A Privacy Balancing Act

A Privacy Balancing Act

The privacy of the individual is the ultimate importance

Privacy. It’s gone beyond buzzword into a class of its own: basically, privacy of the individual is of the ultimate importance, and all else must fall away in our efforts to preserve it.

To that end, the European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25. While this regulation is being mandated by the EU, it applies to organizations located in European Union states, organization located outside of the EU processing personal data of EU citizens, and multinational companies that supply goods or services to, and/or monitor the behavior of people in the EU.

GDPR addresses how data (including names, photos, email address, bank details, social media posts, medical information or a computer IP address) is collected, consented, used, processed, erased and controlled. The new legislation essentially sets higher fines for non-compliance or data breaches, and gives people (or, data subjects) more control and visibility over their personal information, what organizations do with it, and for how long. The basic concept is that the data subject, and not the collector, is the owner of his personal data.

According to the new regulations, an individual needs to willingly consent before his data would be collected; data may only be processed under “lawful” circumstances—meaning, there must be a specific purpose that is transparent and known to the data subject.

What is fascinating is that all of this is taking place with a backdrop of a global push for better security, more scrutiny and making the most of contactless biometric technologies, which is considered as sensitive private information.

So how can GDPR, security and biometrics coexist? What are the challenges and in which areas does society need to focus its energy?

Surveillance—More Important than Ever

There are far reaching implications of these new laws. CCTV cameras are commonly used in widespread surveillance systems. These systems can include hundreds, or in public spaces, tens of thousands (or more if you live in London) of CCTV cameras, which constantly record and collect people’s images. Police and other law enforcement officials often rely on these systems. Organizations and facilities also use CCTV cameras as part of their security infrastructures.

Does every person in the public sphere have to give their consent for this type of surveillance? In short, no. Surveillance is a common enough practice that simply having a sign in an area, informing people that they are being recorded, should be enough. If people see the sign, and still opt to enter that space, this demonstrates their consent. In some circumstances, an optional unmonitored passage needs to be conveniently available to ensure willing consent. Additionally, there are legal limitations to storage duration of CCTV recordings fulfilling a GDPR principle of “ensure erasure when no longer needed.”

Biometrics—Entering the Mainstream

The implications of GDPR go beyond basic CCTV cameras though. Increasingly, organizations are opting to deploy biometric systems to identify opted-in users for access control and security purposes. Biometrics are being selected both for their enhanced security, convenience and increased efficiency. Biometric data, good for identification, whether it visual identification data such as face templates or body behavior data, or other types of biometric information including fingerprints or iris scans would be included as Personally Identifiable Information (PII) under GDPR.

With visual identification in particular, which can be passively collected using standard CCTV cameras (unlike fingerprints or iris scans, which must be actively provided by a user), GDPR can pose some serious considerations.

What do you do with the data of all the people who pass by the camera, yet have not opted into the system? What about people who have opted in, but would like to opt-out now? How long can biometric data of subjects be stored when they have not specifically provided consent? And, for what purpose?

What of the Technology Provider?

It is important to note that the provider of the data collecting and processing technology is neither the processor, nor the controller of subjects’ data under GDPR.

To illustrate, computers and smartphones are used for many useful tasks: work, design, programming, entertainment, community, dating, picture albums and more. But, when used to commit an offence such as hacking into other systems, violation of media ownership rights, illegal darknet trades which are considered as crimes, would the computer or operating system software manufacturer be brought to trial for theft? Of course not. The person orchestrating the offence would be held responsible. No one thinks to outlaw computers and smartphones, when they serve such fundamentally positive purposes as well.

So, too, with personal data collection. The provider of the data collecting tools and technologies will not be held responsible when an organization collects or uses such personal data incorrectly. However, the technology provider does have responsibilities to enable and ensure that organizations are well equipped to comply with the regulation.

Responsibilities as a Technology Provider

As a provider of biometric identification technology, it is our responsibility and commitment to the organizations we work with to support the application of GDPR.

To that end, it is clear that technology providers must:

  • Provide the tools necessary for organizations to be able to not save the data of a subject’s data who is not enrolled in the system, or someone who was enrolled and opted out. Technology providers have a responsibility to create this capability.
  • Ensure that subject data would not be manipulated without authorization and would be protected from security breaches. That’s why it is vital for all data collected to be hashed and encrypted, so that if there is a data breach and information is possibly stolen, it is not usable. This protects the organization in the event of a breach from the serious penalties that can be incurred under GDPR.
  • Provide audited interfaces and tools to enable the organization to provide a data subject with a copy of the personal data saved in the system, ability to correct it or be forgotten when needed.

How GDPR Will Evolve in the Future

Ultimately, GDPR will be implemented in the EU and could be further enhanced according to norms for each member state. This is changing as well. The public is beginning to understand the efficiency that biometric identification brings with it. People like the idea of walking into their favorite shop and being welcomed by name.

Air travelers appreciate the convenience of passport control being automatically handled through biometrics without having to stand in the regular queue.

Of course, there will always be those who prefer to remain as anonymous as possible, and it is up to those involved in all perspectives related to GDPR to make sure anonymity is available.

The Changing Times

The trend is in favor of the public trading off some level of anonymity for the benefits that data-based identification can bring. Surveys show that up to 95 percent of people are interested in providing personal information when they stand to receive tangible benefits.

We should all support what GDPR is trying to accomplish. After all, privacy is still extremely important to people around the world. Yet, we have to periodically reexamine the degree to which there is a demand for what GDPR protects (namely, personal privacy), and make adjustments to the laws accordingly.

In that way, we can continue to move forward, allowing technology to increase safety, convenience and efficiency in our lives without compromising the privacy we all consider to be of sacred status.

This article originally appeared in the April 2018 issue of Security Today.

Featured

  • Video Surveillance Trends to Watch

    With more organizations adding newer capabilities to their surveillance systems, it’s always important to remember the “basics” of system configuration and deployment, as well as the topline benefits of continually emerging technologies like AI and the cloud. Read Now

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.