By AMAG Technology, Vice President of Products and Partner Programs, Dave Ella
Organizations using AMAG’s Symmetry Security Systems throughout the European Union [EU] are preparing for the new General Data Protection Regulations (GDPR) which take effect from May 2018. GDPR will require organizations who control or process personal data from EU residents to obtain consent from employees, visitors and contractors for data stored in physical access control systems. Organizations will need to define why the data is needed and when it will be removed. The new regulations reflect the cloud hosted nature of many current information systems, but also have implications for on premise installations which are typical of security systems. Fines for non-compliance are steep – up to 4% of annual global revenue – so these are regulations which organizations must take seriously.
Multi-national organizations with a single access control system spanning North America and Europe will potentially be affected by the new regulations, as a database held on premise by an organization in North America will be subject to the new regulations in the same way. If a third party organization such as a security integrator is either hosting the server or managing it on a day to day basis, there are potential implications for that third party, even if they are not situated in the EU.
Access control systems are capable of holding extensive levels of personal data and, as with previous regulation, organizations need to ensure that the data held is relevant and justifiable. It is easy for an organization to import data from an HR system which is not directly necessary to the specific security application. Retention periods, particularly for the personal data of former employees, contractors and visitors, also need to be considered.
An important new aspect of the GDPR regulation includes data from which a person’s location can be calculated. While this is presumably targeted at web applications which track cell phone location, physical access control systems do hold data related to who has gone where and when, so the responsible parties within an organization need to take this into account. As with any new regulation, it is unclear how this will be interpreted in a real-world scenario.
GDPR broadens the definition of ‘personal data’ to mean anything that could identify a person, for example an email address, home address, job title or the type of car one drives. Other identifiers could include gender, political views, biometric information and personal interests.
There is a strong link between GDPR and cyber security, since the security of the data being held is understandably seen as of great importance under the regulations. It is important that AMAG customers have hardened their system using IT best practices and have considered using the encryption mechanisms within the Symmetry system.
With web based applications in mind, the regulations now insist that people explicitly agree for their personal data to be held by a system – typically by proactively ticking a box in a sign-up screen which must be empty by default. How that will be interpreted for the systems of organizations which need to hold personal data, such as HR and payroll systems – and security systems – is not yet totally clear, and statements in employee terms and conditions of employment may still be sufficient. Visitor Management systems need to be considered too, as some personal data of visitors, either in a Symmetry database or as video, will also normally be held.
Video Management Systems and the retention periods for storage of video data fall under the GDPR regulations as well. As with all personal data recorded by business systems, as long as there is a genuine need for the data to be held for a given length of time, and the systems have been considered and recorded by the organization’s data protection officer in line with the new regulations, there should be no major implication for the Symmetry user in terms of the continuation of their physical security arrangements.
AMAG certified resellers with customer sites in Europe, and security managers in Europe, should familiarize themselves with the new regulations and co-ordinate with each organization’s data protection team to ensure that their activities are fully compliant.
To learn more visit: http://www.eugdpr.org/
By AMAG Technology, VP of International Sales, Ramon Grado
An industry colleague recently reminded me, “Perfection is the enemy of ‘Good Enough’.” So what does that have to do with Physical Security and Physical Security Information Management (PSIM)? As security professionals, shouldn’t we strive to do our very best to protect people, property, assets and reputations?
The answer is a resounding “Yes, but…” Most of us work under the constraints of limited resources, be they CAPEX and OPEX funds, time, personnel or energy. So, as a result, expenses get spared, people get cut, projects get scaled back or delayed and the goal of increased Situational Awareness and an improved response to threats becomes a faded or distant vision.
Borrowing from a fellow blogger, “PSIM systems are ungodly expensive. Not only that, but they take 12-18 months on average to implement. And at the end of the day, for all that valuable Security budget, PSIM doesn’t provide a complete solution.” While not all PSIM projects go that way, it is a fair description of most large-scale attempts to connect the unconnected. Most of you already manage physical security information to some degree. Increased Situational Awareness begins with defining objectives. The next step should be looking at existing tools, not always looking to place an overhead layer above them.
Surprise: some of the tools you are using, including AMAG’s Symmetry access control system, have the capability to provide increased Situational Awareness by allowing users to better manage the information they already capture, transmit, analyze, display and store. It is often a matter of adding context, not necessarily cost. This can be accomplished by activating existing functionality such as Visitor Management, Threat Level, Video Analytics or Workflows. Symmetry also offers integration with complementary systems such as VMS, intercom, biometrics, EAS, IDS and yes, if you require it and have the budget, full-blown PSIM systems.
So we return to my original point: what is good enough? This raises the question, “What are you trying to accomplish?” If we cannot define what we are trying to accomplish, then we are not prepared to evaluate solutions. As some end users of security systems are finding, often the solution to their particular security problem is just an enhancement to their existing system(s), or simply taking advantage of the features that are already embedded and available in them. Often all that is needed is some additional training or orientation; in the worst case, a minor investment in expansion modules and/or Professional Services to create increased Situational Awareness.
Food for thought for next time: why do end users spend so much time, effort and money on systems to record and playback video of the horses leaving the barn instead of spending a little more on systems aimed at controlling access and keeping the barn door closed in the first place?