Your access control system collects, records and processes large amounts of personal data. Some of this may be critical and sensitive. For example, the cardholder’s (data subject’s) name, employee number, PIN code, photo ID and CCTV footage.
Access control systems also record cardholders’ movements. From this data, you can monitor a person’s behaviour. Cardholders are often unaware of the personal data captured by access control systems, how long it’s stored, whether it’s stored securely and where and to whom it’s been distributed.
Protecting the cardholders (data subject’s) personal data
Access control systems are normally considered as securing a building. The protection of cardholders’ personal data is often overlooked – and can easily be violated. For example, a system administrator is often able to view the access control transactions of all cardholders. This right can be abused by browsing the information for non-security-related purposes. Under GDPR, this would be classed as a “data breach”.
In the new GDPR world, it’s important to consider the security of the cardholder – as well as the building. A well designed system can achieve both.
How to ensure your access control is GDPR compliant
There needs to be an increased focus on data protection and data security to meet GDPR. This should be considered from the design phase – particularly with respect to accessing, rectifying and erasing data.
The following aspects should be considered when deploying an access control system:
- Purpose for identifying cardholders
- Type of data – and who has access to it
- Method of data entry (manual or automatic)
- Storage location and retention period
- Sharing data with third parties
ClearView can support you ensuring that your access control system is GDPR compliant. Visit us at IFSEC 2018 (Stand B556) at the Excel Centre, 19-21 June to discuss how we can help – and see our GDPR compliant access control, ANPR and visitor management systems in action.