Are you ready for GDPR?

The guidelines, which become enforceble on May 25, may impact U.S. companies
 - 
Wednesday, May 2, 2018

Much has been written about the EU GDPR, or General Data Protection Regulation, which was adopted on April 27, 2016 and becomes enforceable on May 25. Yet given the unique challenges involved, surprisingly little has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems. The concern for most in the physical security industry is how will it affect them and is this something that they should be concerned about in the United States. Well, unfortunately, as you are about to find out, the issues facing the entire security industry include not only how to mitigate the hidden liability associated with this regulation but also—how do manufacturers, consultants, and integrators protect themselves from the inevitable lawsuits that could arise from personal data of a EU citizen being viewed by security personnel?

What should organizations do to prevent data breaches? Article 24 of the GDPR outlines an organization’s responsibility to implement “appropriate technical and organizational measures” to ensure and demonstrate proper processing of personal data. Article 32 goes a step further to explain that “In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular, from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”

An important aspect of this regulation is the emphasis on preventing unauthorized access. This is where physical security is essential. Specifically, it can help safeguard data against internal and external human threats that aim to exploit gaps within your organization’s walls and through your workforce. This includes limiting what data can be observed, stolen or accessed. Review the following and assess whether your workforce has the appropriate technical and organizational measures in place to comply.

The critical issues center around the protection of data, which encompasses video management, video storage, camera with onboard storage, video analytics, access control, biometric, document storage, document sharing, etc. The basis of GDPR is the desire to protect all individual’s privacy rights who are citizens of the EU. This must be treated as extremely important since the alleged fines could amount to more than one million euro per alleged violation. The gravity of this for the United States is that corporations who presently admit anyone from the European Union must put immediate provisions to ensure that any form of data that is collected on that person be either destroyed or masked to prevent others from viewing the information. The only provision is that the person can give permission, if asked. As you can see, this could become a massive burden to corporations as well as the public sector.

Finally, it is important to understand how GDPR affects cloud solutions and the storage of data on servers in the cloud. This could be an issue for manufacturers who use cloud to maintain their security solutions. If data is at rest on a server in Europe, you are required to fulfill the requirements of GDPR. 
Potential remedies, which may need to come from the federal government, may state that anyone who enters into the United States from Europe must sign a release of privacy regarding GDPR guidelines. 

Pierre Bourgeix is president of ESICONVERGENT LLC, a management consulting firm focused on helping companies assess and define the use of people, process, and technology within the physical and cyber security arena.