On May 25, the European Union’s new General Data Protection Regulation (GDPR) will officially go into effect. Developed to protect individual privacy as it relates to the data being collected from citizens of the EU, the GDPR requires that organizations adhere to specific governance and accountability standards in the processing and protection of data.
Accordingly, anyone collecting personally identifiable information (PII) in the EU will have to abide by certain practices. Among other regulations, the GDPR imposes mandatory breach reporting rules that require organizations to report a breach within 72 hours of detection. In addition, the GDPR sets out new record-keeping requirements for collecting, managing, modifying, storing and analyzing personal data.
To lay the groundwork for continued compliance over the long term, the GDPR also stipulates that, in order to meet these requirements, organizations cannot simply deploy add-on options. Instead, they must use solutions that have privacy features built in at the design level. As a result, systems integrators are going to have to work with vendors who develop technology with privacy in mind.
For some, non-compliance could come with a staggeringly high price tag. The penalties for non-compliance include fines of up to 20 million euros or 4 percent of global annual turnover – whichever is higher.
It would be a mistake to think that the GDPR will only impact European or Europe-based organizations. The reality is that any business collecting PII within the EU is going to be held accountable regardless of where they are based. Multi-national companies, retail chains and other enterprise businesses will certainly feel its impact and security systems integrators have a vital role to play in getting these organizations GDPR-ready.
GDPR’s Impact on the Security Sector
The security industry will, of course, feel the effects of the GDPR. PII is at the heart of video surveillance – there is nothing more personal than your image. For this sector, complying with the GDPR is going to require a new way of thinking. To this point, the pervasive attitude has been that, when it comes to security, there is no such thing as too much data – the more data we collect and store, the more we can understand, prepare and investigate.
However, under the GDPR, organizations will have to be more cognizant of retention rates and how much data they are collecting with their VMS and recorders. This will be especially true for cases involving the video monitoring of public areas on a large scale, since this type of processing has been identified as high-risk.
The regulation stipulates that organizations are responsible for ensuring that the minimum amount of PII is being collected. They can be considered in breach of the regulation if they do not take proper steps to limit retention or use suitable archiving controls.
In addition, organizations are also going to have to pay careful attention to how data is accessed and stored given that, as of May 25, European citizens will have greater control over their PII. In order to increase data transparency and provide more power to individuals, under the GDPR, EU citizens will be able to obtain confirmation as to whether or not their data is being processed, where it is being processed, and for what purpose.
Furthermore, organizations will be required, upon request, to provide a copy of an individual’s PII free of charge. In order to meet these requests, organizations must have tools that enable them to search through and share data easily with the appropriate individuals. At the same time, these tools must also make it possible to hide the identity of selected individuals in video footage to preserve their right to privacy.
Steps to Becoming GDPR-Ready
Systems integrators must keep in mind that there are several steps organizations everywhere should be taking in order to get GDPR-ready. While the new regulations require reporting a data breach within 72 hours of detection, rather than focus on reporting, it would obviously be best not to allow a network to become vulnerable in the first place. This means understanding and implementing best practices for cybersecurity across an entire operation.
First, no organization should ever place equipment on their network that is vulnerable to attack. We know that cyber criminals need little more than one unprotected or under-protected device to gain access to an entire system and everything else connected to it. As a result, every deployed device – including every camera and sensor – should be either password-protected or secured with a certificate that lets the archiver and camera establish encrypted communication, and organizations should also be working with vendors who build cybersecurity into their products from the very first line of code.
Another step in protecting systems is to ensure that the PII being collected, transferred, analyzed and stored is encrypted. When data is encrypted, even if an unauthorized person gains access, it is not readable.
Under the GDPR, organizations will be responsible for overseeing access to the data being collected in their systems. Managing access rights is important both for privacy and mitigating the risk of possible data breaches.
Access rights can be managed through authentication and authorization. Authentication uses certificates, username/password combinations and tokens to prevent cyber-criminals from impersonating an identity to penetrate a system and manipulate, copy, or take control of the data. Authorization restricts the scope of activity within a system by giving access rights to groups or individuals based on clear rules and credentials. This enables organizations to limit who can see what data as well as what they can do with it.
Maintaining Privacy in Video Streams
In order to comply with the GDPR and safeguard the right to privacy, organizations will also have to deploy video surveillance systems that protect identities by ensuring that individuals remain anonymous. There are different ways to achieve this, including permanent masking, redaction and dynamic anonymization.
The most basic method, permanent masking, involves permanently anonymizing individuals in video footage. Because the masking cannot be removed, this method is not ideal in situations where a person’s identity might be significant for future investigations.
Redaction, which is usually done after the fact, involves hiding the identity of selected people in video footage. This is typically done in instances where an organization is sharing video with law enforcement, but it does not protect individual privacy in live streams.
The most effective method of anonymization, especially for organizations conducting video surveillance of public spaces, is dynamic anonymization. Using this approach, a VMS monitors actions and movements and automatically anonymizes individuals in live and recorded streams. Authorized personnel can unmask the video in the event of an investigation. In this way, dynamic anonymization both ensures individual privacy and supports law enforcement in their efforts to keep citizens safe.
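The following is an added worked example, written for this article rather than taken from it or from any vendor's product, that ties together the two points made above: the split between authentication (who is calling) and authorization (what they may do with which data), and the dynamic-anonymization rule that footage is masked by default and can be unmasked only by authorized personnel, with every decision written to an audit trail for the GDPR's record-keeping duties. Every role, rule, camera, frame and case reference in it is a constructed assumption.

```python
"""Added example (not the article's or Genetec's code): token-based
authentication, role-based authorization and default-masked video delivery
for a toy VMS, with an audit log of every access decision.
All roles, rules, cameras, frames and case references are constructed."""
from dataclasses import dataclass
from typing import List, Optional
import hashlib
import secrets
import time


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Camera:
    camera_id: str
    zone: str  # e.g. "public-street" (large-scale public monitoring) or "server-room"


@dataclass
class AuditEvent:
    ts: float
    user: str
    action: str
    camera_id: str
    allowed: bool
    case_ref: Optional[str]


class TokenStore:
    """Authentication: opaque bearer tokens. Only the SHA-256 digest of each
    token is stored, so a copy of this table cannot be replayed as a session."""
    def __init__(self):
        self._users_by_digest = {}

    def issue(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        self._users_by_digest[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def authenticate(self, token: str) -> Optional[User]:
        return self._users_by_digest.get(hashlib.sha256(token.encode()).hexdigest())


# Authorization rules (constructed): role -> set of (action, zone); "*" = any zone.
ACCESS_RULES = {
    "operator":     {("view_live", "*")},
    "investigator": {("view_live", "*"), ("view_recorded", "*"),
                     ("export", "*"), ("unmask", "*")},
    "dpo":          {("view_recorded", "*"), ("export", "*")},  # data-protection officer
}
# Actions that reveal identities: permitted only with a case reference on record.
PRIVILEGED_ACTIONS = {"unmask", "export"}


class Vms:
    def __init__(self):
        self.tokens = TokenStore()
        self.audit: List[AuditEvent] = []

    def authorize(self, token: str, action: str, camera: Camera,
                  case_ref: Optional[str] = None) -> bool:
        """Authenticate the token, evaluate the role rules, record the decision."""
        user = self.tokens.authenticate(token)
        if user is None:
            self.audit.append(AuditEvent(time.time(), "<unauthenticated>", action,
                                         camera.camera_id, False, case_ref))
            return False
        allowed = any((action, z) in ACCESS_RULES.get(role, set())
                      for role in user.roles for z in ("*", camera.zone))
        if action in PRIVILEGED_ACTIONS and not case_ref:
            allowed = False  # the role may permit it, but it must be justified and logged
        self.audit.append(AuditEvent(time.time(), user.name, action,
                                     camera.camera_id, allowed, case_ref))
        return allowed

    def get_frame(self, token: str, camera: Camera, frame: dict,
                  unmask: bool = False, case_ref: Optional[str] = None) -> dict:
        """Dynamic anonymization: person regions are blurred unless the caller is
        authorized to unmask. The masked form is the default; the input is not mutated."""
        action = "unmask" if unmask else "view_live"
        if not self.authorize(token, action, camera, case_ref):
            raise PermissionError(f"{action} denied on {camera.camera_id}")
        if unmask:
            return frame
        return {**frame, "persons": [{**p, "pixels": "<blurred>"} for p in frame["persons"]]}


if __name__ == "__main__":
    vms = Vms()
    cam = Camera("cam-17", "public-street")
    # Constructed sample frame: one detected person with a raw (identifying) region.
    frame = {"frame_no": 1, "persons": [{"bbox": (10, 20, 50, 90), "pixels": "<raw face>"}]}
    op = vms.tokens.issue(User("alice", frozenset({"operator"})))
    inv = vms.tokens.issue(User("bob", frozenset({"investigator"})))
    print(vms.get_frame(op, cam, frame)["persons"][0]["pixels"])  # <blurred>
    print(vms.get_frame(inv, cam, frame, unmask=True, case_ref="CASE-0042")["persons"][0]["pixels"])  # <raw face>
    for event in vms.audit:
        print(event)
```

The design choice worth noting is that unmasking is gated twice: the role table says whether the caller may ever unmask, and the case reference makes each individual unmask attributable, so the audit log answers both "who could see identities" and "why they did" when a data-subject or supervisory request arrives.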
Investing in Software
How can systems integrators help organizations get ready and stay compliant with the GDPR? One way is to stress the importance of the software running their systems. As threats and requirements change, so too will organizations have to adapt and evolve. For this reason, organizations need to look at purchasing software as an investment in a living technology that is constantly improving based on customer feedback, continued research and constant monitoring for new cybersecurity vulnerabilities.
When a technology company creates a strong relationship with its user base, they are able to use real-world feedback to help guide their software development cycles. This means that, as European companies work to meet the requirements of the GDPR, they will be contributing to improved privacy and security on a global level.
Beyond the EU
While it is important that global integrators get customers GDPR-ready, we cannot lose sight of the fact that concerns around privacy are on the rise everywhere. Increasingly, people, businesses, and governments are taking a closer look at privacy and how to keep PII secure.
The challenge of easy access to information while ensuring privacy has been with us for decades. As early as 1967, the United States established the Freedom of Information Act (FOIA), which provides the public with the right to request access to records from any federal agency, including records on an individual. The exemptions for such requests include the potential invasion of personal privacy. Thus, for almost 50 years, the U.S. has been managing some of what the GDPR will cover.
While it might be tempting to think that only European and multi-national organizations need to think in terms of GDPR compliance, the reality is that we all need to continue to think about the best way to balance privacy and security today and in the future.
Andrew Elvish is Genetec’s VP of Worldwide Marketing. Request more info about the company at www.securityinfowatch.com/10213771.