GDPR - an opportunity or a risk to the Physical Security Industry?
On 25 May 2018, the European Union General Data Protection Regulation (GDPR) comes into force across the EU. It replaces the less extensive Data Protection Directive 95/46/EC. In itself, the introduction of a Regulation, as opposed to simply a Directive, is significant.
Regulations have binding legal power throughout every Member State and come into effect on a set date. Directives only define results that must be achieved; each Member State is free to decide how to transpose them into national law. A Regulation is therefore, in effect, the law. So the ‘bar’ is being raised, and the importance attached to a breach of an individual’s data privacy is clearly demonstrated by the potential sanctions for non-adherence.
In industries where the consequences of a data privacy breach bite directly through regulatory controls, such as banking or utility companies, GDPR is very firmly on the corporate agenda, as it also appears to be within the Information Technology support sector. It could be argued that this area of the IT industry is analogous in a number of ways to the electronic physical security arena; however, among physical security manufacturers and software developers there appears to be little awareness and even less activity around the subject. During a recent, unscientific survey of Access Control and Video Management vendors, there was a concerning lack of knowledge of the potential impact that GDPR may have on product design, and only sporadic indication that product development was incorporating features that would help end-clients demonstrate adherence.
One of the key aspects of GDPR is the introduction of the principles of ‘privacy by design’ and ‘privacy by default’. These are important for business end-users to consider, but they are equally important for product manufacturers and software developers to understand. The burden on organisations to comply with data protection legislation becomes significantly greater, on an ongoing basis, because privacy is now mandatory.
Privacy by Design
Privacy by design means that each new service or business process that makes use of personal data must take the protection of that data into consideration. An organisation needs to be able to show that it has adequate security in place and that compliance is monitored. In practice, this means that an organisation must now take privacy into account during the whole life cycle of system or process development.
Privacy by Default
Privacy by default simply means that the strictest privacy settings must automatically apply once a new identity is added to a security database or, of course, to any other business system. In other words, no manual change to the privacy settings should be required of the system user. There is also a chronological element to this principle: by default, personal information must only be kept for as long as is necessary to provide the service.
How products, and more specifically their database use and protection, will need to be developed to enable users to comply with GDPR is an opportunity that, if harnessed, could help differentiate a product from its competition. In an environment where competitive advantage can increase market share, it is surprising that system manufacturers have not embraced the changes and are not already busy publicising how their solutions will help protect end-clients from the potential consequences of a data privacy breach. Those that are will surely elevate their status in comparison with those that are not, and will benefit from providing solutions that are better aligned with client requirements.
The penalties for non-compliance could be significant. As the digital landscape has developed over the past 15 to 20 years, the issue of privacy and the protection of an individual’s personal data has become a vexed subject. The right to privacy is a highly-developed area of European Law.
Article 8 of the European Convention on Human Rights, incorporated into UK law in 1998, asserts that ‘everyone has the right to respect for their private and family life, their home and their correspondence’. The application of this requirement, and how it is interpreted, has led to many test cases, and there have been prosecutions.
The maximum penalties for mishandling data under the new GDPR will dramatically increase, to a level where C-suite interest is bound to be piqued. Fines of up to 4% of global revenue or €20m, whichever is greater, are at a level where ‘Data Protection’ should be added to corporate risk registers, if of course it is not already there. For many organisations in the UK, this represents a huge increase on the Information Commissioner’s Office (ICO) current maximum penalty of £500k.
In addition, responsibility for protecting personal information under GDPR will extend to data processors as well as data controllers. Further changes to be introduced include:
- Data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach.
- Personal data now extends to location, IP address, RFID identifiers, as well as whole new swathes of medical data, including genetic information.
- The “right to be forgotten” is enshrined in law.
- The new regulation will apply to companies headquartered outside Europe as long as they have operations within Europe.
- Greater rigour around consent to use personal data.
- New requirements to carry out Privacy Impact Assessments (PIAs) to ensure that personal data is sufficiently protected and privacy of the individual is maintained.
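As an added illustration of the ‘privacy by default’ and ‘right to be forgotten’ points above (example code written for this page, not from any vendor’s product), the following constructed access-control store applies the strictest settings to every new cardholder unless an operator explicitly relaxes them, and enforces a retention period on door events and revoked identities. The retention and grace periods, the privacy flags and the record layouts are all assumptions chosen for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed defaults: the strictest setting applies unless an operator explicitly relaxes it.
DEFAULT_PRIVACY = {"share_photo": False, "export_events": False, "track_location": False}
EVENT_RETENTION_DAYS = 30  # assumed retention for door events, set by the data controller
IDENTITY_GRACE_DAYS = 7    # assumed period a revoked cardholder is kept before erasure
AccessEvent = namedtuple("AccessEvent", "card_id door at")  # constructed door-event record

@dataclass
class Identity:
    card_id: str
    revoked_at: Optional[datetime] = None
    privacy: Dict[str, bool] = field(default_factory=lambda: dict(DEFAULT_PRIVACY))

class AccessControlStore:
    """Minimal cardholder and door-event store that applies privacy by default."""
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.events: List[AccessEvent] = []
    def add_identity(self, card_id: str, **overrides: bool) -> Identity:
        # Every new identity starts from DEFAULT_PRIVACY; only explicit overrides relax it.
        ident = Identity(card_id)
        for key, value in overrides.items():
            if key not in DEFAULT_PRIVACY:
                raise KeyError(f"unknown privacy setting: {key}")
            ident.privacy[key] = value
        self.identities[card_id] = ident
        return ident
    def revoke(self, card_id: str, at: datetime) -> None:
        self.identities[card_id].revoked_at = at
    def erase(self, card_id: str) -> int:
        # Right to erasure: drop the identity and every door event linked to it.
        self.identities.pop(card_id, None)
        before = len(self.events)
        self.events = [e for e in self.events if e.card_id != card_id]
        return before - len(self.events)
    def purge(self, now: datetime) -> Dict[str, int]:
        # Retention: drop stale events, then erase identities revoked longer ago than the grace period.
        cutoff = now - timedelta(days=EVENT_RETENTION_DAYS)
        before = len(self.events)
        self.events = [e for e in self.events if e.at >= cutoff]
        expired = [c for c, i in self.identities.items()
                   if i.revoked_at and now - i.revoked_at > timedelta(days=IDENTITY_GRACE_DAYS)]
        for c in expired:
            self.erase(c)
        return {"events_removed": before - len(self.events), "identities_erased": len(expired)}
```

Running `purge` on a schedule is what turns the retention principle into something an auditor can verify, since the counts it returns can be logged as evidence that the policy is applied.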
Data Processing
The Data Protection Directive 95/46/EC introduced the concept of limiting the processing of personal data based upon the following three principal categories:
- Legitimate purpose
The notion of ‘processing’ was defined to mean “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;”
Data Protection Officers
Organisations whose core activity consists of processing special categories of data, or the systematic monitoring of individuals on a large scale, will be required to appoint a Data Protection Officer to monitor compliance with the GDPR rules. In view of the scale of data processing undertaken by most responsible employers in relation to vetting, HR, payroll, pensions and access management as a minimum, we envisage that they will be affected by this requirement and should be making arrangements to appoint an officer if they have not already done so.
Organisations will also have to demonstrate that an individual’s consent to the processing of their personal data is ‘freely given, specific, informed and unambiguous’, and in most cases implied consent will not be sufficient. In relation to the use of CCTV, it is still unclear to what extent explicit consent will need to be sought from individuals before recording them; as is already the case, the presence of CCTV cameras must be made very clear.
Between now and May of next year, the issue of data privacy, and in particular GDPR, will undoubtedly attract a growing level of publicity. The suggestion that the Information Commissioner’s Office is currently recruiting Enforcement Officers, and the call from Christopher Graham, Information Commissioner until the middle of last year, for additional powers of prosecution, indicate the direction of travel. A greater number of prosecutions, and much higher resultant fines for failures to comply with the new regulations, must be expected in the years ahead.
The introduction of GDPR is in effect a challenge to society as a whole, to take data privacy and personal information more seriously and to do more to protect the privacy rights of each individual. It’s not a subject that will go away and whilst the media are quick to publicise larger scale ‘breaches’ and levels of associated crime continue to rise, the need to embed ‘privacy and data protection’ into business systems in all areas will intensify.
Organisations in all parts of the supply chain that have not placed the new regulations at the heart of their business processes and systems will be disadvantaged by their lack of adherence, and those that fully embrace and harness data privacy will thrive.
The physical security industry, and in particular product and system manufacturers and developers, needs to move quickly to ensure that it is ready for the pending changes and does not become the focus of unwanted attention as a consequence of end-clients being penalised for non-compliant systems or processes.
Whilst there is a commercial opportunity associated with the introduction of GDPR-compliant products, there must also be a significant risk for those who continue to ignore, or are ignorant of, the changes.
CornerStone is an award-winning, independent security, cyber and risk consulting firm providing a range of Risk Management, Security Design and Implementation Management services.