Data privacy is regarded by many in the security industry as a challenge, even a threat, whether because of compliance costs, regulatory fines or potential liability.
But at least one integrator, after listening to a 90-minute panel discussion about the issue, described it very differently.
“It’s a tremendous opportunity,” he said.
The integrator was one of about 15 who attended the session at an event held by Security-Net in Austin, Texas, in late January. Kathleen Carroll, the chair of the SIA Data Privacy Advisory Board; Ryan Anderson, the director of outreach and strategic partners at the University of Texas Center for Identity; and I, as the panel moderator, addressed the group a few days after it was announced that Google had been fined 50 million euros ($57.2 million) for violating the General Data Protection Regulation (GDPR).
What was likely of more interest to the people in that room, though, was a 4,800-euro ($5,487) fine that had been imposed in October on a retail outlet in Austria whose video camera captured images outside the immediate vicinity of the establishment and, thus, beyond the area where signage notified passers-by of the surveillance. Although this was in Europe, it could have future implications for American companies.
“Congress is looking at the GDPR as a template for the United States,” Kathleen said. “It’s troubling. GDPR is extremely broad in its application.”
California’s Consumer Privacy Act is to go into effect in 2020, and while it has fairly high thresholds for what firms are covered – 50,000 records or $25 million in revenues or primarily in the business of selling personal information – one integrator noted that he had clients who possess that many records, so, “We, indirectly, might be on the hook.” This potential liability came up several times, especially as it was noted that several other states are considering similar laws, and data privacy is one of the few issues that has some bipartisan support in Congress. Ryan recommended that integrators perform a privacy impact assessment on projects in order to provide themselves with some legal protection.
In addition to concern, though, there was also the optimism noted above. With new regulatory demands being placed on end users, security companies may have the opportunity to develop new business models – and new sources of revenue – by offering enhanced services that combine risk mitigation with privacy compliance. It could be, as one integrator said, a new “value add.”
The Security Industry Association marked Data Privacy Day by continuing its efforts to help its members understand and manage the critical issue of protecting consumer data.
For more information, contact Ron Hawkins at firstname.lastname@example.org.