Next year will see the biggest shakeup in data rights and security in history, as the European Union introduces its new set of laws on data protection, the General Data Protection Regulation. Whilst it is still many months away, ai security prides itself on best preparing clients for the future, so we introduce GDPR and outline how it will impact the security systems and processes you have in and around your business:
What is the General Data Protection Regulation (GDPR)? What is considered “data”?
The EU’s GDPR is brand new global data protection legislation that will come into effect on 25th May 2018. It replaces the 1995 EU Data Protection Directive and the 1998 Data Protection Act as the new standard for protecting the data rights of all EU citizens.
The definition of “data” that the EU uses is any information that can be used to identify, directly or indirectly, an individual person. For businesses, everything from employee key cards to email addresses is considered processing data, and subject to the new laws.
If caught breaking GDPR after its initial teething period, the fines are severe – up to 4% of annual turnover or €20m per breach. For more general information on GDPR and its purpose, click here, as the rest of this article is specific to security systems.
How will GDPR affect my business’s security?
GDPR will have a direct impact on the security systems and processes employed by all UK businesses, big and small. All security systems that record the movement of any EU citizen to the extent it can individually identify them, whether CCTV, ANPR, or door entry, will need to undergo a Privacy Impact Assessment. This is to ensure the data being collected is within reason and not invasive, and being stored securely or appropriately destroyed after an agreed period of time.
All security systems need to be clearly explained to all customers through signage and to staff members through their contracts of employment. It will become illegal to collect data
Many businesses will be expected to hire or train a dedicated employee as a Data Protection Controller, to manage paperwork and enforce compliance internally, including preventing data breaches and managing freedom of information requests (where there is a 40-day turnaround requirement). The Data Protection Controller may also be the only employee within the business that’s permitted to access and manage security systems; however, this part of the legislation hasn’t been formalised.
But the UK is leaving the European Union. Doesn’t that mean GDPR doesn’t apply to UK businesses?
Whilst the UK is leaving the EU, “Brexit” will take many years to finalise, so the UK will still be held to EU laws when GDPR comes into effect on 25th May 2018 and likely throughout the regulation’s initial 2-year grace period.
However, post-Brexit, GDPR will still apply to all UK businesses. GDPR protects the data rights of all EU citizens, and any business anywhere on the planet caught encroaching on the data rights of an EU citizen can be fined. It is likely that, to make an example of the EU-departing UK and reinforce their power, EU regulators will put their focus on exposing British businesses big and small that break GDPR rules.
I have a traditional CCTV system that uses hard drives. Will I need to change it?
Not if you (or your assigned Data Protection Controller) are able to guarantee those hard drives are securely protected 24/7 from unsolicited access. However, as most businesses aren’t able to ensure this, a secure cloud-based system (where recordings are automatically stored in an encrypted and protected virtual space) is preferred. Speak to ai security about upgrading your CCTV in preparation for GDPR.
We use the data we collect from our security systems to manage operations. Will we still be able to do this?
Yes, as long as all EU citizens that you are collecting data from are fully aware of what is being collected and how it is being used, stored and protected.
There will be extensive coverage of GDPR and how it affects all aspects of doing business in the coming months and years, and we will follow up this article with more security-specific information. If you’d like to discuss GDPR with us before then, get in touch with us here.