A guide to GDPR for Security
The third in our series of GDPR guides targeted at specific functions, this time focusing on security. This bite-size guide will cover the top preparations and key themes you should concentrate your efforts on to ensure your security-related activities are ready ahead of the May 2018 deadline.
With the General Data Protection Regulation (GDPR) deadline just around the corner, it is important to consider how it will impact you and the way in which you collect, process and store information about people as part of your security activities.
Any data that you collect, process and share about employees, contractors, consultants, customers, suppliers, clients or visitors must comply with the principles of GDPR.
Top three preparations
Whether they relate to personnel, physical or IT security, there are a number of things that need to be done to ensure your security-related activities are ready for when GDPR takes effect on 25 May 2018. Here we are focusing on the three main ones we are seeing with our clients.
Know your suppliers
You should know, in detail, what any third parties are doing to collect and/or process personal data on your behalf, including how and where they are storing and sharing that data. This must include those involved in activities such as operating CCTV, as well as those conducting pre-employment checks on your behalf.
Design privacy into procurement
It is important that any security-related services and/or products consider privacy right from the start. Where they are likely to involve higher-risk processing, for example the use of body-worn video by physical security staff, a data protection impact assessment will be needed.
Be clear about your objectives
Many security-related processing activities are very intrusive or can involve collecting very detailed information about an individual. You must be clear about what it is you are looking to achieve and ensure all related policies and procedures reflect that, including what you tell the people who are impacted by the processing.
Top themes to focus on
Privacy by design
Privacy must be considered from the point you decide to procure a service or product, as many of them can be intrusive. You should first define the objectives you are looking to achieve, as this will drive the personal data you need to collect and how long you should keep it. It is important that any changes to the procurement, or to the system/product once it is operational, consider any impact on privacy.
Some physical security services can involve a number of different parties. For example, an organisation may contract a firm to provide security services and they, in turn, may engage another party to operate the CCTV system. Data mapping will help to clarify where personal data is moving around the ecosystem and the responsibilities of the different parties involved. This is also the case when engaging with a third party to carry out pre-employment checks on your behalf.
Data subjects' rights
Individuals are able to exercise their rights to obtain access to their personal data that is collected by security systems, such as CCTV or swipe access records. The policies and procedures for responding to requests from people exercising their rights must be documented and the appropriate levels of sign-off defined. It’s a good idea to test these procedures ahead of the deadline to see how quickly and effectively you can respond to the different types of requests.
We have a whole host of other supporting material on this subject which can be found here.
Published date:  10 March 2018
Written by:  Stephen Bailey