GDPR Legislation
With the advent of the new General Data Protection Regulation (GDPR), individuals whose data is processed will have more rights. Stricter rules have therefore been set for organizations that process personal data: they must ensure that the privacy of the individuals whose data is processed is safeguarded. Camera and/or access control systems process personal data in many cases.
Security systems process personal data
Video recordings made for security purposes often show individuals who are recognizable in the images, which means personal data is being processed. Indeed, video footage is collected, sometimes stored (temporarily) and used for surveillance purposes. If your employees access your premises with an access card or tag, the access control system will record who was granted access and when. If this is recorded by name or by a traceable identification number, that is also processing of personal data.
GDPR: what does it mean for you?
To achieve GDPR compliance with your (existing or new) camera and/or access control system, you will need to take a number of steps. The main five are listed below.
- Conduct a Data Protection Impact Assessment (DPIA)
- Create and maintain records of processing activities
- Enter into processor agreements with processors
- Take technical and organizational measures to prevent privacy breaches
- Register data breaches
Organizational and technical measures
According to the GDPR, you must take appropriate – risk-based – organizational and technical measures to protect personal data. For camera or access control systems, “hardening” is a commonly used measure. Consider having a sound password policy, using encryption for connections to and from the system(s), and having an active policy regarding software and firmware updates.
Organizational measures mainly have to do with timely communication and an authorization policy that regulates who may view and process log files and/or camera footage. It is advisable to take the protection of personal data into account as early as the design stage of a security system.
Other GDPR services
Mactwin can support you in performing the aforementioned steps. Based on our experience, we have developed several organizational (BIESS) tools. For example, Mactwin can perform a Data Protection Impact Assessment (DPIA) for you upon request, and we offer our clients the following BIESS GDPR documents:
- DPIA Template
- Sample register of processing operations
- Draft processor agreement
Ask your questions to our specialists
If you have any questions, our staff is here to help. We are happy to tailor solutions to your specific needs. Feel free to contact us!