How Do Privacy Issues And GDPR Impact Physical Security Systems?
Editor Introduction
You could say concerns about privacy are “trending” in our increasingly data-driven world. Unease about how Facebook and other high-tech companies use and share data dominates the news, and the full impact of new European Union (EU) regulations is about to be felt around the world. By May 25, companies that collect data on EU citizens will need to comply with strict new rules around protecting customer data, as enumerated in the General Data Protection Regulation (GDPR). But how do the new regulations, and broader concerns about privacy, affect the physical security market? We asked this week’s Expert Panel Roundtable: How do privacy issues and regulations, such as GDPR, impact physical security systems and how they are managed?
GDPR will have a profound impact on how security systems are designed and managed. Significant investments have been made in developing sophisticated analytics capable of capturing an individual’s activity, identifying them, and linking them to different forms of data and transactions. GDPR specifically restricts the capture and use of EU residents’ personal data and is in direct conflict with the adoption of artificial intelligence (AI) platforms to track individual activities. The challenge for manufacturers will be to design solutions capable of capturing valuable information for security or business intelligence purposes while simultaneously anonymizing retained data. The use of intelligent masking, customizable retention, and data encryption and protection will become the standards moving forward. Failing to comply with these standards can lead to significant fines for the companies collecting the data, and we fully expect to see more end users putting the burden on manufacturers to prove that their systems comply.
Legislation such as the European Union's General Data Protection Regulation (GDPR) plays a bigger role in the operation and management of physical security systems than one may immediately recognize. These regulations exist to protect the personal data and privacy of citizens and customers, which becomes relevant in the physical security industry for organisations that store footage from the use of video surveillance or event management systems for private or public monitoring. The GDPR focuses heavily on enforcing proper reporting and mitigation techniques in the event of a cyber-attack or breach, emphasizing the importance of manufacturer responsibility and convergence between physical and IT security teams to cohesively ensure regulation compliance. While it will be primarily global companies affected by the GDPR, U.S. companies must also pay attention to how it impacts their business and can learn from and apply best practices to increase overall security.
This is a potentially complex situation. With an Access Control system there could be a request to supply data held on an individual, but to ensure the privacy of others it may be necessary to anonymize any data on connected third parties. For example, under GDPR regulations, any person whose image is recorded on CCTV has a right to seek and be supplied with a copy of their own personal data from the footage. However, the identity of any other individuals in that footage needs to be protected when it is shared. Investing in technologies that can automate privacy protection (such as using video redaction capabilities to blur out other people’s faces) could help companies to comply with the new GDPR regulations, painlessly and efficiently. This ability would transform data to a lower risk category, allowing operators to see what is happening in video footage without violating anyone’s privacy.
As the May 25 deadline for GDPR compliance quickly approaches, operators must be proactive in addressing how to improve visibility and control over the large pools of data that are collected with video surveillance, access control and other physical security systems. Owners of on-premise systems will be responsible for GDPR compliance and required to have transparent measures in place that hold them accountable for how data is accessed, used and maintained. Evaluating current systems and engaging with integrators is crucial to better understand what updates are required and how collected data must be reported per the new guidelines. Physical security can help prevent unauthorized access to data, but it’s essential that organizations have the appropriate technical and organizational measures in place to comply fully.
Physical security systems, such as video surveillance systems, gather video data in order to protect people and assets. Many organizations today hold onto that data for a set amount of time to use as forensic evidence or to comply with rules that govern a specific industry, like in casinos and gaming. “Data Controllers,” as they are called in GDPR regulations, are users of security systems who would be ultimately responsible for meeting the strict privacy and regulatory requirements such as the use of that video without consent, the location where the video is stored and the measures in place to protect the video. If “Data Subjects” (people in the video) are clearly identifiable, then the requirements for maintaining their privacy are very stringent. While the protection of data is mainly the responsibility of end users, manufacturers, especially cloud service providers, will also be on the hook for complying with regulations.
While GDPR is being implemented in the EU, U.S.-based companies can also learn a lot from the regulations being enforced in the realm of data privacy. Additionally, it is critically important for U.S. companies to be able to adhere to the rules guiding how data is collected and shared about EU citizens. When a company implements a physical security system such as access control, a lot of personal information is collected and analyzed for various purposes. While the majority of the data being shared is controlled by the company using the system, there are some elements that can come back to the integrator or even the manufacturer, like in the case of the organization implementing a managed cloud-based solution. Therefore, manufacturers need to be mindful of their product's capabilities and make it easy and streamlined for end-user companies to adhere to the data sharing and privacy regulations in place.
Privacy regulations (such as GDPR) are examples of how physical security systems and the data residing in them are subject to a growing number of business-critical compliance and audit standards. For both video surveillance and access control, a major aspect of GDPR is being able to continuously document system operation and be able to secure it from cyber-breaches. To achieve this requires consistent management processes, and automation to support and document those processes. Whether it’s GDPR or any other standard, the day is fast approaching where operators of physical security systems must be able to demonstrate system-wide control over their operations while utilizing automated service assurance solutions to ensure failures are quickly detected and their fixes are documented. Taking a system-level instead of a device-level approach to managing physical security is one of the positive directives GDPR is sending the industry.
The physical security market has undergone a lot of changes in recent years, driven by changes in IT technology, and cybersecurity is a commonly used term. In many cases, the CCTV system is installed and then promptly forgotten about – passwords are rarely changed, and overall security of the system is often taken for granted (how many times is the NVR kept in a broom cupboard?). Legislation such as the GDPR shines an uncomfortable light on these systems. Questions asked in IT circles such as “What type of encryption do you use?” and “What is your password policy?” often fall on deaf ears with end users when it comes to physical security. This means manufacturers must bear the responsibility of providing appropriately secure products - that includes encryption! Integrators, installers and manufacturers must educate end users on what to look for in an updated data protection world.
No element of security can stand alone. Security, even “just” physical security systems, has many dimensions that must be considered in the modern-day business climate. Products, their implementation and ongoing management need to not only help secure facilities and personnel but also be secure themselves. Regulations such as GDPR have added a new world of consequences to this evolving topic. While the GDPR requirements are new, they only build on already existing issues such as data integrity, continuity of service and business reputational risks. Taken together, the considerations for successful installations and ongoing administration have become more comprehensive and necessary. System dependency management has never been more important and the opportunities for skilled system integrators never better.
Editor Summary
GDPR’s requirements may fall primarily on the end user community, but the impact will also be felt among integrators and manufacturers, as our panel has emphasized. Data stored in cloud systems, in particular, constitute a GDPR-related concern for integrators and manufacturers. Furthermore, savvy integrators and manufacturers know that meeting their customers’ challenges successfully is the best route to success, even if one of those challenges is to ensure individual privacy and comply with tough new regulations. Fortunately, our industry is already reacting to cybersecurity needs, which are closely aligned with privacy and GDPR.