It looks like there are major changes ahead for the workplaces of the future. The need for security, however, is, at the very least, going to stay the same. It may very possibly grow. Now is therefore the perfect time for companies to (re)assess their physical security. In particular, now is the time for you to double-check that it is both robust and legal.
The basics of physical security
All forms of security essentially boil down to two main points. Firstly, you need effective access controls. Secondly, you need effective remediation plans to use if those access controls are breached. Both your controls and your remediation plans need to be created with GDPR in mind at all times.
There are two ways GDPR should influence physical security. Firstly, your digital security will depend, in part, on your physical security. This applies even if your entire IT infrastructure is hosted by third-party cloud vendors. If your employees access the cloud in an insecure manner, your data could be at risk. The obvious example of this is someone watching over their shoulder as they type in their password.
Secondly, access controls typically involve some form of identity check. This, literally by definition, involves personal data. As such, it is protected by GDPR and has to be treated accordingly.
Implementing physical security
Modern physical security tends to involve a combination of hardware, technology and human oversight. These should be deployed to create robust access controls backed by continual monitoring. Both the access controls and the monitoring systems should be reviewed and tested regularly.
The reviews and tests should assess not just whether or not the security systems are effective but also whether they are proportionate. They have to strike the right balance between ensuring safety for you and your employees and maintaining privacy for anyone touched by them. It’s important to understand that the requirement to respect privacy lasts for the entire lifecycle of the data.
To begin with, you need to ask yourself if you can justify collecting the data in the first place. It’s very dangerous to rely purely on consent as your lawful basis, especially when dealing with employees. The law recognizes that this is an imbalanced relationship. If data is collected, it needs to be stored securely. This typically requires encryption. It also needs to be deleted promptly.
All data should have an owner, and that owner should have responsibility for making sure that GDPR compliance is maintained at all times. This includes fulfilling subject access requests within the designated time scale (currently 30 days). Always remember, you can outsource actions but not accountability. This means that you need to vet any third-party vendors carefully.
Access controls should be implemented at the very perimeter of your working location. They should often be continued within your working location itself. Most companies are likely to want to have public and private areas. Some companies may even want to fine-tune privacy settings within private areas. For example, you might want to limit access to very secure areas or only permit access at certain times.
Traditional access controls were very much focussed on hardware, e.g. keys. Even in the olden days, however, people understood that this wasn’t always sufficient. They might therefore also have a human guard keeping a log of entries and exits. This became easier as literacy increased, although there was always scope for human error (and malpractice).
Modern access controls, by contrast, tend to combine an element of physical hardware with some form of technological control. For example, a gate could be linked to an Automatic Number Plate Recognition (ANPR) system. It would open itself for safe-listed vehicles and remain closed for unknown or banned ones. It would also have a link to a human guard who could override the automated settings and open or close it remotely.
In theory, doors could be operated by facial recognition. In practice, biometric identification is still a very thorny area. Most companies would, therefore, want to avoid it, or, at the very least, be extremely careful about implementing it. Doors can, however, be operated by PINs and/or access cards. Exterior doors might benefit from using both. Internal doors could use one or the other.
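As an added illustration (not the author’s or Newgate’s code) of the zone, factor and time-window rules described above: a small Python access-decision function with a minimal entry log that is purged after a retention period. The zone names, factor counts per zone, opening hours and the 30-day retention are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed zone policy modelled on the article: a public area needing no
# credential, card + PIN at the perimeter, one factor for internal doors,
# and a high-security room that needs both and is only open at set hours.
ZONE_POLICY = {
    "lobby":       {"factors": 0, "hours": None},
    "exterior":    {"factors": 2, "hours": None},
    "office":      {"factors": 1, "hours": None},
    "server_room": {"factors": 2, "hours": (8, 18)},   # 08:00-18:00 only
}

def ts(day, hour, month=1):
    """Constructed timestamp helper for the sample runs below."""
    return datetime(2024, month, day, hour)

@dataclass
class AccessLog:
    """Entry/exit log that keeps only what a breach investigation needs."""
    retention_days: int                      # assumed retention period
    entries: list = field(default_factory=list)

    def record(self, when, zone, card_id, granted):
        # Card serial and outcome only: no name, and never the PIN itself.
        self.entries.append({"when": when, "zone": zone,
                             "card": card_id, "granted": granted})

    def purge(self, now):
        # Delete promptly once the retention period has passed.
        limit = timedelta(days=self.retention_days)
        kept = [e for e in self.entries if now - e["when"] < limit]
        removed = len(self.entries) - len(kept)
        self.entries = kept
        return removed

def check_access(zone, card_ok, pin_ok, when, log=None, card_id=None):
    """Return True only if the presented factors and time satisfy the zone."""
    policy = ZONE_POLICY.get(zone)
    if policy is None:
        granted = False                      # unknown zone: fail closed
    else:
        factors = int(card_ok) + int(pin_ok)
        start, end = policy["hours"] or (0, 24)
        granted = factors >= policy["factors"] and start <= when.hour < end
    if log is not None:
        log.record(when, zone, card_id, granted)  # log denials as well
    return granted
```

Denied attempts are logged alongside granted ones, since repeated failures at a door are exactly what the monitoring described below should pick up.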
You cannot rely purely on access controls. The simple fact of the matter is that left unattended, they will eventually be breached. Access controls are only a meaningful deterrent if they are suitably monitored. Essentially, their purpose is to delay intruders long enough for help to arrive. Ideally, this will discourage intruders from attempting an attack. If not, however, it should enable you to foil it.
A lot of monitoring is now undertaken by automated, sensor-based systems, with human oversight. This has a lot of advantages. Most of these hinge on the fact that all locations can be simultaneously monitored with minimal human staff. For many businesses, remote monitoring will be sufficient on its own. Ideally, however, it will be paired with human spot-checks.
Sensors can be highly efficient but they are definitely not infallible and they can be fooled. The same applies to humans. Technology and humans working together is generally by far the most secure combination. There is unlikely to be any harm in asking regular staff to be vigilant as they go about their duties. In fact, it’s often very advisable.
Keep in mind, however, that there’s a limit to how many tasks a person can handle simultaneously. This limit often depends on what the tasks are. For example, a person stocking shelves may be able to keep an eye on the door. A person serving a customer, by contrast, should be focused on the customer. It is, therefore, generally preferable to have at least one person devoted to security whenever possible.
Hope for the best but prepare for the worst. In other words, always assume that your security is going to be breached and have a plan in place to handle it. Review that plan regularly and put it to the test. If necessary, undertake a real-world simulation (in the same way as you’d undertake a fire drill). This is really the only way to be confident that a plan will work in practice as well as it does in theory.
Lucinda Thorpe is the Business Development Executive at Newgate, who are specialists in providing businesses in the UK & overseas with secured access solutions.