Message from the CEO
Understanding GDPR
By Peter Strom, March Networks President and CEO
In recent months, there has been a lot of talk in boardrooms and in the media about the new data privacy regulation known as GDPR, and the impact it will have on business.
The new regulation comes into effect across the European Union (EU) on May 25. While it is being driven by the EU, the regulation’s impact will be felt well beyond Europe and will touch any organization that collects or processes data related to an EU resident. Corporations are now rushing to assess their vulnerabilities, as failure to comply can lead to penalties totaling 4 percent of an organization’s worldwide revenue. Before discussing the effect of GDPR, let’s define what it is.
Firstly, GDPR stands for General Data Protection Regulation. The regulation is intended to harmonize and standardize the various privacy laws that have generally been applied and interpreted by individual European countries. The main driver of the regulation is to safeguard the personal data of individuals and consumers.
The regulation applies to any organization that collects personal data on EU residents, and focuses on how that data is handled, managed and used. The regulation defines personal data as any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. When applied to video surveillance, personal data is defined as any information that can be used to identify an individual.
Any organization that uses video surveillance to secure its properties, protect its assets or leverage video to gather data will be profoundly impacted by these regulations. From a user perspective, security and IT departments must implement several new measures. These include:
- Complying with restrictions on how long video data is stored.
- Clearly marking the location of surveillance cameras.
- Masking the identity of individuals in recorded video captured by cameras in public areas.
- Keeping written records of the organization’s camera system operation and being able to provide information about the data processing method.
- Adequately securing camera system operation and stored recordings against unauthorized use.
- Reporting any breach or data leak within 72 hours to the office of Personal Protection, and being able to demonstrate that procedures have been followed.
- Appointing a data protection officer, responsible for understanding the regulation and ensuring compliance.
While the full impact of this sweeping regulation has yet to be determined, organizations around the world are now busily reviewing their data capture and handling processes and proactively identifying any potential compliance violations.
The broad application of GDPR will no doubt have a significant impact on corporations that capture data, as well as the suppliers that provide the platforms.
As an example, any U.S.-based bank or retailer conducting business in Europe will now have to ensure that the management of data from their European customers adheres to European regulations.
As the pendulum swings from developing platforms designed to capture as much personal data as possible — and correlating various data sources with the express purpose of targeting individuals for marketing, political or security purposes — the focus is now on tools that anonymize the data. From a manufacturer’s point of view, the core design of its software, including data encryption and segregation capabilities, will become key. Flexibility with respect to retention periods and customized search features will also be vital to ensuring compliance with the regulation.
The general consensus is that the regulators will not expect 100 percent compliance right out of the gate. For many companies, GDPR will require them to change how they operate and to complete expensive upgrades. The key will be the ability to demonstrate to authorities that steps are being taken to achieve full compliance.
As I write this, the world recently learned that Cambridge Analytica accessed personal information harvested from more than 50 million Facebook profiles for the purpose of targeted political campaigns.
How much of an impact this revelation will have on data privacy remains to be seen. As Europe prepares for increasingly restrictive data privacy laws, it will be interesting to see if the U.S. and other countries follow suit. I urge all of you to learn more about GDPR and the potential impact it will have on your organization.
Regardless of the direction it goes, March Networks’ customers and partners can rest assured that we are closely following developments and are deploying the resources required to make sure that our technology adapts to the changing world.