In his latest blog for Infologue Bob Forsyth, Chief Executive Officer at Kings Security writes about the introduction of GDPR and its implications for the security sector. Bob writes: “The new GDPR legislation will come into force as of 25th May and, like all businesses in the UK, we have been working towards its implementation and to ensure we are abiding by the new legislation. It has opened up more questions than answers as new legislation sometimes does when it is so broad across business, and of course it has been expensive and time consuming to train staff and understand the touch points around process. It is especially tricky around CCTV footage and monitoring as I indicate below.
The GDPR is all about the protection of a person’s privacy. The impact a security system has on personal privacy is in two key areas:
1. CCTV footage of customers and staff on premises; where is it stored, is it transmitted externally, how, where to etc.
2. (If the alarm system is monitored externally) the contact details of the key holders for the premises.
One of the current weaknesses in the industry is the transmission of CCTV data over encrypted networks. As technology has advanced over the years, existing systems have had new features bolted on, potentially weakening the security of the equipment. More and more customers want their CCTV monitored remotely with a view to replacing manpower on site. Article 32 of the GDPR outlines the requirements for security of processing personal data, which highlights (based on a risk assessment and cost/purpose analysis) that encryption should be considered during processing, opening an opportunity within the industry to upgrade some of the older, unencrypted systems.
The GDPR introduces the right for personal data to be erased (Article 17). Personal data should only be stored for as long as is necessary. This is where the retention of CCTV footage should also be considered, even where the footage is stored locally on DVRs and hard drives. All customers responsible for the daily upkeep of the CCTV should be aware of how to erase data, and DVRs should be programmed in line with their own retention policies. Where CCTV is transmitted off-site, either for evidential or monitoring purposes, this should be restricted to needs-only access and kept only for as long as is necessary.
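As an added illustration of the retention point above (this is example code written for this page, not Kings Security's or any DVR vendor's software), the following script shows how a retention policy can be enforced over a recording inventory: footage older than the configured retention period is selected for erasure, footage flagged as held for evidential purposes is kept and reported for review, and every erasure is written to an audit trail. The recording inventory, the 30-day retention period and the "evidential_hold" flag are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample inventory of DVR recordings (not real data).
# "evidential_hold" marks footage preserved for an investigation or
# court request; such footage must not be erased by the routine sweep.
RECORDINGS = [
    {"id": "cam1-2018-04-01", "camera": "cam1",
     "recorded": datetime(2018, 4, 1), "evidential_hold": False},
    {"id": "cam1-2018-05-10", "camera": "cam1",
     "recorded": datetime(2018, 5, 10), "evidential_hold": False},
    {"id": "cam2-2018-03-15", "camera": "cam2",
     "recorded": datetime(2018, 3, 15), "evidential_hold": True},
    {"id": "cam2-2018-05-20", "camera": "cam2",
     "recorded": datetime(2018, 5, 20), "evidential_hold": False},
]

# Assumed retention period; a real site sets this from its own policy.
DEFAULT_RETENTION_DAYS = 30


def select_for_erasure(recordings, now, retention_days=DEFAULT_RETENTION_DAYS):
    """Split recordings into those due for erasure and those retained.

    Returns (to_erase, retained) where to_erase is a list of recording ids
    and retained is a list of (id, reason) tuples so the reason for keeping
    each item (still within retention, or evidential hold) is visible.
    """
    cutoff = now - timedelta(days=retention_days)
    to_erase, retained = [], []
    for rec in recordings:
        if rec["evidential_hold"]:
            # Holds override the age test but must be reviewed periodically
            # so that "necessary" does not quietly become "indefinite".
            retained.append((rec["id"], "evidential hold"))
        elif rec["recorded"] < cutoff:
            to_erase.append(rec["id"])
        else:
            retained.append((rec["id"], "within retention"))
    return to_erase, retained


def apply_erasure(recordings, to_erase, audit_log):
    """Remove the selected recordings and record each erasure in audit_log."""
    ids = set(to_erase)
    kept = []
    for rec in recordings:
        if rec["id"] in ids:
            audit_log.append(
                f"erased {rec['id']} camera={rec['camera']} "
                f"recorded={rec['recorded'].date()}"
            )
        else:
            kept.append(rec)
    return kept


def run_retention_sweep(now, recordings=RECORDINGS,
                        retention_days=DEFAULT_RETENTION_DAYS):
    """One scheduled sweep: returns (remaining recordings, audit log lines)."""
    audit_log = []
    to_erase, retained = select_for_erasure(recordings, now, retention_days)
    for rec_id, reason in retained:
        if reason == "evidential hold":
            audit_log.append(f"review hold on {rec_id}")
    remaining = apply_erasure(recordings, to_erase, audit_log)
    return remaining, audit_log


if __name__ == "__main__":
    remaining, log = run_retention_sweep(datetime(2018, 5, 25))
    for line in log:
        print(line)
    print(f"{len(remaining)} recordings remain")
```

Run on the constructed inventory with a sweep date of 25 May 2018, the sweep erases only the April recording from cam1; the March recording from cam2 survives because of its evidential hold and is listed for review, and the two May recordings are still within the 30-day window.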
As far as BAU goes, customers will be looking for security providers with robust information security procedures. Accreditation to ISO 27001 will be an attractive USP in the industry and more and more security companies will move towards this in the coming years as they find the market pinching.
In conclusion, this is a complex matter due to the nature of monitoring signals and understanding where these signals are stored and viewed; it is also about understanding the encryption and its quality standards from equipment manufactured around the world. GDPR is the usual well-meant legislation around personal data but has no real concept of the nature of some sectors and the real risk in place, which is extremely low and has no real substance. It has also created a small industry of consultants all peddling the massive fines that could be levied with the shock and awe strategy of Doomsday. We, of course, have complied like the vast majority of companies in the UK, but there will need to be clarity in due course as to some of the specific industry challenges this, on the face of it, could entail.”