GDPR and its potential impact on security
Recently, the vast majority of conversations with cyber security ‘experts’ inevitably include a reference to GDPR (General Data Protection Regulation). Additionally, a whole industry is springing up around consultancy on GDPR, and if you believe some accounts this new legislation will become a minefield in which many of the benefits of video surveillance will be lost. However, what is the reality of GDPR with respect to security applications? Benchmark takes a closer look at the impending regulations.
For many, the General Data Protection Regulation (GDPR) remains something of a mystery. In a recent seminar attended by around 50 security installers and system integrators, only three people were aware of the legislation which comes into force in May 2018. Of those three, two worked for the company giving the presentation!
In some sectors, GDPR is big news. Admittedly these sectors include data management, IT, cloud services and – not surprisingly – GDPR consultancy and training. In other industries, it still creates many quizzical looks. Of those who have heard of GDPR, few are able to provide any detail beyond some of the headline facts.
One of those often repeated facts is that companies who fall foul of the regulation could be fined up to four per cent of their worldwide revenue or 20 million Euros, whichever is greater. This astronomical figure is used to portray GDPR as some sort of doomsday scenario which will destroy businesses and organisations unless they are properly prepared (preparation which often includes an investment in training or consultancy). The situation is somewhat reminiscent of the Millennium Bug!
Interestingly, knowledge of GDPR and its implications is very low amongst those it is designed to protect: the general public.
Currently the management and security of personal data is covered in the UK by the Data Protection Act. Despite this having been the instrument to protect the public against mismanagement of data since 1984, it is, itself, still widely misunderstood by both the public and by some businesses and organisations handling personal data.
From 25 May 2018, the gathering, processing and management of personal data will be covered by GDPR. This regulation will bring all data protection within the EU into line. It will also impact on any businesses or organisations outside of the EU who are handling personal data of individuals within the Union.
Despite the lack of clarity over Brexit, the UK Government has indicated that GDPR will either be retained or alternative legislation will be introduced. Experts predict that any alternative legislation will echo GDPR, as this allows UK businesses and organisations a seamless interaction with EU digital markets.
In short, GDPR is and will remain important to those in the UK involved in the collection, processing and use of personal data; this includes the use of security systems.
What is personal data?
In order to clarify what constitutes personal data and processing, it is worth looking at the exact wording of the GDPR text. In Article 4 (Definitions), personal data is defined in Clause 1.
This states, ‘Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
As a definition it indicates that just about all information that might be used to identify an individual can be construed to represent personal data. The inclusion of anything that is a reference to ‘physical, physiological, genetic, mental, economic, cultural or social identity’ certainly includes video and images.
However, it can be argued that the definition also includes other security systems where a user has been issued with any form of credential (PIN code, card, tag, biometric template, etc.). This brings access control and even intruder alarm systems into the scope of GDPR.
The regulation itself is mainly concerned with the processing of personal data. The definition of processing is given in Article 4, Clause 2 of the GDPR text, which states, ‘Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’
At first glance it appears that GDPR is very vague and loose in terms of what it covers, and this is certainly the case. Those who remember the introduction of DDA (Disability Discrimination Act) in 1995 and its impact on access control systems will recall a similar level of generality in that document. The intention was that a proper understanding of how the Act should be implemented would be achieved via test cases. That GDPR has been created with a degree of flexibility to allow individual EU Member States to adapt the regulations to their needs underlines this.
How different is GDPR?
Much of the regulation is similar to the Data Protection Act, but there are some differences. For example, GDPR covers both data ‘controllers’ and ‘processors’. This means, for example, that a public space video surveillance system might be owned and operated by a council, who would decide which data to process and the conditions under which this might happen. They would be the data controller as defined under GDPR.
If they use the services of a remote monitoring company, the RVRC effectively becomes a data processor as defined under GDPR.
The same situation exists for Cloud services. The controller (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) might use a Cloud service to store and maybe process data, for example by deploying analytics. The Cloud provider is therefore the processor (the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller).
Fines issued for breaches of GDPR could be applied to both parties, as the text states, in Article 83, that fines will be decided based upon ‘the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them’.
Interestingly, there are several Cloud-based video providers currently promoting their services based upon claims about GDPR. Many imply that it will not possible to ensure private servers are secure under GDPR, so the Cloud is the only compliant option. Such statements should be treated with a pinch of salt. One provider includes quotes which are intended to appear as if they are from the GDPR text, but they are not.
Other differences – alongside the definition of personal data and data processing, the inclusion of both data controllers and data processors, the value of fines that can be levied and the removal of geographical limitations – include consent for data processing, requirements for notification of data breaches, the creation of administration and audit trails and the need for PIAs (privacy impact assessments).
There are exclusions for security-specific data gathering. Article 2 (Material Scope) of the General Provisions chapter of the GDPR text states, ‘This Regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.’
It also states that GDPR does not impact on ‘processing of personal data by a natural person in the course of a purely personal or household activity.’
Consent for data processing was, under the DPA, probably not as robust as it needed to be. For example, people were often forced to opt out rather than opt in to third party data processing. Individuals who made complaints to businesses and organisations often found themselves on mailing lists, for example.
Under the new regulation, this would be a violation.
GDPR defines consent as, ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’ In short, doing nothing does not constitute consent.
In many cases this means that explicit consent will be required rather than implied consent. The question this raises is how is explicit consent gained for security monitoring or surveillance?
Security monitoring and surveillance will certainly require clear and obvious notification that data processing is taking place, but only real-world experience and test cases will clarify the degree of ‘explicit consent’ that might be required.
Making the provision of services conditional upon consent may not have a legal basis, according to guidance from the ICO. For example, a sign stating that people should not enter a retail space unless they give consent to being monitored should not be considered as it would have no legal basis.
Processing data without consent is allowed in some circumstances. For example, private businesses and organisations, ‘can process personal data without consent if they have a genuine and legitimate reason, including commercial benefit, unless this is outweighed by harm to the individual’s rights and interests,’ according to ICO guidance.
In the public sector, organisations can process personal data without consent where this is required to carry out tasks and functions in the public interest. Obviously, safety and security fall into this category.
GDPR has strict conditions concerning how data breaches must be handled, and this is one area that will certainly see test cases early on in the life of the regulation.
Indeed, for many installers and integrators the focus on cyber security will be one of the more significant issues with regard to the introduction of GDPR. Network security, encryption and device hardening will be very important, as will ensuring that locations which house servers are also physically secure.
Again, there is a proliferation of claims from some Cloud providers that indicate Cloud offerings will take all the pain away, at a price (both in terms of cost and reduced performance and flexibility). However, this is not always the case, and for installers and integrators the reality is that implementing best practice and working with credible manufacturers and suppliers remains the most proactive approach.
Many security systems already include features and functions to deliver secure and protected solutions. Manufacturers and suppliers are offering support too. Working with professional companies will see a lot of resources which can help. If suppliers can’t or won’t help, then give them a wide berth!
GDPR will arrive on 25 May 2018, and the security sector has to meet the requirements. Some self-proclaimed ‘experts’ are already confusing the market with claims that only their products or services can ensure compliance. However, the introduction of GDPR need not be a nightmare for professional security companies.
Attention to detail, implementation of cyber security measures and thoughtful system design will be the best tools for installers and integrators.