What Data Protection Laws and Regulations Mean for Security Professionals
Tony Pelli – National Practice Director, Security
BSI Professional Services
Our Portfolio
Our people and innovative solutions provide unparalleled visibility and knowledge that empowers you to effectively address business risks, and build resilient risk and compliance management programs.
We specialize in several practice areas that leverage our rich history in standards development, expertise, and passion to protect your supply chain, people, and the environment.
Industrial Hygiene
Construction Safety
Environmental Compliance
Ergonomics
Cybersecurity
Safety
Information Solutions
Remediation Project Management
Sustainability
Supply Chain Risk
Copyright © 2018 BSI. All rights reserved
Service Areas
Supply Chain Resilience: Assessment, Design, Management, and Monitoring
• Inventory Management
• Business Continuity in the Supply Chain
• Good Manufacturing and Distribution Practices
• Anti-Bribery and Corruption Due Diligence
• EHS and Waste Disposal in the Supply Chain
• Privacy and Compliance
• Management Systems Approach
Management Systems Framework
Mandate and Commitment: management buy-in to improve data protection
Management Policy: design the framework for managing risk
Planning and Assessment:
• Risk Assessment
• Regulatory Requirements
• Objectives and Targets
• Management Program
Implementation and Operation:
• Responsibility and Competence (Training)
• Communication of Objectives
• Documentation of the Program
• Operational Control
Checking and Corrective Action:
• Measurement and Monitoring Against Targets
• Evaluation of the Program
• Non-Conformance and Corrective Actions
• Program Records
• Audit and Assess Performance
Supporting services at each stage: Gap Assessment, Risk Assessment, SOP Development, Training, Audit, Planning Assistance
Why Does This Matter?
• Emerging security technologies have important privacy implications
• Tighter regulations globally are adding additional requirements to existing security technologies
Thinking About One Site
• Large factory
• 67 cameras running 24 hours per day
• 11,256 hours of footage each week
• 700 employees in the facility and 100 visitors per week
• Information collected on 5,900 people per year (at least)
• That’s a lot of information to process and protect!
What is “Personal Data”?
GDPR 4(1):
[A]ny information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Where could this be an issue for security professionals?
The Global Landscape – GDPR
What GDPR is not:
• A ban on storing personal data
• A strict time limit on storing personal data
• A ban on the use of CCTV
However, penalties can be severe:
• British Airways: $228 million (UK ICO notice of intent, July 2019)
• Marriott: $124 million (UK ICO notice of intent, July 2019)
• Maximum fines: up to €10 million or 2% of annual worldwide turnover, whichever is greater, for the lower tier of infringements, and up to €20 million or 4% for the most serious (for example, breaches of the basic processing principles or of data subjects’ rights)
The Global Landscape – GDPR
What GDPR does require from companies collecting data:
• A lawful basis for processing: consent is one basis, but for CCTV and other security processing legitimate interests or a legal obligation is the usual basis, since consent can be withdrawn at any time and is rarely workable for surveillance
• Disclose how the data will be used
• Only use data for the stated purpose
• Ensure that the data is accurate and up-to-date
• Erase the data when it is no longer needed and keep records of retention and deletion of personal data
• Secure the data
• Allow the ‘data subject’ to access their data
Where Does This Apply For Security?
• CCTV is specifically referenced by some data protection authorities
• Berlin Data Protection Conference
• Italy’s 2010 CCTV rules
• Swedish Data Protection Authority CCTV guidance
• UK Surveillance Camera Code of Practice
• Biometric data used to uniquely identify a person is “special category” data under GDPR Article 9: processing is prohibited unless a specific exception applies (for example, explicit consent), so in most circumstances it cannot be collected
• Background checks (already difficult in Europe) may be further restricted
Where Does This Apply For Security?
• GPS tracking
• Information collected for investigations
• Transfer of data to non-GDPR countries
• Handling access requests
• How do you verify that the request is legitimate and that the requester is the data subject (or someone authorized to act for them)?
• Avoid ‘fishing’ for information with data access requests
Outside of the EU
• Countries where the law is fairly strong, but enforcement is weak
• Mexico
• South Africa
• Countries where the law is not as restrictive as Europe, but still strong
• South Korea
• Japan
• Hong Kong
• Taiwan
• Canada (especially Quebec and British Columbia)
Outside of the EU
• Brazil is the first country to pass a post-GDPR data protection law (the LGPD)
• Comes into effect in 2020
• Models the GDPR in terms of privacy protections and fines
• Up to 2% of the company’s revenue in Brazil, capped at R$50 million (about $13.5 million) per infraction, a requirement to delete the data, and a daily fine for continued non-compliance
• Remains to be seen how authorities will enforce the law
Data Protection in the United States
• Most US states have only breach notification laws, which protect a name combined with another identifying element, such as:
1. A driver’s license number
2. Social security number
3. Debit, credit card, or bank account numbers
• Illinois (BIPA, 2008), Texas (2009), and Washington (2017) have laws restricting the collection and use of biometrics; the Illinois law also gives individuals a private right of action
• Other states considering restrictions include Arizona, Massachusetts, and Florida
• Very few restrictions on camera placement and use
Data Protection in the United States
• California has passed the strictest US data protection law (the CCPA)
• Goes into effect in 2020
• Only applies to a business that meets any one of the following:
• Gross revenues in excess of $25 million
• Buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
• Derives 50% or more of its revenue from selling personal information
• Includes GDPR-style disclosure, access, and deletion requirements
• Appears to have less direct application for physical security professionals
Comparing the US, EU, and the Rest of the World
• EU: highly prescriptive, more restrictive laws
• US: primary remedies are through lawsuits, less restrictive laws
• Rest of world: more GDPR-style laws likely
• Brazil
• India
• Thailand
Building the Management Policy
• What is your company’s data protection policy?
• Does security have a data protection policy?
• Does your company have a data protection officer?
Considerations for Data Protection Policy
• Adapted for your circumstances – taking into account what you use
• Things to consider:
• Retention periods for CCTV
• Retention periods and scope of background checks
• Use of biometric data
• Logs for processing and deletion of data
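Retention periods and deletion logs are easy to write into a policy and hard to keep honest across dozens of sites. The script below is an added example (not code from the original presentation or from BSI) of how a central security team could enforce per-site retention periods and produce the deletion records the policy calls for. The values in RETENTION_DAYS, the site keys, and the sample records are assumptions constructed for the example, not the retention periods any law actually requires; the legal-hold flag models data kept for an open investigation, and any record without a matching rule is kept and flagged for review rather than deleted.

```python
"""Retention enforcement with an auditable deletion log.

Added example for this page; not code from the original presentation or
from BSI. The retention periods in RETENTION_DAYS are placeholder values
chosen so the example runs, not statements of what any law requires:
populate them from your own per-site regulatory review.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hypothetical retention policy: jurisdiction key -> data category -> days.
# Assumed values for illustration only.
RETENTION_DAYS: Dict[str, Dict[str, int]] = {
    "DE": {"cctv": 3, "visitor_log": 30},
    "KR": {"cctv": 30, "gps": 14},
    "US-NJ": {"cctv": 90, "biometric": 365},
}


@dataclass
class Record:
    record_id: str
    site: str                  # jurisdiction key, e.g. "DE"
    category: str              # cctv, visitor_log, gps, biometric
    collected_at: datetime
    legal_hold: bool = False   # data retained for an open investigation


@dataclass
class DeletionEvent:
    record_id: str
    site: str
    category: str
    collected_at: datetime
    deleted_at: datetime
    policy_days: int


def purge(records: List[Record], now: datetime
          ) -> Tuple[List[Record], List[DeletionEvent], List[Tuple[Record, str]]]:
    """Split records into kept, deleted (with a log event each) and needs-review.

    Fails closed: a record with no retention rule is never deleted, and a
    record past its retention period but under legal hold is kept and
    flagged rather than silently retained.
    """
    kept: List[Record] = []
    deleted: List[DeletionEvent] = []
    review: List[Tuple[Record, str]] = []
    for rec in records:
        days = RETENTION_DAYS.get(rec.site, {}).get(rec.category)
        if days is None:
            kept.append(rec)
            review.append((rec, "no retention rule for this site/category"))
            continue
        if now - rec.collected_at <= timedelta(days=days):
            kept.append(rec)
            continue
        if rec.legal_hold:
            kept.append(rec)
            review.append((rec, "past retention but on legal hold"))
            continue
        deleted.append(DeletionEvent(rec.record_id, rec.site, rec.category,
                                     rec.collected_at, now, days))
    return kept, deleted, review


def to_jsonl(events: List[DeletionEvent]) -> List[str]:
    """Render deletion events as JSON lines for the program's records."""
    return [json.dumps({
        "record_id": e.record_id,
        "site": e.site,
        "category": e.category,
        "collected_at": e.collected_at.isoformat(),
        "deleted_at": e.deleted_at.isoformat(),
        "policy_days": e.policy_days,
    }) for e in events]


# Constructed sample inventory; timestamps are relative to a fixed "now".
NOW = datetime(2019, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    Record("r1", "DE", "cctv", NOW - timedelta(days=1)),
    Record("r2", "DE", "cctv", NOW - timedelta(days=5)),
    Record("r3", "DE", "visitor_log", NOW - timedelta(days=40)),
    Record("r4", "KR", "gps", NOW - timedelta(days=20), legal_hold=True),
    Record("r5", "US-NJ", "cctv", NOW - timedelta(days=100)),
    Record("r6", "KR", "visitor_log", NOW - timedelta(days=1)),
]


def run_example():
    return purge(SAMPLE, NOW)


if __name__ == "__main__":
    kept, deleted, review = run_example()
    print("kept:", [r.record_id for r in kept])
    for line in to_jsonl(deleted):
        print("deleted:", line)
    for rec, why in review:
        print("review:", rec.record_id, "-", why)
```

Run as-is to see the three outcomes on the sample set. In production the deletion log would be appended to write-once storage and kept as a program record, and the review list would go to whoever owns the data protection policy, so that a legal hold is a deliberate, documented decision rather than an accidental retention.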
Evaluating Regulatory Requirements
• Conduct a data protection audit – what’s out there?
Example: three sites under three regimes
• Germany (GDPR): CCTV, visitor logs
• New Jersey (no relevant laws): CCTV, biometrics
• Korea (Data Protection Law): CCTV, GPS tracking
Germany: GDPR
• CCTV retention limits
• CCTV signage
• Visitor log retention limits
• Handling access requests
• Data collection purpose statement
New Jersey
• CCTV signage
• CCTV usage policy
• Restrict access to CCTV and biometrics to avoid abuse
• All of the above are optional: no New Jersey law requires them, so treat them as good practice
South Korea
• Disclosure of personal data collection (CCTV signage)
• CCTV retention limits
• Possible limits around GPS retention and usage
Risk Assessment
• Where is my company likely to face the greatest consequences?
• Likelihood [enforcement & presence] x Impact [possible fines]
Risk Assessment
• Germany: strict enforcement, large fines: Severe Risk
• New Jersey: no enforcement, no fines: Low Risk
• Korea: strict enforcement, some fines: High Risk
Gap Assessment
• Are there policies in place?
• Do they include the relevant requirements?
• Is it reviewed?
• How does management ensure they are being followed?
• Is each site following the policies?
• How is the information being protected?
Protecting Personal Data
• Physical Protections
• Administrative Protections
• Technical Protections
How To Measure Success?
• As with physical security, you’re doing a good job if nothing happens
• Initial metrics related to completing reviews of all sites or locations
• Subsequent metrics related to percent compliance and number of corrective actions required
Documenting Data Protection
• Beyond the policy, what else should you document?
• Deletion of personal data
• Records of personal data held
• Any consent forms
• Any data access requests
Pushing Data Protection to Your Sites
• Identify management systems gaps
• Root cause analysis
• Develop an improvement plan
Measure and Monitor
BSI Services
• Evaluating the regulatory landscape and compliance databases
• Gap and risk assessments
• Policy and procedure development
• Measuring and monitoring performance
Questions?
Contact Information
Tony Pelli, National Practice Director
+1 571-528-8704