According to the GDPR, you need to take appropriate (tuned to the risks) organizational and technical measures to protect personal data. For camera and access control systems, Hardening is a popular measure. This includes password policy, encrypted connection to and from the system and an active policy concerning software and firmware updates.
Organizational measures particularly implicate timely communication and an authorization policy that determines who can view and process log files and/or camera footage. It’s highly recommended that you take the protection or personal data into account as soon as you get started with designing a security system.