A security strategy for GDPR compliance – Privacy by design
On May 25 2018, the General Data Protection Regulation (GDPR) came into effect. For many, this shouldn’t have come as a shock.
Since the European Union announced the GDPR mandate over two years ago, many businesses have implemented tighter controls to protect people’s personal data. In fact, according to a recent survey by Coleman Parkes Research, 72% of organisations worldwide believe they will be ready for GDPR compliance. While this is great news, there are still many businesses that struggle to fully understand how these regulations impact their organisation or what they need to do to comply.
From a physical security perspective, there’s much to consider. That’s because most organisations collect and store personal identifiable information through the security solutions that safeguard their business. For instance, public video surveillance is considered a high-risk operation, and protecting this data is just one side of the coin. Under GDPR legislation, consumers also have greater levels of consent. This means that at any point in time, an EU resident has the right to access and view their personal information, including any images or video of them. If a company fails to deliver, not only will they face hefty fines but the damage to their reputation could be immense.
The public demand for more protected and private data – as played out in the recent Facebook revelations – along with the threat of serious financial penalties, has thus accelerated the motivation and urgency for organisations to implement security technologies that are designed, from the start, with data privacy and protection in mind. This approach is known as Privacy by Design. Below, we’ll explore how this strategy helps businesses acclimatise to changing data regulations to protect people’s privacy and keep information safe over the long term.
Building a system that respects privacy
Designing compliance into existing security technologies is difficult. Many businesses with legacy security equipment or older proprietary systems will have a harder time attaining GDPR-compliance. Some security systems simply cannot enable and support the fundamentals of data security and privacy which ensure confidentiality, integrity and availability of data. While an organisation could try to patch solutions onto existing systems and infrastructures to help mitigate risks and become compliant, vulnerability could still lurk.
For instance, if a retail shop receives a request from a customer to see collected video footage, will that retailer be able to safely share those video files while protecting the identities of other individuals in the frame? Or, what would happen if a hospital’s busy security team failed to notice a camera going offline, and that one device becomes the pathway to a breach of patient information?
Implementing a unified security solution that is built with the latest privacy features in mind is a must. It allows each organisation to design a security platform that empowers their team to effectively do their job –safeguarding people and assets – while protecting video data and individual privacy.
Each business must be able to hand-pick and enable privacy protection capabilities which are best suited for their unique environment. These can include:
- Encrypted data and video communication which extends from the device to the user application and to archiving. Encryption essentially protects an organisation’s information by using an algorithm to translate readable text and video into an unreadable format, making data undecipherable to prying eyes.
- Automatic anonymisation capabilities which obscure individuals’ identities in a video frame. This feature transfers high-risk data to the low-risk category, allowing operators to see what is happening in video footage without violating anyone’s privacy.
- Digital evidence management which helps companies securely deliver data to EU citizens on request. Instead of burning copies of video on to a CD or USB stick, a manager could send an email to the recipient which would include a link to the file. This would include set permissions to only view the video. Built-in redaction obscures any other individuals’ faces to uphold privacy.
- User privileges and audit trails which ensure integrity of the data stays intact. Organisations can provide access rights to groups or individuals for specific resources, data or applications and define what users can do with these resources. Audit logs show who accessed the files, either validating or disproving any suspicions of tampering.
- Built-in health monitoring which alerts operators to devices going offline, or any other system vulnerabilities. When they know about these events, they can immediately take action to ensure the system is optimised and safe from bigger threats. After all, only the most resilient security system can ward off cybercriminals and guarantee the highest levels of privacy.
Prioritising Privacy by Design
The days of complacency are over. Data laws are changing, and organisations must be able to adapt. GDPR legislation will continue to evolve, which means protecting privacy will also be an ongoing discussion and process. In today’s climate of big data, deep learning, machine learning, and artificial intelligence (AI), organisations require solutions that must be designed with privacy protection as a default. Stringent-yet-flexible solutions will help these organisations adjust and adapt their protection methods to meet mandates, but also to deliver a greater trust demanded by public and private customers.
Paul Dodds
Country Manager, UK & Ireland, Genetec
