GDPR and the Security Industry
The European Union’s (EU’s) General Data Protection Regulation (GDPR) on data privacy went into effect on May 25, 2018. The law gives consumers more control over how their data is collected and requires companies to justify what they do with this information. It also gives companies guidelines on what they can and cannot do with personal data and requires them to be more clear about their data practices.
While GDPR is EU legislation, it impacts companies outside Europe, including U.S.-based businesses. Under GDPR, companies (including security solutions firms) will need to follow the law’s guidelines when collecting or using personal data, including names, contact information and images taken on security cameras. If your company deals with European individuals in any other country, it’s critical to ensure you are GDPR compliant to avoid penalties. Learn more about GDPR and how it relates to the security industry and your company here.
Video: What Is GDPR?
This video, produced at ISC West 2018, featuring Susan Ross, Esq., of the law firm Mitchell Silberberg & Knupp LLP, Jasvir Gill of Alert Enterprise and Lora Wilson of Axis Communications, provides a quick overview of GDPR.
Slides: GDPR’s Impact on the Security Ecosystem and How to Prepare
In addition to producing the above video, SIA coordinated a panel at ISC West featuring Susan Ross, Jasvir Gill and Lora Wilson. This 16-page slide deck provides greater detail on the specifics of GDPR and recommended actions that companies should pursue to be in compliance with the regulation.
GDPR applies to the citizens of these nations: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lichtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom. (Underlined countries indicate non-EU nations which are also adopting GDPR.
What Organizations Must Do to Comply With GDPR
Organizations are responsible for complying with Data Subjects Rights for all PII data collection, lawfulness of processing and retention.
- Privacy by Design (classifications and segregation of PII)
- Audits and Reports of PII data management through Personal Data Register
- Security (pseudonymisation, encryption, minimization)
- Consent & Transparency ( clear, concise, intelligible and easy accessible)
- Monitoring and responding to changes in compliance mandates
- Managing and governing Data Processors and Third-Party interaction relative to the processing and handling of PII.
- Notifying Supervisory Authorities of data breaches within 72 hours of breach discovery
SIA Privacy Profile References
SIA has compiled a variety of GDPR references for physical security and identity in the United States.
GDPR Fact Sheet 1
This fact sheet shares an overview of GDPR and its global impact, answers to key questions, useful acronyms and Privacy Shield considerations
GDPR Fact Sheet 2: Operational Privacy
This fact sheet shares an overview of operational privacy for security services, key GDPR terms and helpful resources.
More Resources to Come
SIA is producing additional content, including videos and fact sheets, to help provide members education on this important topic. These resources will be added to this page when available.