For some time, data laws in Europe have been open to interpretation. From one country to the next, companies conducting business or protecting assets would adapt their infrastructure and policies to local standards. Now, in less than a year, that is all going to change. On May 25, 2018, the European Union’s General Data Protection Regulation (EU GDPR) will come into effect. Jean-Philippe Deby, Business Development Director Europe for Genetec takes a look at the implications.

Essentially, the GDPR mandates that businesses adhere to specific governance and accountability standards in the processing and protection of data. The scope of data being regulated is as predictable as personal and banking information of customers, and as extensive as video surveillance footage of individuals on or around a property. It also requires that businesses report any data breaches within 72 hours. Failure to comply to these new regulations could result in up to 20 million Euros in penalties or 4% of the company’s global annual turnover.
On one hand, the GDPR will make it easier for companies to manage data across many different countries because laws will be standardized. It also provides the consumer with greater levels of consent, giving them access rights to their own data and decision power over how it is used or distributed.
On the other hand, these new guidelines and laws will hold all companies operating in the EU accountable for the information they collect, manage and store. This includes foreign companies that do not even have a physical presence in the EU, but that might process transactions or collect any type of data from EU residents and organizations.
With a heavy penalty looming, everyone from big multi-national retail chains to small and medium sized businesses are understandably asking questions. While there is much to be considered about the GDPR, this article will highlight the implications for data derived specifically from physical security systems and what businesses can do to ensure compliancy before these new laws come into effect.

From High to Low
According to the GDPR, there is a clear distinction between the risk levels of data. Physical security data spans all levels from high to medium to low risk. Data derived from a system that captures massive amounts of personal information, without explicit consent, is considered high risk. This includes information that shows who a person is, where they are and any other specifics about them. Therefore, businesses who use video surveillance technology to monitor public spaces would be dealing with high-risk data.
Another form of high-risk data comes from analytics and technologies such as automatic number plate recognition (ANPR) systems because these solutions associate a vehicle with a person in a specific location. On the other end of the spectrum, data is classified as low-risk when it is not associated with any individual and their privacy.

All Change
So why is this important? Businesses with systems collecting high-risk data need to ensure its utmost protection. They also must secure access to the systems and servers storing the information. To adhere to these regulations, companies might need to change corporate policy to restrict system or data access privileges. They might also need to upgrade systems to take advantage of advanced cyber security measures such as encrypted communications, built-in data and privacy protection capabilities, strong user authentication and password protection.
Investing in technologies that can automate privacy protection could also help companies quickly adapt to these new laws. One example is having video redaction capabilities to blur out people’s faces in video. This feature transfers high-risk data to the low-risk category, allowing operators to see what is happening in video footage without violating anyone’s privacy. Other tools such as an intelligent investigation management system could help companies securely share digital evidence with police or deliver data to EU citizens on request, while maintaining strict access and privacy rights.

Take Ownership or Outsource?
Another important distinction is between what the GDPR refers to as Data Controllers and Data Processors. Any company that collects and controls private information is a Data Controller. However, small or medium sizes businesses may not have the resources to properly manage the collected data. Therefore, the GDPR makes concessions for companies who need to outsource some of the responsibility to service providers, known as Data Processors.
For instance, a retailer could decide to implement solutions by Genetec such as Stratocast, the Video Surveillance as a Service (VSaaS) solution, and Retail Sense, an advanced customer analytics solution. These solutions come with built-in privacy protection and cyber security mechanisms that help businesses adhere to new privacy laws. However, it is not a full transfer of risk. The retailer would still be responsible for issuing and managing system access privileges, ensuring password choices are strong, and essentially, limiting data to those who can view or extract it.
From an operational perspective, the company would be able to collect all types of statistics on customer traffic such as the number of people who entered a store at any given time. While numbers are computed from video surveillance footage, the Retail Sense solution would deliver this information without any association to a specific individual. This keeps the risk low, but still provides valuable operational intelligence to the retailer.

Best Practices
With so much to consider, here are three ways companies can start the process of securing their physical security systems and derived data as per the GDPR.

1. Get Involved in the Discussion
   Start talking to your consultants, integrators and suppliers about GDPR. Find out what they are doing in terms of privacy and data protection and what steps they are taking to help businesses comply with the legislation. Keep in mind that the GDPR requires every company to appoint a data protection officer (DPO), who must be independent from any IT, risk, or VP-level functions.
2. Evaluate Your Current Systems
   Conduct a gap analysis to identify what works and what might require improvement in accordance with the new regulations. Consider upgrading to solutions that will help you effectively manage the security and privacy of your systems, without requiring large capital or human resource investments. Also, consider systems that can easily span geographic boundaries. This will allow you to easily standardize on processes and policies in all countries.
3. Consider Cloud-Based Services
   Investigate and get quotes on services or solutions outside your own datacenters. Learn how the SaaS model or any cloud-based applications could help your business become more efficient at adhering to these new laws. Top-tier cloud providers offer all the built-in security and privacy mechanisms, and facilitate updates to ensure your system always has the latest fixes and capabilities.
   Data laws are changing around the world. To keep pace, businesses need to seriously consider how their security technology investments will help them manage risks. With the GDPR deadline only months away, now is the ideal time to re-evaluate practices, partner with forward-thinking vendors and adopt technologies that will help them meet privacy and data protection laws. With the right partners and technologies on their side, businesses can minimize risk, avoid costly penalties and be ready for anything as these laws continue to evolve.