Is Your Physical Security GDPR Compliant?
Even though the UK has now officially left the EU, GDPR still applies. The rules were updated slightly when they were incorporated into UK law. Overall, however, for most businesses, everything stays the same. That includes the need to make sure that your physical security is GDPR-compliant.
One key change to note
As the UK is now outside the EU, UK companies need to appoint a GDPR representative within the EU or EEA if they collect data from EU residents. This requirement can be a ticklish one for UK-based companies to navigate.
For example, if you have an EU national working for you on a permanent basis, then they will almost certainly be considered a UK resident. Therefore they will be outside the scope of the EU GDPR and its representative requirement.
If, however, an EU resident visits your business premises and you collect their data, then you would almost certainly need a designated representative within the EU/EEA. The reason for this is that access controls, essentially by definition, monitor the behaviour of individuals. This means that they need to collect the individual’s personal data.
This requirement has been in place since the end of the transition period. This means that all companies impacted by it should have their arrangements in place already. If you haven’t, and you need to, then you should do so as a matter of urgency, as fines for non-compliance are high. If you’re not impacted now, keep this requirement in mind in case your situation changes.
Remember that GDPR covers a wide range of data
Even though GDPR has now, essentially, been in place for over two years, many businesses may still fail to appreciate just how broad its scope is. This is likely to be particularly true of smaller businesses. These are unlikely to have the resources to analyse laws in detail.
The key point to understand is that GDPR’s remit is much broader than just standard personal details such as name, DOB and contact information. For example, it includes a person’s image and can include location information. This has obvious implications for implementing physical security, especially CCTV.
Consent may not be sufficient
Under GDPR there are six lawful grounds which justify collecting personal data. These are as follows:
- affirmative consent on the part of the data subject.
- the vital interest of the individual.
- the public interest.
- the legitimate interest of the data controller.
- contractual necessity.
- compliance with legal obligations.
At first glance, it may seem like affirmative consent is the best option to use whenever possible. In principle, this may be the case. In practice, however, it can often be surprisingly difficult to demonstrate that a data subject did genuinely give affirmative consent.
Firstly, you need to show that the consent was given freely. Secondly, you need to show that the data subject was fully aware of all the implications of that consent. If you fail either of these tests then you fail to show affirmative consent.
In an employment setting, the law recognises that there is often an imbalance of power between the employer and the employee. This in itself can make it very difficult to show that consent was freely given.
What’s more, the onus is on the employer to provide their employee with the necessary information to decide whether they wish to give consent. If there is an issue with the information provided, then the consent will not be considered to be informed and hence not affirmative.
When dealing with the public, the question of whether consent is affirmative is likely to depend very much on the context. For example, if a business sets up CCTV covering its own premises, then appropriate signage may be sufficient to demonstrate affirmative consent. This is because the only reason to go into view of the CCTV is to visit the business.
By contrast, if a business sets up CCTV covering a public street, then appropriate signage may not be sufficient to demonstrate affirmative consent. This is because the business cannot claim ownership of a public street in the same way that they can claim ownership of a private business location. Therefore, they cannot insist that people agree to follow their rules if they want to use it.
Interest must be demonstrated
Three of the six grounds for data collection relate to some form of legitimate interest. This can be on the part of the individual, the public or the data controller. In the context of access control, the likeliest option is a legitimate interest on the part of the data controller.
Keep in mind that there are effectively two parts to this condition. The first part is to show that the overriding interest is legitimate. The second part is to show that the data collection and processing is proportionate to that legitimate interest.
For example, regardless of whether you installed CCTV on private land or public land, you would be expected to implement the minimum practical level of coverage. You would also be expected to delete the footage as quickly as possible. For practical purposes, this is currently considered to be after about 6 months.
Contractual necessity and legal obligations must also be demonstrated. With regards to contracts, remember that they need to be fair to be enforceable. In other words, if you enter into a contract which is a bit too heavy-handed, you may find yourself responsible for the consequences.
The rights of data subjects
GDPR gives data subjects 8 key rights with regards to their data. These are as follows:
- the right to be informed.
- the right to be notified if their personal data is compromised.
- the right to rectification.
- the right to restrict processing.
- the right to object to your use or processing of their data.
- the right to be forgotten.
- the right to data portability.
- the right to access.
These apply to both employees and members of the public. As GDPR has already been in place for over two years, you should already have resolved any issues relating to these. If not, then you need to address these urgently, particularly if you are using CCTV.
If you are planning on updating your access controls, then you should definitely check for GDPR implications. Again, this applies particularly to CCTV but is relevant for any system which monitors user behaviour.