FMJ.CO.UK FACILITIES SHOW DAILY
GDPR: IMPACT AND IMPLICATIONS FOR
SECURITY AND FIRE SAFETY COMPANIES
No one with a personal email account will have escaped the flurry of emails in recent weeks from
organisations explaining their responsibilities under the GDPR (General Data Protection Regulation),
with many of us having taken the opportunity to decline the implied future ‘junk mail’. Richard
Jenkins, Chief Executive, NSI, explains the implications.
FACILITIES SHOW DAILY, JUNE 2018
WHAT IS GDPR?
The GDPR is a regulation in EU law governing data
protection and privacy for all individuals within the
European Union (EU) and the European Economic
Area (EEA). It also governs the transfer of personal
data outside the EU and EEA. Notwithstanding
Brexit, the British government was determined to
implement this new piece of legislation, and on
25 May 2018, the day the GDPR began to apply, the
Data Protection Act (DPA) 2018 came into force,
supplementing the GDPR and tailoring it to the UK’s
national context: the GDPR and DPA 2018 go hand in hand.
For those not expert in the field the Act is a
complex and, in places, unclear piece of legislation.
Some larger organisations have taken extensive
advice in developing their response, while many
smaller businesses have been relying upon
guidance from the Information Commissioner’s
Office.
Within the security and fire safety sector every
company holds personal data of some description,
often as a result of contractual arrangements with
clients. Some aspects of personal data, such as
the capture and storage of images, are a grey area
as far as the regulation is concerned, and time will
tell through case law the true impact. However,
where companies are managing CCTV or other
image capture devices such as body worn cameras,
consideration of how such personal data is
managed is essential. There is no GDPR-specific
guidance on this point as yet: the Information
Commissioner’s Office (ICO) code of practice for
surveillance cameras, dated June 2017, predates
the GDPR and references the 1998 Data Protection
Act, which the GDPR and DPA 2018 have now superseded.
For the time being all companies must
demonstrate an understanding of what personal
data they capture, where it is stored and the
processes in place for managing it in line with
the regulatory requirements. NSI, like most
companies, has been through this process. To raise
awareness amongst all staff, NSI developed a 40
minute on-line GDPR training module, including
an assessment, and rolled it out across the
organisation to ensure a good understanding of the
regulation and the pitfalls to avoid.
NSI has since ‘market tested’ a genericised version
of this e-learning, which is now available to NSI
approved companies and associate consultants as a
tool to increase awareness and encourage best practice.
HOW CAN COMPANIES LEARN MORE?
Over the last six months NSI has seen a steady
stream of enquiries from approved companies,
asking for guidance. Some of the most frequently
asked questions include:
Q: Do I need to send a letter to all my customers
asking them for their consent to continue
processing their data?
A: If you have a contract with a customer for
the service you are providing, then performance of
that contract is your lawful basis for processing
the personal data needed to deliver it; you do not
need to ask for consent as well. If you wish to use
the data for a different purpose from that set out
in the contract, you need a separate lawful basis
for the new purpose, which may be consent or
another basis such as legitimate interests.
Q: What types of documentation do I need to
have in place?
A: You must have a Privacy Notice or Privacy
Policy in place to provide your customers and
potential customers with information they need
to know about how and why you process their
data, who it will be shared with and how long
it will be retained. You must make this publicly
available, for example on your company’s website.
Companies must also ensure they have processes in
place for data retention, data breach reporting,
subject access requests, and data protection
impact assessments. Best practice is to conduct
a data mapping exercise: document the personal data
held within your organisation, why you hold it, and
how it moves through processing. This also provides
the record of processing activities the GDPR
requires (Article 30). A data inventory audit is a
good place to start.
Q: Our company holds contact details for key
holders – do we need to obtain their consent to
contact them?
A: No. You have a lawful basis for holding their
details, namely a legitimate interest in being able
to contact them when responding to an alarm signal,
so consent is not needed. Because key holder details
are normally supplied by your customer rather than
by the key holders themselves, you should still make
sure they are told, for example through your privacy
notice, that you hold their details and why.
Q: Do I need a data protection agreement with
my suppliers, if I am the Data Controller?
A: Yes. If you are a Data Controller and you share
the data you hold with a third party Data Processor,
the GDPR requires a written contract to be in place,
so that the third party processes the data you
provide only on your documented instructions. Article
28 of the GDPR sets out the terms such a contract
must contain (including confidentiality, security
measures, use of sub-processors, assistance with
data subject requests and breaches, and deletion or
return of the data at the end of the contract).
Further guidance is on the ICO’s website: https://
ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/
With the regulation framework now in place
we all face interesting times as businesses and
consumers grow increasingly aware of the power
of data and how it should be used, and continue to
learn about the use and misuse of data in the GDPR
world.
NSI AT IFSEC
Visit NSI on stand F538 at IFSEC and find out how NSI’s
independent approval of over 1800 approved
companies in the security and fire safety sectors
helps maintain industry standards.