an opportunity or a risk to the Physical Security Industry?
On the 25th of May 2018, the European Union, General Data Protection Regulation (GDPR) comes into force across the EU. It replaces the less extensive Data Protection Directive 95/46/ec. In itself, the introduction of a Regulation as opposed to simply a Directive, is significant.
Regulations have binding legal power throughout every Member State and come into effect on a set date. Directives only define certain results that must be achieved, and each Member State is free to decide how to transpose a Directive into national law. A Regulation, therefore, is in effect the law. So the ‘bar’ is being raised, and the importance being attached to a breach of an individual’s data privacy is clearly demonstrated by the potential sanctions for non-adherence.
In many industries where the consequences of a data privacy breach will impact directly via regulatory controls, such as banking or utility companies, GDPR is very firmly on the corporate agenda, as it also appears to be within the Information Technology support sector. It could be argued that this area of the IT industry is analogous in a number of ways to the electronic physical security arena; however, among physical security manufacturers and software developers there appears to be little awareness and even less activity around the subject. During a recent, unscientific survey of Access Control and Video Management vendors, there was a concerning lack of knowledge about the potential impact that GDPR may have on product design, and only sporadic indication that product development was incorporating features that would help end-clients demonstrate adherence.
One of the key aspects of GDPR is the introduction of the principle of ‘privacy by design and default’. These elements are important to consider as a business end-user, but are equally important for product manufacturers and software developers to understand. The burden on organisations to comply with Data Protection legislation becomes significantly greater on an on-going basis, as privacy becomes mandatory rather than optional.
Privacy by Design
Privacy by design means that each new service or business process that makes use of personal data must take the protection of that data into consideration. An organisation needs to be able to show that it has adequate security in place and that compliance is monitored. In practice, this means that an organisation must now take privacy into account during the whole life cycle of the system or process development.
Privacy by Default
Privacy by Default simply means that the strictest privacy settings are to apply automatically once a new identity is added to a security database or, of course, any other business system. In other words, no manual change to the privacy settings should be required of the system user. There is also a chronological element to this principle, as personal information must, by default, only be kept for the amount of time necessary to provide the service.
How products, and more specifically database use and protection, will need to be developed to enable users to comply with the GDPR requirements is an opportunity that, if harnessed, could help to differentiate one particular product from its competition. In an environment where competitive advantage can increase market share, it is surprising that system manufacturers have not embraced the changes and are not already busy publicising how their solutions will help protect end-clients from the potential consequences of a data privacy breach. Those that are will surely elevate their status in comparison with those that are not, and will benefit from providing solutions that are better aligned with client requirements.
The penalties for non-compliance could be significant
As the digital landscape has developed over the past 15 to 20 years, the issue of privacy and the protection of an individual’s personal data has become a vexed subject. The right to privacy is a highly-developed area of European Law.
Article 8 of the European Convention on Human Rights, enshrined in UK law in 1998, asserts that ‘everyone has the right to respect for their private and family life, their home and their correspondence’. The application and interpretation of this requirement has led to many test cases, and there have been prosecutions.
The maximum penalties for mishandling data under the new GDPR will dramatically increase to a level where C-suite interest is bound to be piqued. Fines of up to 4% of global revenue or €20m, whichever is greater, are at a level where ‘Data Protection’ should be added to corporate risk registers, if of course it is not already there. For many organisations in the UK, this represents a huge increase on the Information Commissioner’s Office (ICO) current maximum penalty of £500k.
In addition, responsibility for protecting personal information under GDPR will extend to data processors as well as data controllers. Further changes to be introduced include:
- Data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach.
- Personal data now extends to location, IP address, RFID identifiers, as well as whole new swathes of medical data, including genetic information.
- The “right to be forgotten” being enshrined in law.
- The new regulation will apply to companies that are headquartered outside of Europe as long as they have operations within Europe.
- Greater rigour around consent to use personal data.
- New requirements to carry out Privacy Impact Assessments (PIAs) to ensure that personal data is sufficiently protected and privacy of the individual is maintained.
The Data Protection Directive 95/46/ec introduced the concept of limiting the processing of personal data based upon the following three principal categories:
- legitimate purpose,
The notion of ‘processing’ was defined to mean “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;”
Data Protection Officers
Organisations whose core activity consists of processing special categories of data, or of the systematic monitoring of individuals on a large scale, will be required to appoint a Data Protection Officer to monitor compliance with the GDPR rules. In view of the scale of data processing undertaken by most responsible employers in relation to vetting, HR, payroll, pensions and access management as a minimum, we envisage that they will be impacted by this requirement, and they should be making arrangements to appoint an officer if they have not already done so.
Organisations will also have to demonstrate that an individual’s consent to the processing of their personal data is ‘freely given, specific, informed and unambiguous’, and in most cases implied consent will not be sufficient. In relation to the use of CCTV, it is still unclear to what extent explicit consent will need to be sought from individuals before recording them via a CCTV system; as is already the case, however, you are required to make the presence of CCTV cameras very clear.
Between now and May of next year, the issue of data privacy, and in particular GDPR, will undoubtedly be a subject that attracts a growing level of publicity. The suggestion that the Information Commissioner’s Office is currently recruiting Enforcement Officers, and the call from Christopher Graham, the Information Commissioner until mid-last year, for additional powers of prosecution, indicate the direction of travel. A greater number of prosecutions and a much higher level of resultant fines for failures to comply with the new regulations must be expected in the years ahead.
The introduction of GDPR is in effect a challenge to society as a whole to take data privacy and personal information more seriously and to do more to protect the privacy rights of each individual. It is not a subject that will go away, and whilst the media are quick to publicise larger-scale ‘breaches’ and levels of associated crime continue to rise, the need to embed ‘privacy and data protection’ into business systems in all areas will intensify.
Organisations in all parts of the supply chain that have not incorporated the new regulations at the heart of their business processes and systems will become disadvantaged by their lack of adherence, and those that fully embrace and harness data privacy will thrive.
The Physical Security industry, and in particular product and system manufacturers and developers, needs to move quickly to ensure that it is ready for the pending changes and does not become the focus of unwanted attention as a consequence of end-clients being penalised for non-compliant systems or processes.
Whilst there is a commercial opportunity associated with the introduction of GDPR-compliant products, there must also be a significant risk for those who continue to ignore, or remain ignorant of, the changes.
Jon Roadnight - Director of CornerStone GRG Ltd
For more information on Security Budgeting as well as a range of other Security Consultancy services please contact us via telephone or our website.
CornerStone GRG Ltd
8 City Road
London, EC1Y 2AA
tel: 020 3405 4956
The contents of this document are provided on an “as is” basis. No representation or warranty (either express or implied) is made as to the completeness, accuracy or reliability of the contents of this document. Advice given and recommendations made do not constitute an assurance against risk or a warranty of future results by CornerStone GRG Ltd.
Intellectual Property and Copyright
This document includes registered and unregistered trademarks. Any trademarks displayed are the trademarks of their respective owners. Your use of this document does not constitute or create a license or any other right to use the name and/or trademark and/or label. This document is subject to copyright owned by CornerStone GRG Ltd. You agree not to copy, communicate to the public, adapt, distribute, transfer, sell, modify or publish any contents of this document without the express prior written consent of CornerStone GRG Ltd.