03 May 2018
How will GDPR affect access control?
GDPR (General Data Protection Regulation) – the next major shakeup to European Union (EU) data privacy laws – is set to come into full force on May 25, forcing businesses of all kinds to reassess their attitudes towards and processes around personal data.
Full details of the changes are available directly from the official GDPR Portal (https://www.eugdpr.org/), but the most discussed points are undoubtedly the new definition of what constitutes personal data and the updated guidelines on the need for consent from data subjects.
The use of access control systems on business premises will be affected in a number of ways from the end of May, so it’s important to brush up now and make any necessary adjustments.
A new way to define ‘personal data’
‘Personal data’ is a broad term that gets bandied around a lot, and with GDPR, the EU is arguably making it even more difficult to define it effectively. It’s acting with good reason, however.
The definition is being extended to include digital identifiers such as IP addresses, as well as other nameless data that can be linked back to individuals – including the staff and visitors who pass through your access control system each day.
This means things like entry times, departure times and vehicle number plates could be classed as personal data – as well as more obvious information such as fingerprints and retina scan imagery. And with GDPR giving everyone more rights to view, control and even seek to delete the personal data kept on them, you may need to start being more transparent – but it does depend on the situation.
You may need consent
There are a few scenarios in which you won’t need fresh consent from employees and visitors to keep access control data on them. The most obvious, with employees at least, is when there’s a contract in place and it already covers the use of certain data. This could even be barrier entry and departure times if they’re used for payroll purposes or fire safety.
Other lawful grounds for data processing under GDPR, as written in the official guidelines, include:
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Think carefully about the data currently being captured by your security systems, and whether it fits in with any of the exceptions above. If not, you will need explicit consent from anyone affected by them. This may be easier to obtain from employees than visitors, but either way, be sure to be transparent about your reasoning.
Working with the right suppliers
Your own GDPR compliance should certainly be the priority in the coming months, but it’s important too that the businesses you work with are up to speed with the latest rules and regulations – this includes access control partners, so be sure to speak frankly with any suppliers. We’ll certainly answer any questions you may have on the subject.