In this article, we will look at GDPR in relation to security and why compliance is important for all businesses
Europe is now covered by the world’s strongest data protection rules. The mutually agreed General Data Protection Regulation (GDPR) came into force on May 25, 2018, and was designed to modernise laws that protect the personal information of individuals. In this article, we will look at GDPR in relation to security and why compliance is important for all businesses.
Many businesses are still not GDPR compliant when it comes to security
News articles have highlighted that many businesses are still not GDPR compliant, and statistics from the ICO show that the number of incidents (such as data protection breaches, failure to comply with notices and prosecutions) has increased since GDPR came into force.
Research undertaken by TrustArc within the IT and Legal sectors showed that only 1-in-5 of the 600 companies surveyed believed they were GDPR compliant in July this year. While 53% were still in the implementation phase and 27 % had not yet started their implementation. EU companies, excluding the U.K., are further along, with 27% reporting they are compliant, versus 12% in the U.S. and 21% in the UK, It certainly seems that a lot of UK businesses are probably not GDPR compliant even after a two-year time-frame to prepare. One of the main reasons why businesses appear to have failed in meeting the GDPR deadline is the complexity of the regulations.
GDPR: a quick overview
Data protection rules affecting Europe were first created during the 1990s but struggled to keep pace with rapid technological changes. GDPR altered how businesses and public sector organisations handle the information of their customers. It also boosted the rights of individuals and gives them more control over their information.
In the full details of GDPR, there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. There are eight rights for individuals. These include allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of people they collect information about.
In terms of biometrics and CCTV, there are very clear clauses which set out the ways in which businesses must comply with the new regulations. We have previously written in depth about GDPR and CCTV, and GDPR in terms of processing biometric information, so please do read these articles if you are unsure of the detail.
GDPR: Who is in charge in the UK?
The Department for Culture, Media and Sport is the government arm responsible for ensuring that UK law complies with the requirements of GDPR. The government body was also responsible for creating the UK’s Data Protection Act but won’t have control of the day-to-day elements of GDPR once it is enforced.
The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR. The ICO has the power to conduct criminal investigations and issue fines. It is also providing organisations with huge amounts of guidance about how to comply with GDPR.
Don’t take the risk
One of the biggest, and most talked about, elements of the GDPR has been the ability of regulators to fine businesses that don’t comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If it requires and doesn’t have a data protection officer, it can be fined. If there’s a security breach, it can be fined.
On the 3rd July Noble Design and Build of Telford, Shropshire, which operates CCTV systems in buildings across Sheffield, broke data protection laws by failing to comply with an Information Notice. It was first pulled up on this in September 2017, when it was also told to ensure that it had the appropriate signage in place to alert people to the fact CCTV was in use. The company failed to register with the ICO, despite it being a criminal offence not to do so. The business failed to take any heed of two further reminders, as well as an information notice and so ended up in court. On Monday 2 July 2018, the company was convicted at Telford Magistrates’ Court and fined £2000.
Registering with the ICO
It is important for businesses to show due regard for the personal data of their customers, especially if those customers are vulnerable persons e.g. care homes, hospitals or local councils. Directors and officers of unregistered companies should be wary of breaching the DPA in this regard, as they might receive an unwanted criminal record for their organisation’s non-compliance. Registering with the ICO is not expensive: small organisations (maximum turnover of £632,000 or no more than 10 staff) pay £40 a year, while SMEs (maximum turnover of £36m or no more than 250 employees) pay £60. These are small figures when you consider that fines are usually several thousands of pounds or more.
Do you have CCTV or use biometrics?
If you have CCTV installed at your premises, or use any form of biometrics to capture and store personal data, then it’s very important that you are GDPR compliant. Identifiable imagery is considered ‘personal data’ under GDPR regulations and therefore requires the person who is handling it (the ‘Data Controller’) to act in a responsible manner. All Data Controllers must be able to justify how their business obtains and uses personal data by means of a CCTV system.
With regards to biometrics, the GDPR does not overtly suppress the ways in which you can use biometric data, but it does emphasise the need for caution. Before processing biometric data organisations should:
- Collect data for a valid reason, fairly and transparently, with the subject’s permission
- Store it safely and securely
- Use it for the purpose for which it was collected
- Retain it for only as long as it is relevant and reasonable
Any truly effective approach to GDPR compliance must cover three aspects – prevention/ technology, people and process. With the right guidance and help, meeting the GDPR’s data security requirements can lead not just to compliance but also to an enhanced security posture and business benefits. Businesses and organisations impacted by GDPR have had two years to get their systems ready – if you are still struggling with compliance, don’t wait any longer. Audit now or you may be at risk of a large fine or prosecution by the ICO.
As installers of CCTV systems, and providers of biometric control systems, Almas Industries are well placed to help businesses with the physical security aspect of GDPR compliance. You can arrange your free, no obligation security survey by calling us on 0333 567 6677. If you prefer, you can always send a confidential email via [email protected].
- The full regulation. It’s 88 pages long and has 99 articles.
- The ICO’s guide to GDPR is essential for both consumers and those working within businesses.
- EU GDPR is full with information on the regulation. It details all you need to know
- The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.