GDPR Compliance Will Impact Physical Access Controls


The European Union (EU) General Data Protection Regulation (GDPR) places strict new security and privacy requirements on any data related to persons living in the EU. In documenting and managing such data, organizations should not overlook physical access control systems.

As we noted in a previous post, physical security typically falls under the purview of a Chief Security Officer (CSO) or facilities manager, while the IT department is responsible for logical access controls related to systems, applications, and data. This siloed approach is inefficient and opens the door (sometimes literally) to security threats. The GDPR adds another layer of complexity to the situation.

Physical security controls require the collection of identity data so appropriate access credentials can be assigned. The process impacts not only employees but contractors, business partners, and visitors. If any of those individuals lives in any of the EU’s 28 member countries, the personal data collected is governed by the GDPR.

Often, however, organizational processes related to physical access controls are immature and poorly managed. HR departments will likely have a database of employee and contractor credentials but little, if any, knowledge of the comings and goings of business partners and other visitors. Though visitor access might be tracked by a sign-in sheet held at the front desk, frequent visitors might have more formal credentials. All related data must be managed appropriately to ensure GDPR compliance.

In a previous post, we discussed the GDPR at length, but we’ll recap a few of the essential points here. The three core tenets are:

  • Consent: The data subject must expressly consent to the collection of the data. Implied consent is not sufficient.
  • Right of Access: The data subject has the right to obtain confirmation as to what type of personal information is stored and for what purpose.
  • Right of Erasure: Also known as the “right to be forgotten,” this tenet gives the data subject the right to request that personal data be deleted.

Note that the GDPR applies to all companies, regardless of size or location, that handle the personal information of EU residents. Noncompliance can result in fines of up to 4 percent of an organization’s global revenues.

To ensure compliance with the GDPR, organizations should establish policies related to the collection and maintenance of data used for physical access controls. These policies should define what data is collected, the reasons it is collected, and how long it is to be held. The policies should be stated clearly on consent forms and in procedures developed for ensuring that the policies are followed.

These processes can be streamlined by merging physical security credentials with IT’s identity management system. This establishes one centralized location for all identity-related data, making it easier to track consent and respond to requests from data subjects under the GDPR.

The GDPR is sweeping legislation, and we are only beginning to understand its full impact. Organizations should carefully consider every point at which personal information is collected and take steps to ensure proper governance of that data. This might require rethinking physical access control procedures.


For more information about GDPR, please send us an email at (

Leave a Comment