Date icon03 May 2018

How will GDPR affect access control?  

GDPR (General Data Protection Regulation) – the next major shakeup to European Union (EU) data privacy laws – is set to come into full force on May 25, forcing businesses of all kinds to reassess their attitudes towards and processes around personal data.

Full details of the changes are available direct from the official GDPR Portal (, but the most discussed points are undoubtedly the new definitions of what constitutes personal data and updated guidelines on the need for consent from data subjects.

The use of access control systems on business premises will be affected in a number of ways from the end of May, so it’s important to brush up now and make any necessary adjustments.

A new way to define ‘personal data’

  ‘Personal data’ is a broad term that gets bandied around a lot, and with GDPR, the EU is arguably making it even more difficult to define it effectively. It’s acting with good reason, however.

The definition is being extended to include digital identifiers such as IP addresses, as well as other nameless data that can be linked back to individuals – including the staff and visitors who pass through your access control system each day. This means things like entry times, departure times and vehicle number plates could be classed as personal data – as well as more obvious information such as fingerprints and retina scan imagery. And with GDPR giving everyone more rights to view, control and even seek to delete the personal data kept on them, you may need to start being more transparent – but it does depend on the situation.

You may need consent

There are a few scenarios in which you won’t need fresh consent from employees and visitors to keep access control data on them. The most obvious, with employees at least, is when there’s a contract in place and it already covers the use of certain data. This could even be barrier entry and departure times if they’re used for payroll purposes or fire safety. Other lawful grounds for data processing under GDPR, as written in the official guidelines, include:

Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Think carefully about the data currently being captured by your security systems, and whether it fits in with any of the exceptions above. If not, you will need explicit consent from anyone affected by them. This may be easier to obtain from employees than visitors, but either way, be sure to be transparent about your reasoning.

Working with the right suppliers

Your own GDPR compliance should certainly be the priority in the coming months, but it’s important too that the businesses you work with are up to speed with the latest rules and regulations – this includes access control partners, so be sure to speak frankly with any suppliers. We’ll certainly answer any questions you may have on the subject.