Access Control and GDPR

23/09/2019 in Security

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. In a nutshell, the regulation requires organisations to handle the personal data of individuals in the EU lawfully and securely, and to have policies and technical measures in place that protect that data at every stage of processing, from collection through storage to deletion.

GDPR applies to any data that can be used to identify an individual, directly or indirectly: for example name, address, telephone number and email address. It also covers biometric data such as fingerprints, iris scans and voice prints, which GDPR treats as special category data with stricter conditions. And it applies to access control credentials such as key fobs and cards, because the credential's serial number is linked in the system to an identifiable person's details.

Implications for access control systems

Access control is one of the main security solutions found at construction sites. To function, it needs to store data about key fobs, access cards and, more recently, biometric details. GDPR applies to every part of the security system that stores or processes such data about individuals in the EU, including the controller software, the card readers and any backups or exports.

When it comes to access control systems, the stored information is necessary for the system to work: it links the credential (fob, card or biometric template) to an authorised person and determines whether that person may enter the construction site or a specific area within it.

It is worth evaluating how this data is collected and stored to see whether or not it complies with GDPR. If any of the data held by the access control system can identify an individual, the organisation needs to know what it holds and decide how to handle and manage it securely.

In the UK, infringements or lack of compliance can result in enforcement action and monetary penalties from the Information Commissioner's Office (ICO).

GDPR Compliance Check:

To comply with GDPR, your construction security provider needs to restrict who can access your access control data. They must also be fully aware of the data they hold, why they are holding it and what lawful basis they have to use it.

The Information Commissioner's Office (ICO) recommends assessing these key areas to check for GDPR compliance:

  • Data processing and storage: Data should be kept accurate and up to date, and retained only for as long as it is needed. Unnecessarily storing personal data for long periods makes any breach more severe, because more records are exposed. In the context of access control, regularly reviewing the system and removing employees or contractors who no longer work on the site, both disabling their credential and deleting their personal details once any short hold period has passed, safeguards personal data and keeps you compliant.
  • Access and accountability: Understanding who has access to the data at every stage of its journey is an integral part of GDPR. Ensuring that only authorised individuals can see and modify the personal details of people enrolled in the access control system, and that such changes are logged, is critical to staying compliant.
  • Lawful basis and consent: Every use of personal data needs a lawful basis under GDPR. Consent is one of them, but it must be freely given, and for employees it is often not the appropriate basis because of the imbalance of power between employer and staff; organisations commonly rely on another basis, such as legitimate interests in securing the site. Biometric data is special category data and needs an additional condition, which in practice usually means explicit consent. Whatever the basis, employees must be told clearly during enrolment, when their details are entered into the access control system, what data is being collected and for what purpose.
  • Encryption: Encryption adds another layer of protection to stored data. It converts the data into ciphertext that is unreadable to anyone without the key, so only the key holders can recover it. Note that encryption does not anonymise personal data, since anyone holding the key can re-identify it, and encrypted records remain personal data under GDPR; but GDPR names encryption as an appropriate technical measure, and it greatly limits the harm if a database or backup is stolen. Keys must therefore be stored and managed separately from the data they protect.
  • Frequent evaluation: Organisations need to allocate time to regularly reassess their GDPR compliance, and ensure that each new area and process does not create weaknesses in the processing, storage and maintenance of data.
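The retention and leaver-removal points above are easier to enforce as a routine check than as a manual task. The following is an added example for this article, not code from Millennium Security or from any access control product: it sweeps a hypothetical enrolment register, flags credentials of leavers for deactivation, marks records whose hold period has expired for deletion of personal data, and disables dormant credentials pending review. The record layout, the sample people and the policy periods (30-day hold after leaving, 90-day inactivity limit) are assumptions chosen for illustration.

```python
"""Retention sweep over an access control enrolment register.

Added example; the register schema, field names and policy periods are
assumptions, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy values are assumptions; set them from your own retention schedule.
INACTIVITY_LIMIT = timedelta(days=90)     # dormant credential: disable and review
RETENTION_AFTER_END = timedelta(days=30)  # keep a leaver's record this long, then purge


@dataclass
class Enrolment:
    """One person's record in the access control system (hypothetical schema)."""
    credential_id: str           # fob/card serial or biometric template reference
    name: str
    role: str                    # "employee" or "contractor"
    end_date: Optional[date]     # contract end / leaving date; None if open-ended
    last_access: Optional[date]  # most recent successful badge-in; None if never used


def review_enrolment(e: Enrolment, today: date) -> str:
    """Decide what the retention policy requires for one record.

    Returns "active", "deactivate" (credential disabled, record kept for the
    short post-leaving hold period) or "purge" (personal data to be deleted).
    """
    if e.end_date is not None and e.end_date < today:
        # Leaver: the credential must stop working immediately. Once the hold
        # period has passed there is no purpose in keeping the personal data.
        if today - e.end_date > RETENTION_AFTER_END:
            return "purge"
        return "deactivate"
    # Still engaged on paper. A credential never used, or unused for longer
    # than the inactivity limit, is disabled pending review rather than left
    # live, in case the holder has quietly left the site.
    if e.last_access is None or today - e.last_access > INACTIVITY_LIMIT:
        return "deactivate"
    return "active"


def sweep(register: List[Enrolment], today: date) -> Dict[str, List[str]]:
    """Group credential IDs by the action the policy requires."""
    result: Dict[str, List[str]] = {"active": [], "deactivate": [], "purge": []}
    for e in register:
        result[review_enrolment(e, today)].append(e.credential_id)
    return result


def purge_record(e: Enrolment) -> dict:
    """Strip personal data from a record, keeping a non-identifying audit stub.

    Retaining only the credential serial and its revoked status lets the
    system reject the old fob if it is ever presented again, without keeping
    the person's name or other details.
    """
    return {"credential_id": e.credential_id, "status": "revoked"}


# Constructed sample register: fictional people and serials.
TODAY = date(2019, 9, 23)
SAMPLE_REGISTER = [
    Enrolment("FOB-1001", "A. Mason", "employee", None, date(2019, 9, 20)),
    Enrolment("FOB-1002", "B. Steel", "contractor", date(2019, 9, 10), date(2019, 9, 9)),
    Enrolment("FOB-1003", "C. Brick", "contractor", date(2019, 7, 1), date(2019, 6, 28)),
    Enrolment("FOB-1004", "D. Plumb", "employee", None, date(2019, 5, 1)),
    Enrolment("FOB-1005", "E. Spark", "contractor", date(2019, 12, 31), None),
]

if __name__ == "__main__":
    for action, ids in sweep(SAMPLE_REGISTER, TODAY).items():
        print(f"{action:10s} {', '.join(ids) or '-'}")
```

Run against the sample register on the date shown, the sweep leaves one credential active, flags three for deactivation (a recent leaver inside the hold period, an employee with no badge use for months, and a contractor whose fob was issued but never used) and one for purge (a contractor who left in July). The purge step keeps only the revoked serial, so the reader can still refuse that fob while the person's details are gone; a record whose end date is today is treated as still engaged until the day has passed.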

Here at Millennium Security, we ensure that we are compliant with all our industry standards and pride ourselves on high levels of client satisfaction. We have an outstanding reputation to maintain and hold several security credentials in our field.

To discuss our access control solutions for your construction site, contact us today.