The new General Data Protection Regulation has a major impact on data and personal information, but also on access control and identity management. How can organisations stay in control? Together with the experts of Privacy Management Partners, Nsecure works with you to prepare your systems for the introduction of the GDPR. Over the course of the next few days, we will cover the most important points of attention in a series of blog articles.
“The GDPR is about proactively thinking about what you want to do with personal data and communicating properly regarding these purposes,” says Joris Hutter (partner at Privacy Management Partners). Every organisation has its own processes. In addition to the process itself, it is also important to identify the phases or components of each process. What category do certain systems or solutions fall into? What is the resulting data permitted to be used for? Who has access to this data, and is it shared with anyone else? “One example is camera surveillance. This falls into the category of ‘tracking systems.’ Obviously, organisations are permitted to install cameras at and around a location. The main thing is that you inform people about the cameras’ presence and are able to substantiate what is being done with the footage. For how long is it stored? And for what purpose? Do you share the footage with any third parties?”
Once the process has been mapped out, organisations must evaluate their partnerships with external parties, such as security companies, receptionist services or marketing agencies. If any of those external parties process data from the security process, clear agreements must be made with the parties in question. These agreements are recorded in processing agreements. Hutter: “If an organisation uses an external security company to handle its access control, clear instructions must be drawn up regarding what the security company is allowed to do with the data and what measures it must take to protect the data. Furthermore, those involved have the right to know what personal data of theirs is being processed. They may also request to have their personal data rectified or deleted. As an organisation, you must have procedures in place for these kinds of situations.”
The general principle is that a more significant (potential) impact on privacy or security requires stricter measures. For that reason, organisations must conduct a Privacy Impact Analysis (PIA) in certain situations. The magnitude of the risk differs per situation, due to variables such as the nature of the processing (increased risk of theft or fraud), the scope (large volumes of data), the context, or the purpose of the processing (information is used for decision making).
Specifically, a PIA is required when camera surveillance is used in public areas. Observation services that process privacy-sensitive data often also involve increased risks, thus necessitating a PIA. Many organisations have already conducted these analyses in preparation for the GDPR, but the results must be kept under review: the purposes of, or insights into, data processing may change, and with them the outcome of the PIA. In such an event, the PIA may need to be modified or redone.
In some situations, it can be difficult to correctly interpret the principles of the GDPR. For example, the use of biometrics for access control is permitted under certain conditions. However, these conditions, such as necessity and proportionality, are open to interpretation. In other words, there is still plenty to think about.
The GDPR will enter into effect on May 25th. Together with Privacy Management Partners, we work with you to find ways to become GDPR-compliant without disrupting your operations. Over the course of the next few weeks, we will be publishing a series of articles about the GDPR in relation to specific topics to do with access control. If you want to stay up to date or learn more about this subject, please follow us on LinkedIn or Twitter or contact us via email@example.com.