Page 23 - Security Today, July/August 2018
ing collected from them and have the right to make decisions on how it is used or distributed. PII includes an individual’s name, home address, images, bank details, social networking posts, medication information, IP addresses, mobile device ID and data collected through the IoT.
Some North American companies believe that, because they are not located in the European Union, the regulation does not apply to their operations. What they fail to recognize is that the GDPR applies to any organization that processes the personal data of people in the EU, whether it is offering them goods or services or simply monitoring their behaviour, for example by collecting data from EU visitors to its website. The test is where the individual is when the data is collected, not their nationality or where the organization is based. Ultimately, if you are collecting PII from people within the EU, your organization is going to be held accountable, regardless of where you are located.
The Global Benefits of the GDPR
North American companies should not be nervous about complying, particularly in light of the new reporting requirements around breaches. We know that mitigating the risks associated with a system breach requires early detection. We also know that, with the increased connectivity between systems and the sharing of information between organizations, a breach at one organization can have a significant impact on others. As a result, when a company reports a breach quickly, it goes a long way to reducing potentially disastrous outcomes.
The GDPR states that, in addition to new record-keeping requirements for collecting, managing, modifying, storing and analyzing PII, companies must also abide by mandatory breach reporting rules. A personal-data breach must be notified to the supervisory authority within 72 hours of the organization becoming aware of it, and, where the breach is likely to put individuals at high risk, the affected individuals must be told without undue delay. In this way, the regulation, which is designed to help European citizens, will also help protect our global networks.
Now That You’re Convinced, What Can You Do?
The first step on your road to compliance with the GDPR is to talk with the experts. If your company has a compliance department, reach out to them. They are probably already working on it and will have many of the answers to your questions.
What questions should you be asking? Typically, you are going to have to look at all the data you are collecting to see if you need to comply. Once you determine whether or not your company will be subject to the regulations, you have to see what, if any, additional controls you will need.
To help organizations build a solid foundation for continued compliance over the long term, the regulation requires data protection by design and by default (Article 25): privacy controls must be built into the processing from the outset, not bolted on afterwards, so simply deploying add-on options will not meet its requirements. This means that organizations are going to have to work with vendors who, in addition to understanding the importance of keeping systems and networks secure, focus on providing the tools and features that can continue to make this possible.
Specifically, solutions that implement privacy by design allow companies to leverage the latest technologies to encrypt their data— both in motion and at rest—keeping it hidden from prying eyes. They also allow for a high level of identity assurance by authenticating user access in order to make sure that everyone—app, user, server—is who they claim to be.
At the same time, organizations are going to have to ensure that they control access to personal data. This is particularly important as companies grow in size and reach and as they share data with stakeholders outside their organizations. A company must allow enough access for people to do their jobs effectively, and no more, so that nobody's PII is put at risk by accounts that can see data they do not need.
How to Protect Individual Privacy
Under the GDPR, video surveillance is considered a high-risk processing operation: systematic, large-scale monitoring of publicly accessible areas is explicitly listed among the operations that require a data protection impact assessment (Article 35). As a result, companies will have to implement controls that allow them to protect individual privacy in video streams both as they are being captured and then once they are shared or stored. There are a variety of methods of protecting privacy in video surveillance, including permanent masking, redaction, and dynamic anonymization.
The most basic method is permanent masking. This involves irreversibly anonymizing individuals in video footage. Because the masking cannot be removed, this method is not ideal in situations where a person's identity might be relevant for future investigations.
Redaction, which is usually done after the fact, involves hiding the identity of selected people in video footage. This is typically done in instances where an organization is sharing video with law enforcement. But it does not protect individual privacy in live streams.
The most effective method of anonymization, especially for organizations conducting video surveillance of public spaces, is dynamic anonymization. Using this approach, the video management system (VMS) monitors actions and movements and automatically anonymizes individuals in live and recorded streams. Then authorized personnel can unmask the video in the event of an investigation. In this way, dynamic anonymization both ensures individual privacy and supports law enforcement in their efforts to keep citizens safe.
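The security-relevant difference between permanent masking and dynamic anonymization is where the original pixels end up: in the first case they are destroyed, in the second they are retained but must be recoverable only by an authorized party. The following Go program is an added illustration of that distinction and is not Genetec's code or anything from this article. It works on a constructed 8x6 grayscale frame with one constructed detection box; the frame layout, the Box type and the idea that a single AES-GCM key is held by an investigations role are all assumptions made for the example. Each masked region is sealed with the box coordinates as associated data, so a sealed blob cannot be moved to another position, and any attempt to unmask with the wrong key or with altered data is refused outright.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Frame is one 8-bit grayscale frame stored row-major (assumed toy layout); masking writes 0 (black).
type Frame struct{ W, H int; Pix []byte }

// Box is a detection region: top-left corner plus width and height, in pixels.
type Box struct{ X, Y, W, H int }

// Sealed is the AES-GCM ciphertext of one masked region; without the key it is opaque.
type Sealed struct{ Box Box; Nonce, CT []byte }

// swapRegion overwrites b with src and returns the pixels that were there, so one helper
// serves masking (src = zeroed fill) and restoration (src = recovered pixels).
func (f Frame) swapRegion(b Box, src []byte) ([]byte, error) {
	if b.X < 0 || b.Y < 0 || b.W <= 0 || b.H <= 0 || b.X+b.W > f.W || b.Y+b.H > f.H {
		return nil, fmt.Errorf("box %+v outside %dx%d frame", b, f.W, f.H)
	}
	if len(src) != b.W*b.H {
		return nil, fmt.Errorf("box %+v: want %d pixels, got %d", b, b.W*b.H, len(src))
	}
	old := make([]byte, 0, len(src))
	for y := 0; y < b.H; y++ {
		row := f.Pix[(b.Y+y)*f.W+b.X:][:b.W]
		old = append(old, row...)
		copy(row, src[y*b.W:])
	}
	return old, nil
}

// PermanentMask blacks out every detection and discards the originals for good.
func PermanentMask(f Frame, boxes []Box) (Frame, error) {
	out := Frame{f.W, f.H, append([]byte(nil), f.Pix...)}
	for _, b := range boxes {
		if _, err := out.swapRegion(b, make([]byte, b.W*b.H)); err != nil {
			return Frame{}, err
		}
	}
	return out, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// boxAAD binds a sealed region to its position so a blob cannot be replayed into another box.
func boxAAD(b Box) []byte { return []byte(fmt.Sprintf("%d,%d,%d,%d", b.X, b.Y, b.W, b.H)) }

// DynamicMask blacks out like PermanentMask but first seals each original under key (investigations role).
func DynamicMask(f Frame, boxes []Box, key []byte) (Frame, []Sealed, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Frame{}, nil, err
	}
	out := Frame{f.W, f.H, append([]byte(nil), f.Pix...)}
	var sealed []Sealed
	for _, b := range boxes {
		orig, err := out.swapRegion(b, make([]byte, b.W*b.H))
		if err != nil {
			return Frame{}, nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return Frame{}, nil, err
		}
		sealed = append(sealed, Sealed{b, nonce, aead.Seal(nil, nonce, orig, boxAAD(b))})
	}
	return out, sealed, nil
}

// Unmask restores sealed regions; a wrong key, altered ciphertext or relocated box fails GCM authentication.
func Unmask(masked Frame, sealed []Sealed, key []byte) (Frame, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Frame{}, err
	}
	out := Frame{masked.W, masked.H, append([]byte(nil), masked.Pix...)}
	for _, s := range sealed {
		pt, err := aead.Open(nil, s.Nonce, s.CT, boxAAD(s.Box))
		if err != nil {
			return Frame{}, fmt.Errorf("unmask refused for %+v: wrong key or tampered data", s.Box)
		}
		if _, err := out.swapRegion(s.Box, pt); err != nil {
			return Frame{}, err
		}
	}
	return out, nil
}
```

The masked frame produced by DynamicMask is pixel-for-pixel identical to the permanently masked one, so operators, recordings and exports carry nothing recoverable; the difference lives entirely in the Sealed blobs and in who holds the key. In a real VMS the key would sit in a KMS or HSM rather than in memory, each successful Unmask call would be written to an audit log naming the requester and the case, and the blobs would be retained only as long as the recording itself.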
How GDPR-compliance Might Impact Workflows
Finally, North American companies are also going to have to think about how to handle the increased pressure on their workflows as they move toward compliance. Under the GDPR, individuals in the EU (the regulation's "data subjects") have the right to obtain confirmation as to whether or not their data is being processed, where it is being processed, and for what purpose. In addition, they have the right to request and receive a copy of their individual PII, free of charge for the first copy, and the organization generally has one month to respond.
This means that companies need to have systems in place to recognize requests, assess their validity, and provide the information. How is a company going to find an individual's PII within the vast amount of data it is collecting, and how is it going to protect the privacy of other individuals when fulfilling these requests?
The answer is to work with a solution that facilitates workflow by providing assets back to the requester in a secure fashion. When it comes to sharing video assets, for example, a solution must be able to redact any other individuals in order to protect their privacy.
In Benefits vs. Cost There is No Contest
Ultimately, regardless of your location, if your company or organization is conducting any form of business in the EU, you are going to have to determine what you will need to do to comply with the GDPR. You are going to need to look at how you keep the data you are collecting private and how you can continue to share that data securely. As a result, you're also going to have to think about the way you store, access, and transmit that data.
While it can seem like a daunting task initially, complying with the GDPR will help keep our global networks more secure as it increases personal privacy. And, if you are wondering what will happen if you do not comply, the answer is that it will cost you. The penalties for non-compliance are steep, with fines of up to €20 million or four percent of global annual turnover, whichever is higher. It is no wonder that Facebook has been working to get on board.
Christian Morin is the vice president of cloud services at Genetec Inc.