GDPR is the General Data Protection Regulation adopted by the European Union (EU) in 2016. It became enforceable on May 25, 2018. Does it affect me? The short answer is “probably yes.” This law applies to you if you operate an enterprise-class system that collects and shares data about people in the EU, no matter where in the world the system is hosted.
What is GDPR?
In a nutshell, GDPR is the European Union law devoted to personal data protection and privacy. It covers all individuals within the EU and the European Economic Area (EEA). The EEA includes the EU member states plus three of the members of the European Free Trade Association (EFTA): Iceland, Liechtenstein and Norway. This law governs the collection, storage and processing of personal data inside the EU and EEA. It also restricts the transfer of personal data to countries outside the EU and EEA.
The GDPR applies to organizations established in the EU or EEA, and to organizations outside it that offer goods or services to, or monitor the behavior of, people located there. This will almost certainly include your enterprise-wide HR and access control systems if you have facilities in the EU or EEA, because both process employee data.
GDPR and Security Systems
Specifically, the regulation requires “data protection by design and by default”: systems and applications must be built and shipped with data protection and privacy settings at the most protective level out of the box. This would include applications such as an access control system. In practice this means that personal data should be stored in a form that is not readily attributable to an individual, using the safeguards the regulation itself names: encryption and pseudonymization (replacing identifying values with keyed tokens whose lookup key is held separately). These methods protect the data and prevent it from being disclosed beyond what the stated purpose and lawful basis allow. Again, this is the default, not an optional hardening step.
Enterprise organizations with an HR or access control system may not collect, store, process, or transmit personal data without meeting the requirements of this regulation. One lawful basis is opt-in consent from the individual. Consent must be freely given, specific and informed, it should be recorded so the organization can demonstrate it, and the individual may withdraw it at any time. (The individual has control, not the organization.) Note that for employee data the regulation treats consent with suspicion because of the imbalance between employer and employee, so HR and access control processing is more often justified on another basis, such as a legal obligation or the organization’s legitimate interest; your counsel should confirm which applies.
Any organization that collects and processes personal data must:
- Disclose what data the organization collects
- Declare the lawful basis and purpose for data collection and processing
- State how long the organization retains data
- State if the organization shares data with any third parties or outside of the EU and EEA.
Any individual affected by or included in the data collection has the lawful right to request a copy of the data collected, in a structured, commonly used and machine-readable format. The individual also has the lawful right to have their data erased under certain circumstances, and the system design must make that erasure practical.
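The following is an added illustration, not code from Protus3 or from any access control vendor, of how the “not attributable by default” storage described above and the access and erasure rights in the preceding paragraph can be met in one design. It is a hypothetical in-memory access-control event log: each employee gets a random per-subject key held in a separate store, the log records only an HMAC-SHA256 pseudonym of the employee ID, a subject access request recomputes the pseudonym to gather the person’s events as JSON-ready data, and erasure deletes the per-subject key so the remaining rows can no longer be linked to the person. The employee IDs, door names and timestamps are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class AccessEvent:
    """One door event as stored: carries a pseudonym, never a raw employee ID."""
    pseudonym: str
    door: str
    timestamp: str
    granted: bool


class PseudonymousAccessLog:
    """Hypothetical access-control event store that is non-attributable by default.

    The event log and the per-subject key store are deliberately separate
    structures; in a real deployment they would live in different systems with
    different access rights, so the log alone identifies nobody.
    """

    def __init__(self) -> None:
        self._subject_keys: dict[str, bytes] = {}  # employee_id -> key (held apart from the log)
        self._events: list[AccessEvent] = []       # the log proper, pseudonyms only

    def _pseudonym(self, employee_id: str) -> str | None:
        """HMAC of the ID under the subject's own key; None once that key is gone."""
        key = self._subject_keys.get(employee_id)
        if key is None:
            return None
        return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()

    def enrol(self, employee_id: str) -> None:
        """Issue a fresh random per-subject key (idempotent)."""
        self._subject_keys.setdefault(employee_id, secrets.token_bytes(32))

    def record(self, employee_id: str, door: str, timestamp: str, granted: bool) -> None:
        """Log an event; refuse rather than fall back to storing the raw ID."""
        p = self._pseudonym(employee_id)
        if p is None:
            raise KeyError("unknown or erased subject; will not log an identifiable ID")
        self._events.append(AccessEvent(p, door, timestamp, granted))

    def export_subject(self, employee_id: str) -> dict:
        """Subject access request: this person's events in a JSON-serializable form."""
        p = self._pseudonym(employee_id)
        rows = [vars(e) for e in self._events if e.pseudonym == p] if p else []
        return {"employee_id": employee_id, "events": rows}

    def export_subject_json(self, employee_id: str) -> str:
        return json.dumps(self.export_subject(employee_id), indent=2)

    def erase_subject(self, employee_id: str) -> int:
        """Right to erasure: drop the per-subject key so the rows become unlinkable.

        Returns how many rows were unlinked. Rows are kept here only to show the
        unlinkability; a retention policy would purge them on schedule anyway.
        """
        p = self._pseudonym(employee_id)
        if p is None:
            return 0
        del self._subject_keys[employee_id]
        return sum(1 for e in self._events if e.pseudonym == p)

    def linkable(self, employee_id: str) -> bool:
        """True while the subject's events can still be tied to the ID."""
        return self._pseudonym(employee_id) is not None

    def event_count(self) -> int:
        return len(self._events)

    def raw_id_appears(self, employee_id: str) -> bool:
        """Check that the log itself never contains the identifier in clear."""
        return any(employee_id in vars(e).values() for e in self._events)


if __name__ == "__main__":
    log = PseudonymousAccessLog()
    log.enrol("E1001")                                            # constructed sample
    log.record("E1001", "lobby", "2018-05-25T08:01:00Z", True)
    log.record("E1001", "server-room", "2018-05-25T08:05:00Z", False)
    print(log.export_subject_json("E1001"))
    print("unlinked rows:", log.erase_subject("E1001"))
    print("still linkable:", log.linkable("E1001"))
```

Two caveats a practitioner should keep in mind. First, deleting the key removes the link through the identifier, but door names and timestamps can still single a person out when combined with other records (a shift roster, CCTV), so pseudonymization is a safeguard, not a substitute for the retention limits and purpose statements in the list above. Second, the per-subject key store is now the sensitive component: it needs tighter access control and its own audit trail, and if it is lost the subject access right cannot be honored.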
Data Protection Officer
Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as biometrics), are required to appoint a Data Protection Officer (DPO), as are public authorities. This individual is responsible for managing compliance with the GDPR. Whether an organization’s own HR or access control system triggers this requirement is a judgment call: an access control system that logs every employee’s movements across a large workforce, or that uses biometric credentials, is the kind of processing the regulation has in mind, so do not assume you are exempt without advice.
The above information is not legal advice. Please contact your legal counsel and Compliance Office for specific guidance and interpretation of GDPR for your organization.
Plan. Protect. Prosper.
Protus3 specializes in security system design, security consulting, corporate investigations and other investigative services. Partner with Protus3 and we will examine each situation to identify threats and develop solutions for your best outcome.