Director at ClearView Communications, specialists in access, CCTV, intruder & fire - service & installation.
Your access control system collects, records and processes large amounts of personal data, some of which may be critical and sensitive: for example, the cardholder’s (data subject’s) name, employee number, PIN code, photo ID and CCTV footage.
Access control systems also record cardholders’ movements, and from this data someone’s patterns of behaviour can be inferred. Cardholders are often unaware of the personal data captured by access control systems, how long it’s stored, whether it’s stored securely, and where and to whom it’s been distributed.
Access control systems are normally thought of as securing a building. The protection of cardholders’ personal data is often overlooked – and can easily be violated. For example, a system administrator is often able to view the access control transactions of all cardholders. This right can be abused by browsing the information for non-security-related purposes. Under GDPR, this would be classed as a “data breach”.
In the new GDPR world, it’s important to consider the security of the cardholder – as well as the building. A well-designed system can achieve both.
There needs to be an increased focus on data protection and data security to meet GDPR. This should be considered from the design phase – particularly with respect to accessing, rectifying and erasing data.
The following aspects should be considered when deploying an access control system:
1. Purpose for identifying cardholders
2. Type of data – and who has access to it
3. Method of data entry (manual or automatic)
4. Storage location and retention period
5. Sharing data with third parties