Privacy of Security Systems according to GDPR
 

GDPR Legislation
 

With the arrival of the new GDPR legislation, people whose personal data is processed acquire new rights. This calls for stricter guidelines and rules for organizations that process personal data, and it requires them to safeguard the privacy of the people whose information is processed. Camera and/or access control systems often process personal data.

Download our GDPR (AVG) Whitepaper

 

To help you get started with making your security systems compliant with the GDPR, we developed a Whitepaper (in Dutch only, for now). You can download the AVG Whitepaper for free. If you have any more questions or require a Security Privacy Scan, please feel free to contact us!


 
 
Security systems process personal data

If you're recording CCTV footage for security purposes and people are recognizably portrayed, then you are processing personal data. After all, the footage is collected, sometimes stored (temporarily) and used for surveillance. If your employees are granted access to your premises with an access card or token, the access control system will register who was granted access at what time. If this is done with a name or an ID number that can be traced back to a person, you are also processing personal data.

 
GDPR: what does this mean for you?

To be GDPR compliant with your (existing or new) camera or access control systems, you will need to take some precautions. The most important ones are listed below:

  1. Execute a Data Protection Impact Assessment (DPIA)
  2. Establish and maintain a register of processing activities
  3. Establish Data Processor Agreements with processors
  4. Take technical and organizational measures to prevent a breach of privacy
  5. Register and report data leaks

 

 
Organizational and Technical Measures

According to the GDPR, you need to take appropriate organizational and technical measures, tuned to the risks, to protect personal data. For camera and access control systems, hardening is a popular measure. This includes a password policy, encrypted connections to and from the system, and an active policy concerning software and firmware updates.

Organizational measures particularly involve timely communication and an authorization policy that determines who can view and process log files and/or camera footage. It's highly recommended that you take the protection of personal data into account as soon as you get started with designing a security system.

 
 

Security Privacy Scan

 

Existing security systems sometimes require additional technical and organizational measures to ensure that only the data specifically required for the stated purpose is processed. Mactwin can perform a Quick Scan for you to establish which additional measures are required to be GDPR compliant.

 

Request Security Privacy Scan

 
 
 
Other GDPR Services

Mactwin can support you in your quest to become GDPR compliant. Based on our experience, we developed several organizational (BIESS) tools. We can execute a Data Protection Impact Assessment (DPIA) for you and offer our clients the following BIESS GDPR documents:

  • DPIA template
  • Example of a processing register
  • Processing agreement concept
 
 
Ask our Specialists

Do you want to know more about GDPR in relation to security? Or do you want to know your risks and what measures are available? Please feel free to contact us!

Bjorn Brinkman
Consultant


Or call: +31 (0) 26 479 22 46