By AMAG Technology, Vice President of Products and Partner Programs, Dave Ella
Organizations using AMAG’s Symmetry Security Systems throughout the European Union [EU] are preparing for the new General Data Protection Regulations (GDPR) which take effect from May 2018. GDPR will require organizations who control or process personal data from EU residents to obtain consent from employees, visitors and contractors for data stored in physical access control systems. Organizations will need to define why the data is needed and when it will be removed. The new regulations reflect the cloud hosted nature of many current information systems, but also have implications for on premise installations which are typical of security systems. Fines for non-compliance are steep – up to 4% of annual global revenue – so these are regulations which organizations must take seriously.
Multi-national organizations with a single access control system spanning North America and Europe will potentially be affected by the new regulations, as a database held on premise by an organization in North America will be subject to the new regulations in the same way. If a third party organization such as a security integrator is either hosting the server or managing it on a day to day basis, there are potential implications for that third party, even if they are not situated in the EU.
Access control systems are capable of holding extensive levels of personal data and as with previous regulation, organizations need to ensure that the data held is relevant and justifiable. It is easy for an organization to import data from an HR system which is not directly necessary to the specific security application. Retention periods, particularly for former employees, contractors and visitor’s personal data, also need to be considered.
An important new aspect of the GDPR regulation includes data from which a person’s location can be calculated. While this is presumably targeted at web applications which track cell phone location, physical access control systems do hold data related to who has gone where and when, so the responsible parties within an organization need to take this into account. As with any new regulation, it is unclear how this will be interpreted in a real-world scenario.
GDPR broadens the definition of ‘personal data’ to mean anything that could identity a person. For example, an email address, home address, job title or type of car one drives. Other identifiers could include gender, political views, biometric information and personal interests.
There is a strong link between GDPR and cyber security since security of the data being held is understandably seen of great importance under the regulations. It is important that AMAG customers have hardened their system using IT best practices and considered using the encryption mechanisms within the Symmetry system.
With web based applications in mind, the regulations now insist that people explicitly agree for their personal data to be held by a system – typically by proactively ticking a box in a sign-up screen which must be empty by default. How that will be interpreted for the systems of organizations which require to hold personal data such as HR and payroll systems – and security systems – is not yet totally clear, and statements in employee terms and conditions of employment may still be sufficient. Visitor Management systems need to be considered too, as some personal data of visitors either in a Symmetry database or as video will also normally be held.
Video Management Systems, and the retention periods for storage of video data fall under the GDPR regulations as well. As with all personal data recorded by business systems, as long as there is a genuine need for the data to be held for a given length of time, and the systems have been considered and recorded by the organization’s data protection officer in line with the new regulations, there should be no major implication for the Symmetry user in terms of the continuation of their physical security arrangements.
AMAG certified resellers with customer sites in Europe, and security managers in Europe should familiarize themselves with the new regulations and co-ordinate with each organization’s data protection team to ensure that their activities are fully compliant.
To learn more visit: http://www.eugdpr.org/