Although GDPR came into force over a year ago, it’s probably fair to say that companies, especially SMEs, are still getting to grips with what it means in practice, particularly with regard to what might be termed niche situations such as access-control solutions.
The Basics Of GDPR And Security
Given that GDPR applies to all personal data collected by organizations, it is entirely logical that it applies to data collected for the purposes of security. The challenge for organizations can be to work out the extent to which the GDPR requirements extend and then to ensure that they comply with them.
For example, it may seem fairly obvious that issuing access-control devices on an individual basis would require the collection of personal data and therefore be covered by GDPR.
It may, however, be less obvious that having people sign for access-control devices is also covered under GDPR, because it requires the collection of an individual’s personal data, and it may not be obvious at all that the use of CCTV on business premises is also covered by GDPR, as CCTV captures images that could be used to identify individuals.
Therefore, the first rule of using access-control solutions in a GDPR-compliant manner is to undertake a privacy impact assessment of any and all access-control solutions you currently use (or plan to use) and see what, if any, individual data they capture.
Personal Data Processing
Double-check that your data processing is proportionate to your legitimate needs
Proportionality is central to GDPR, and it is generally judged on two key factors: how much data is captured and how long it is stored.
Basically, you should only capture the bare minimum of data for your intended purpose and only store it for the minimum length of time. While this may sound obvious, it can be surprisingly easy to fall foul of these regulations by accident, especially in smaller companies.
First of all, be careful about relying purely on consent as a justification for processing data. Under GDPR, for consent to be considered valid, it must be both informed and freely given.
In an employment context, companies may find themselves challenged on the extent, if any, to which their employees are really free to refuse consent for their data to be processed.
Secondly, beware of allowing data to build up purely because you haven’t thought to delete it. When data is stored in digital form, you can often set up policies to ensure automatic deletion once certain criteria are met; for example, you could have CCTV images deleted automatically after six months.
When data is stored in physical form, then you will need to ensure that it is collected and deleted as appropriate. For example, if you are using a physical book to keep track of who has possession of a specific access-control device (or anything else), then you will need to make sure that pages are removed from the book as their useful life expires.
Keep All Data Safe But Accessible
This may seem like a contradiction in terms, but basically it just means that you need to know where all your data is stored, apply suitable protection to it (for example, encryption in the digital world and keeping it suitably guarded in the physical world) and make sure that every single data item held by your organization is under the control of an accountable person.
In this context, please note that the accountable person needs the appropriate training and resources (including time) to do whatever is required of them, so their data-control tasks should be recognized as a meaningful part of their job, rather than just something to be done as, when and if they have time.