GDPR - an opportunity or a risk to the Physical Security Industry?

On the 25th of May 2018, the European Union, General Data Protection Regulation (GDPR) comes into force across the EU. It replaces the less extensive Data Protection Directive 95/46/ec. In itself, the introduction of a Regulation as opposed to simply a Directive, is significant.

Regulations have binding legal power throughout every Member State and come into effect on a set date. Directives can only define certain results that must be achieved but each Member State is free to decide how to interpret Directives into national laws. A Regulation therefore, is in effect, the law. So, the ‘bar’ is being raised and the importance being attached to a breach of an individual’s data privacy is clearly demonstrated by the potential sanctions for non-adherence.

In many industries where the consequences of a data privacy breach will impact directly via regulatory controls, such as Banking or Utility companies, GDPR is very firmly on the corporate agenda. As it also seems to be within the Information Technology support sector. It could be argued that this area of the IT industry is analogous in a number of ways to the Electronic Physical Security arena however, within physical security manufacturers and software developers, there appears to be little awareness and even less activity around the subject. During a recent, unscientific survey of Access Control and Video Management vendors, there was a concerning lack of knowledge related to the potential impact that GDPR may have on product design and only sporadic indication that product development was incorporating features that would help end-clients demonstrate adherence.

Data Protection

One of the key aspects of GDPR is the introduction of the principle of ‘privacy by design and default’. These elements are important to consider as a business end-user but are equally important for product manufacturers and software developers to understand. The burden on organisations to comply with Data Protection legislation becomes significantly greater on an on-going basis in ensuring that privacy becomes mandatory.

Privacy by Design

Privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. An organisation needs to be able to show that they have adequate security in place and that compliance is monitored through structured reviews and regular assessments.

In practice, this means that an organisation must now take privacy into account during the whole life cycle of the system or process development.

Privacy by Default

Privacy by Default simply means that the strictest privacy settings are to automatically apply once a new identity is added to a security database or of course, any other business system. In other words, no manual change to the privacy settings should be required by the system user. There is also a chronological element to this principle, as personal information must, by default, only be kept for the amount of time necessary to provide the service.

How products and more specifically database use and protection, will need to be developed to enable users to comply with the GDPR requirements is an opportunity that, if harnessed, could help to differentiate one particular product from its competition. In an environment where competitive advantage can increase market share, it is surprising that system manufacturers have not embraced the changes and are not already busy publicising how their solutions will help protect end-clients from the potential consequences of a data privacy breach. Those that are, will surely elevate their status in comparison with those that are not and benefit from the provision of solutions that are better aligned with client requirements.

Penalties

The penalties for non-compliance could be significant. As the digital landscape has developed over the past 15 to 20 years, the issue of privacy and the protection of an individual’s personal data has become a vexed subject. The right to privacy is a highly-developed area of European Law.

Article 8 of the European Convention on Human Rights, enshrined in UK law in 1998, asserts that ‘everyone has the right to respect for their private and family life, their home and their correspondence’. The application and how this requirement is interpreted has led to many test cases and there have been prosecutions.

The maximum penalties for mishandling data under the new GDPR will dramatically increase to a level where C-suite interest is bound to be piqued. Fines of up to 4% of global revenue or €20m, whichever is greater, are at a level where ‘Data Protection’ should be added to corporate risk registers, if of course it’s not already there. For many organisations in the UK, this represents a huge increase in the Information Commissioners Office (ICO) current maximum penalty of £500k.

Establishing robust security standards and governance frameworks is a practical way to reduce exposure to GDPR penalties and demonstrate proactive risk management.

In addition, responsibility for protecting personal information under GDPR will extend to data processing as well as data controllers. Further changes to be introduced include:

• Data breaches must be reported as soon as possible and, where feasible, no later than 72 hours after discovery of a breach.
• Personal data now extends to location, IP address, RFID identifiers, as well as whole new swathes of medical data, including genetic information.
• The “right to be forgotten” being enshrined in law. The new regulation will apply to companies that are headquartered outside of Europe as long as they have operations within Europe.
• Greater rigour around consent to use personal data.
• New requirements to carry out Privacy Impact Assessments (PIAs) to ensure that personal data is sufficiently protected and privacy of the individual is maintained.

Data

Data Processing The Data Protection Directive 95/46/ec introduced the concept of limiting the processing of personal data based upon the following three principle categories:

• Transparency
• Legitimate purpose
• Proportionality

The notion of ‘processing’ was defined to mean “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;”

Data Protection Officers

Organisations, whose core activity consists of processing special categories of data or the systematic monitoring of individuals on a large scale, will be required to appoint a Data Protection Officer to monitor compliance with the GDPR rules. In view of the scale of data processing undertaken by most responsible employers in relation to vetting, HR, payroll, pensions and access management as a minimum, we envisage that they will be impacted by this requirement and they should be making arrangements to appoint an officer if they have not already done so.

Organisations will also have to demonstrate that an individual’s consent to the processing of their personal data is ‘freely given, specific, informed and unambiguous’, and in most cases implied consent will not be sufficient. Although in relation to the use of CCTV it is still currently unclear to what extent you will need to seek to obtain explicit consent from individuals to record them via a CCTV system, as is already the case, you are required to make the presence of CCTV cameras very clear.

The Future

Between now and May of next year, the issue of data privacy and in particular GDPR, will undoubtedly be a subject that will attract a growing level of publicity. The suggestion that The Information Commissioners Office is currently recruiting Enforcement Officers and the call from Christopher Graham, the Information Commissioner until midlast year, for additional powers of prosecution, indicate the direction of travel. A greater number of prosecutions and a much higher level of resultant fines for failures to comply with the new regulations must be expected in the years ahead.

For many organisations, this means investing in modern cyber security services that integrate privacy protections across both IT and physical infrastructure.

The introduction of GDPR is in effect a challenge to society as a whole, to take data privacy and personal information more seriously and to do more to protect the privacy rights of each individual. It’s not a subject that will go away and whilst the media are quick to publicise larger scale ‘breaches’ and levels of associated crime continue to rise, the need to embed ‘privacy and data protection’ into business systems in all areas will intensify.

Organisations, in all aspects of the supply chain that have not incorporated the new regulations at the heart of their business processes and systems will become disadvantaged by their lack of adherence and those that fully embrace and harness data privacy will thrive.

The Physical Security industry and in particular product and system manufacturers and developers, need to move quickly to ensure that they are ready for the pending changes and do not become the focus of unwanted attention as a consequence of end-clients being penalised for non-compliant systems or processes.

Whilst there is a commercial opportunity associated with the introduction of GDPR compliant products there must also be a significant risk for those who continue to ignore or are ignorant of the changes.

Firstly, lets explain what we mean by the term ‘built environment’.

It refers to our manmade surroundings; including buildings, transport systems, parks and open spaces, where society resides and goes about its daily life. It’s the new office block, as well as the out-of-town shopping centre, airport, high street or green space.

The built environment is important, as numerous studies over many years have determined that it can influence how it’s human occupants behave and this is important because that infers a potentially negative impact as well as the possible beneficial effect.

CPTED

In the 1950’s and 60’s there was a growing appreciation that good architectural design and town planning could create better places to live and work. In 1971 Criminologist C. Ray Jeffery, published his book “Crime Prevention Through Environmental Design”. In 1972, Architect Oscar Newman published his book, “Defensible Space: - Crime Prevention through Urban Design”. Newman subsequently refined his defensible space approach with further multi-disciplinary aspects and named the concept “Crime Prevention Through Environmental Design”, the term which he credited Jeffery for initiating. Crime Prevention Through Environment Design (CPTED) continued to evolve through the 1980’s with Criminologist Tim Crowe, amongst others, developing on Newman’s original concepts. By 2004, CPTED was commonly understood to refer to the Newman/Crowe model.

Although CPTED emerged from the United States, it has influenced many other Crime Prevention models throughout the world. In the UK, the Police Service introduced Secured by Design (SBD) in 1989, which was the title for a group of projects that focused on the design and security of domestic dwellings, commercial premises and car parks. It supports the principle of ‘designing out crime’ but focuses on physical security and processes to deliver crime reduction.

So, what is CPTED?

CPTED is a pro-active, crime prevention methodology that seeks to influence the decisions of a potential offender prior to perpetrating a criminal act with the intention of reducing levels of crime to the benefit of the local community and society as a whole. It focuses on tactical design and the effective use of the built environment to reduce both crime and the fear of crime. CPTED draws on a common-sense approach and helps develop a heightened sense of awareness of how the built environment might be used to enhance the community, as well as how it might be used for nefarious purposes. Having assessed a broad range of factors, better architectural and planning decisions can be made that positively influence how a space is used.

Modern CPTED incorporates five key elements:

• NATURAL ACCESS CONTROL
• NATURAL SURVEILLANCE
• TERRITORIAL REINFORCEMENT MAINTENANCE AND IMAGE IMPROVEMENT ACTIVITY SUPPORT

Natural Access Control

Natural Access Control limits the opportunity for crime by taking steps to clearly differentiate between public and private space. With the strategic locating of points of entry and egress, the use of security fencing, lighting design and landscaping, it is possible to control the flow of pedestrian and vehicular movement, naturally controlling access.

It is essential to understand the potential users of a space, as this will enable the designer to identify potential conflicts. An area where the elderly or infirm are expected to navigate past a busy office entrance that has a large open area outside that might be attractive to skateboarders is bound to experience some level of user conflict. By introducing suitable landscaping that breaks up the open space, by installing vegetation or installing structures and artefacts, users can be directed, creating segregated paths with appropriate signage and lighting to make the area less attractive to the skateboarders, whilst offering other users a clearer, more defined route to gain entry and exit.

By subtly channelling pedestrians, it is possible to make behaviour more predictable and this predictability can inform design decisions from the outset, often reducing the need for additional physical security measures to be applied. The result is a more natural aesthetic as well as a lower cost of delivery.

Natural Surveillance

Natural Surveillance raises the perceived risk of attempting criminal or anti-social behaviour by improving visibility of potential offenders by the general public. Natural surveillance occurs by ensuring that activities and people are not obstructed in such a way that visibility of the space and its users are maximised. This sense of openness adds to a potential offender’s feel of increased scrutiny. The perceived increase in risk can be extended by an apparent lack of viable and covert escape routes.

Lighting can play a significant role in achieving Natural Surveillance. Effective, well designed lighting schemes can provide choices for the people using the space during the hours of darkness and will again act to deter or at least displace potential offenders.

Natural Surveillance objectives can be boosted with the use of overt Closed Circuit Television. The choice of camera type and location of devices can play a critical role in its effectiveness but when used appropriately, Closed Circuit Television becomes a useful enhancement of Natural Surveillance.

Territorial Reinforcement

Territorial Reinforcement assists in controlling how a space is used by increasing the definition of space. An environment with a clearly delineated private space can be used to generate Stakeholders. Stakeholders have an increased sense of “investment”, even if it’s only at an emotional level and are more likely to challenge intruders or report anti-social behaviour. The sense of owned space creates an environment where “strangers” stand out and are more easily identified. By using many of the measures relevant to Natural Access Control and Surveillance to express a stakeholding and delineate public, semi-public and private space, natural territorial reinforcement occurs.

Maintenance and Image Improvement

Many studies from around the world have identified the need to maintain an environment that encourages a sense of value and pride. The ‘Broken Window Theory’ indicates that a building left with a broken window, even for only a short period of time, encourages vandals to break other windows. Before long, every window in the building has been broken and the building becomes derelict and attracts further anti-social and criminal behaviour. If left unchecked, the neighbourhood gets sucked into a spiral of decay that requires significant investment and activity to stop. By maintaining the appearance that there is a good level of ‘stakeholder’ engagement, which can be achieved by ensuring that low level maintenance tasks are addressed, anti-social behaviour and crime fails to take hold and the community benefits as a whole.

Activity Support

Activity Support is achieved by ensuring that the use of a space is defined so that should a different activity take place, via the use of Natural Surveillance, the risk of detection, particularly if that activity is anti-social or criminal, increases. By fitting signs in an area such as ‘Caution Children Playing’, local residents become more aware of what is happening in this space. Should other activities take place, it is more likely to register in the minds of the local community and if they are invested as stakeholders, they are more likely to take action to stop it.

Success

There are many examples of significant improvements in crime and anti-social behaviour attributable to the application of CPTED techniques. It will be most effective as part of a holistic security strategy where engagement starts at the earliest stage possible. For those familiar with the Royal Institute of British Architects (RIBA) work stages, this certainly means no later than Stage 1, Preparation and Brief, although will likely last through to Stage 4, Technical Design. Early and broad stakeholder engagement can help to achieve significantly better results but more importantly, improve the effectiveness of the eventual design.

Another significant benefit is that early engagement will often result in the reduction of Physical Security budgets, as physical security measures are typically designed to mitigate security risks or vulnerabilities that haven’t been addressed in the architectural design.

In many cases, this early integration happens through a structured security system design that aligns CPTED principles with modern technical solutions.

Second Generation CPTED builds greater depth to the model and refines some of the societal influences, ensuring its continued relevance in today’s world.

By using a CPTED design process, the Built Environment will continue to be enhanced and crime and anti-social behaviour will continue to reduce

For high-risk sites, regular physical penetration testing can validate whether the design performs as intended once operational.