Personal data protection in monitoring
Data protection and business continuity are extremely important for companies that provide alarm monitoring services. Such companies hold sensitive, often highly sensitive, data in their IT systems: for example, the passwords used to cancel alarms and the contact details of key persons, so-called VIPs. This information is frequently critical to the safety of customers, of the people associated with them, and of the monitored property.
This applies all the more when signals are monitored from military facilities, the judiciary, public administration and critical infrastructure: the level of personal data security in the monitoring company can directly affect the security of those facilities' operations. In Poland, the monitoring system that meets the highest standards of data security and business continuity is the Safestar system.
Unfortunately, according to statistics, only 3% of Polish companies process personal data in accordance with the law (i.e. after registering their personal data sets with GIODO). In our observation the topic is often underestimated, and monitoring companies frequently fail to meet even the basic statutory obligations to protect data adequately.
The basic legal act regulating the processing of personal data is the Act of 29 August 1997 on the protection of personal data. It imposes binding obligations on all entities operating in the territory of the Republic of Poland that process personal data.
"Within the meaning of the Act, personal information means any information regarding an identified or identifiable natural person."
"An identifiable person is a person whose identity can be determined directly or indirectly, in particular by reference to an identification number or to one or more specific factors defining his physical, physiological, mental, economic, cultural or social characteristics. Information shall not be deemed to make it possible to identify a person if that determination would require excessive costs, time or activities."
Today the customer's e-mail address is one of the most common login identifiers in electronic systems, and such an address often identifies a specific person, which makes it personal data. The processing of personal data means any operation performed on such data, including collecting, recording, storing, processing, altering, sharing and deleting, in particular when these operations are performed in IT systems.
To meet the statutory requirements on the organizational side, the first step is to appoint an Information Security Administrator (ABI). The next step is to prepare the appropriate documentation. Finally, the data set must be reported to the Inspector General for Personal Data Protection (GIODO) before processing begins. The basic duties of the person appointed as ABI include securing personal data against unauthorized access.
An important role in monitoring services is played by the system that receives, analyzes and stores signals from the monitored sites. This system contains customers' personal data, so it must meet the statutory technical and organizational conditions for devices and IT systems used to process personal data.
Fortunately, in May 2018 new personal data protection provisions come into force, the so-called RODO (the EU General Data Protection Regulation, GDPR). They complement the current requirements and regulate important issues related to electronic data processing.
ISO 27001 and information protection more broadly
The protection of personal data is not the only aspect of information security. It should be remembered that a modern Alarm Monitoring Center relies on a large amount of IT equipment over which appropriate oversight must be exercised. Ready-made organizational solutions exist in this area in the form of the ISO 27001 standard; we will return to it in a separate article.
Business continuity in monitoring
An important element of monitoring services is Business Continuity Planning (BCP).
By business continuity management we mean a continuous, never-ending process that includes, among other things:
- risk and business impact analysis (so-called scenarios)
- determining the scope of protection (business functions and resources)
- emergency solutions (built, maintained and continuously tested)
- business continuity plans (crisis management)
- crisis management structures and processes.
Companies' approach to business continuity management, on the monitoring market and elsewhere, varies widely and depends on a number of factors. The main ones are:
- Legal regulations
- Requirements of insurance companies
- Awareness of hazards and associated risks
- Adequate authority granted to the persons responsible for BCP within the company
- Appropriate budgets
- Requirements set by clients resulting from their procedures
- Striving to include the BCP area (ISO 22301 standard) into the integrated enterprise management system based on ISO standards (9001, 27001).
On the formal and legal side in Poland, the main guidelines are based on the recommendations of the Polish Financial Supervision Authority (KNF) for financial institutions (banks, insurers, brokerage houses) and on the requirements for the State's critical infrastructure. Enterprises providing services critical to the State (transport, telecommunications, energy, security) are required to prepare critical infrastructure protection plans, which largely fulfil the same role as a BCP. These are the only organizations that currently demand that monitoring companies meet specific requirements in the BCP area.
Monitoring services are, by their nature, delivered on IT equipment and systems, which is why data protection and business continuity are so important: only when both are assured can security companies provide their customers with adequate protection.
Awareness of the issue is growing, and specific customer requirements are appearing that force monitoring companies to take appropriate steps. What clearly holds this process back today is the lack of funding for such activities in companies that protect people and property.