What Data Protection Laws and Regulations Mean for Security Professionals

Tony Pelli – National Practice Director, Security

BSI Professional Services


Our Portfolio

Our people and innovative solutions provide unparalleled visibility and knowledge that empowers you to effectively address business risks, and build resilient risk and compliance management programs.

We specialize in several practice areas that leverage our rich history in standards development, expertise, and passion to protect your supply chain, people, and the environment.

• Industrial Hygiene

• Construction Safety

• Environmental Compliance

• Ergonomics

• Cybersecurity

• Safety

• Information Solutions

• Remediation Project Management

• Sustainability

• Supply Chain Risk


Copyright © 2018 BSI. All rights reserved

Service Areas

Supply Chain Resilience: Assessment, Design, Management, and Monitoring

• Inventory Management

• Business Continuity in the Supply Chain

• Good Manufacturing and Distribution Practices

• Anti-Bribery and Corruption Due Diligence

• EHS and Waste Disposal in the Supply Chain

• Privacy and Compliance

• Management Systems Approach

Management Systems Approach to Data Protection

• Mandate and Commitment: management buy-in to improve data protection

• Management Policy: design the framework for managing risk

• Planning and Assessment: risk assessment, regulatory requirements, objectives and targets, management program

• Implementation and Operation: responsibility and competence (training), communication of objectives, documentation of the program, operational control

• Checking and Corrective Action: measurement and monitoring against targets, evaluation of the program, non-conformance and corrective actions, program records, audit and assess performance

Supporting services mapped to these stages: gap assessment, risk assessment, SOP development, training, audit, planning assistance

Why Does This Matter?

• Emerging security technologies have important privacy implications

• Tighter regulations globally are adding additional requirements to existing security technologies

Thinking About One Site

• Large factory

• 67 cameras running 24 hours per day

• 11,256 hours of footage each week

• 700 employees in the facility and 100 visitors per week

• Information collected on 5,900 people per year (at least)

• That’s a lot of information to process and protect!


What is “Personal Data”?

GDPR 4(1):

[A]ny information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Where could this be an issue for security professionals?

The Global Landscape – GDPR

What GDPR is not:

• A ban on storing personal data

• A strict time limit on storing personal data

• A ban on the use of CCTV

However, penalties can be severe:

• British Airways: $228 million

• Marriott: $124 million

• €10 million or 2% of annual turnover, whichever is greater


The Global Landscape – GDPR

What GDPR does require from companies collecting data:

• Consent (in most cases) to collect personal data

• Disclose how the data will be used

• Only use data for the stated purpose

• Ensure that the data is accurate and up to date

• Erase the data when it is no longer needed and keep records of retention and deletion of personal data

• Secure the data

• Allow the ‘data subject’ to access their data

Where Does This Apply For Security?

• CCTV is specifically referenced by some data protection authorities

  • Berlin Data Protection Conference

  • Italy’s 2010 CCTV rules

  • Swedish Data Protectorate CCTV guidance

  • UK Surveillance Camera Code of Practice

• Biometrics are considered “sensitive personal information” that cannot be collected in most circumstances

• Background checks (already difficult in Europe) may be further restricted

Where Does This Apply For Security?

• GPS tracking

• Information collected for investigations

• Transfer of data to non-GDPR countries

• Handling access requests

  • How do you ensure the request is legitimate?

  • Avoid ‘fishing’ for information with data access requests

Outside of the EU

• Countries where the law is fairly strong, but enforcement is weak

  • Mexico

  • South Africa

• Countries where the law is not as restrictive as Europe, but still strong

  • South Korea

  • Japan

  • Hong Kong

  • Taiwan

  • Canada (especially Quebec and British Columbia)

Outside of the EU

• Brazil is the first country to pass a post-GDPR data protection law

  • Comes into effect in 2020

  • Models the GDPR in terms of privacy protections and fines

  • Up to 2% of revenue in Brazil or $13.5 million, a requirement to delete the data, and a daily fine for continued non-compliance

  • Remains to be seen how authorities will enforce the law

Data Protection in the United States

• Most US states only have laws that protect names connected to another piece of information, such as:

  1. A driver’s license number

  2. Social security number

  3. Debit, credit card, or bank account numbers

• Washington, Texas, and Illinois have laws restricting use of biometrics

  • Other states considering restrictions include Arizona, Massachusetts, and Florida

• Very few restrictions on camera placement and use

Data Protection in the United States

• California has passed the strictest US data protection law

  • Goes into effect in 2020

• Only applies if:

  • The business has gross revenues in excess of $25 million

  • Holds for commercial purposes the data of 50,000 or more people

  • Derives 50% or more of its revenue from selling personal information

• Includes GDPR-style disclosure, access, and deletion requirements

• Appears to be less direct application for physical security professionals

Comparing the US, EU, and the Rest of the World

• EU: highly prescriptive, more restrictive laws

• US: primary remedies are through lawsuits, less restrictive laws

• Rest of world: more GDPR-style laws likely

  • Brazil

  • India

  • Thailand



Building the Management Policy

• What is your company’s data protection policy?

• Does security have a data protection policy?

• Does your company have a data protection officer?

Considerations for Data Protection Policy

• Adapted for your circumstances – taking into account what you use

• Things to consider:

  • Retention periods for CCTV

  • Retention periods and scope of background checks

  • Use of biometric data

  • Logs for processing and deletion of data


Evaluating Regulatory Requirements

• Conduct a data protection audit – what’s out there?

  • Germany: CCTV, visitor logs – GDPR

  • New Jersey: CCTV, biometrics – no relevant laws

  • Korea: CCTV, GPS tracking – Data Protection Law


Germany: GDPR

• CCTV retention limits

• CCTV signage

• Visitor log retention limits

• Handling access requests

• Data collection purpose statement


New Jersey

• CCTV signage

• CCTV usage policy

• Restrict access to CCTV and biometrics to avoid abuse

• Optional


South Korea

• Disclosure of personal data collection (CCTV signage)

• CCTV retention limits

• Possible limits around GPS retention and usage



Risk Assessment

• Where is my company likely to face the greatest consequences?

• Likelihood [enforcement & presence] x Impact [possible fines]

Risk Assessment

• Germany: strict enforcement, large fines – severe risk

• New Jersey: no enforcement, no fines – low risk

• Korea: strict enforcement, some fines – high risk

Gap Assessment

• Are there policies in place?

  • Does it include the relevant requirements?

  • Is it reviewed?

  • How does management ensure they are being followed?

• Is each site following the policies?

• How is the information being protected?

Protecting Personal Data

• Physical Protections

• Administrative Protections

• Technical Protections



How To Measure Success?

• As with physical security, you’re doing a good job if nothing happens

• Initial metrics related to completing reviews of all sites or locations

• Subsequent metrics related to percent compliance and number of corrective actions required



Documenting Data Protection

• Beyond the policy, what else should you document?

• Deletion of personal data

• Records of personal data held

• Any consent forms

• Any data access requests


Pushing Data Protection to Your Sites

• Management Systems Gaps

• Root Cause Analysis

• Develop Improvement Plan



Measure and Monitor



BSI Services

• Evaluating the regulatory landscape and compliance databases

• Gap and risk assessments

• Policy and procedure development

• Measuring and monitoring performance


Questions?


Contact Information

Tony Pelli, National Practice Director

[email protected]

+1 571-528-8704