Security requirements of the GDPR
GDPR physical security requirements
Why physical measures are important to GDPR
Much has been written about the EU GDPR, which was adopted on 27 April 2016 and became enforceable on 25 May 2018. The regulation harmonises European data protection law and strengthens the data protection authorities. It requires organisations worldwide, not only those established in the EU, to rethink how they access, use and maintain personal data, and it demands that all companies carefully check, reorganise and often more comprehensively address both their privacy practices and the physical security of their IT. Organisations should address the GDPR's requirements if they handle the personal data of individuals in the EU.

The requirements for security are described in Article 32 of the EU GDPR. It requires that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate. Because the GDPR's security obligations depend to such a degree on the risk presented by the type of data and the processing activity, a crucial first step for any organisation looking to comply should be a comprehensive audit to capture and understand all the personal data it stores and processes.

Data breaches are constantly making headlines, and it is almost exclusively due to hackers and cyber criminals taking advantage of. Articles 33 and 34 require transparency in case of a personal data breach, with notification to the supervisory authority and, where the breach is likely to result in a high risk to individuals, to the affected data subjects. For example, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, which means you need 24/7 visibility into your applications and systems. Unless an incident response plan is developed in advance and everyone involved in the breach response knows their responsibilities, a rapid response will be difficult.

Securing data against hacking and malware is rightly top of mind for many organisations; however, many fail to adequately address the physical security of IT hardware. More than half fail to use a physical lock for IT equipment.[1] This puts organisations at risk of non-compliance with the GDPR.

Yet, given the unique challenges involved, surprisingly little has been written about ensuring compliance for the operation of video surveillance, access control and other physical security systems. The GDPR places significant requirements on the operators of such systems. In particular, because of facial recognition and automated licence plate recognition, operators of physical security systems can only handle personally identifiable data with.

This white paper describes scenarios of data risk that could result in administrative interventions and financial penalties under the new regulation.