The European Union’s General Data Protection Regulation (GDPR)
The GDPR is a regulation created by the European Union that comes into force on 25th May 2018. What is it? How does it affect me in South Africa? Is there any reason why I have to conform?

The security industry is directly impacted by the GDPR: it regulates all companies processing the personal data of European Union citizens, regardless of where in the world the company is based. Yes, that includes you here in South Africa, because video footage of an identifiable person is considered personal data.

The regulation gives EU citizens new rights to access and remove their data while imposing restrictions on how that data may be collected. Fines can be up to 4% of worldwide turnover or €20 million, whichever is higher. It harmonises data protection regulation throughout the EU, thereby making it easier for non-European companies to comply. This is especially pertinent in view of the recent Facebook disclosures. It also addresses the export of personal data outside of the EU and replaces the 1995 Data Protection Directive.

The POPI Act

In South Africa the Protection of Personal Information Act (POPI) was signed into law by the President in 2013. However, POPI will only commence on a later date to be proclaimed by the President. This has not stopped any number of SA companies from offering POPI compliance workshops for a fee, even though the POPI Act (POPIA) deadline might only fall at the end of 2019 or into 2020. POPI requires all SA institutions to conduct themselves responsibly when collecting, processing, storing and sharing another entity’s personal information, and holds them accountable should they abuse or compromise your personal information in any way. This includes video footage.

Given that the GDPR’s grace period ends on 25th May 2018, two years after its adoption in May 2016, any organisation required to comply with both the POPI Act and the GDPR should focus on complying with GDPR first and POPI second. Lessons learnt through GDPR compliance can then be applied to POPI compliance. It might make sense to run one compliance project that covers both POPI and GDPR. That would save you from first complying with GDPR and then, at a later point, complying with POPI, although dealing with the overlap between the two data protection laws may be a challenge.

GDPR was developed with the intention of being a “global standard” of sorts, as expressed by Věra Jourová, the European Commissioner for Justice: “we want to set the global standard”. The GDPR forces non-EU companies to comply if, and only if, they are processing the data of EU citizens, thus effectively exporting data protection compliance worldwide. That means that most SA companies will have to align with POPI and need only a working knowledge of GDPR.

Additionally, the GDPR states that transfers of personal data to a third country can only take place if that country ensures “an adequate level of [data] protection.” So far, the European Commission has recognised only 11 countries, including the US and Canada, as providing this standard; it is notable that the EU is linking free trade deals to adequate data protection. This has led countries like Japan to update their own domestic data protection legislation to more closely resemble the GDPR while awaiting an “adequacy decision” from the EU. Since data centres, call centres and cloud storage options are offered locally to international organisations, it is important to know what regulations are being applied internationally and how they might affect you here in SA.

The GDPR Regulation

European standard EN 62676-4 describes the process of system design and operational requirement documentation. Through such documentation the end user could hold the integrator/installer accountable for compensation where GDPR requirements were ignored in system design or configuration.

Article 83 of the GDPR allows fines for both data controllers and data processors. So it is not only end users, i.e. data controllers, who could find themselves subject to GDPR fines; manufacturers or integrators who are considered data processors could also be fined. Suppliers who currently offer Cloud/VSaaS or remote management and maintenance options to end users could also be fined if the service does not comply with the rules, notably concerning EU citizens. This in turn might affect guarding or remote transmission companies running video and alarm monitoring centres. It is essential for the end customer to have very detailed documentation of, and awareness of, proper data handling in terms of GDPR.

Interestingly, the US currently does not have any legislation similar to the GDPR in the pipeline. However, it is worth remembering that many American companies are still affected by the GDPR, as the legislation covers any company which processes the personal data of EU citizens, regardless of where it is based.

The GDPR is also relevant to data breaches arising from cyber-security issues, where access may have been achieved through incorrect system design or backdoor scenarios. GDPR does not mandate the use of any specific technology or system requirements; however, if those systems leave you vulnerable to a personal data breach, then you run the risk of having to comply with the GDPR’s breach provisions laid out in Article 33 of the regulation. It is a good idea to run a full risk assessment to ensure that your system is secure, failing which upgrades might be necessary.

One key area the GDPR focuses on is correct notification. End users must at the very least put up signs indicating that video surveillance is taking place, but the GDPR goes further by stating what must be included:

  • The identity and contact details of the data controller
  • The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
  • Informing data subjects of their right to lodge a complaint with a supervisory authority
  • The existence of the right to request access, rectification, and removal of the data

Conclusions

Data protection is an organisational and technical process that does not always require specific products. The introduction of GDPR and POPI should be the kick start to review your current business processes and ensure full compliance. Even if you have older systems, you might well be okay if access to the data is properly controlled through risk mitigation such as physical security and IT and network security, including regular software updates.

It is often expected that installers and integrators know how to configure such systems to prevent security breaches similar to those seen recently in a number of cases within South Africa. Should you have any concerns or doubts, speak to those conversant with the risks and how they can easily be mitigated.

The days of installing a system, scanning a QR code and giving the customer the admin login might well be over. How do you intend to address the POPI and GDPR compliance requirements over the next few months? Come along to one of our free “Risk Inspired Solutions” seminars or contact us via telephone; 011 463 9797, website or email for more information.

Vision Catcher provides “Risk Inspired Solutions” to enable you to find key solutions that will mitigate risk to protect your children, family, property or business within the IT, Cyber and Physical Security space.
