The purpose of these recommendations is to briefly inform about potential safety and security risks and other areas of importance when using Indivd People Counter. The information in this document does not constitute professional advice and we encourage you to seek such support from an expert if necessary.
Indivd uses hardware and infrastructure managed and controlled by the data controller, as regulated in the customer agreement. Personal data should not be stored unless clearly motivated by other lawful purposes, and any such storage should be handled appropriately for those purposes. This document contains general information on potential safety and security risks, based on a risk assessment by IBM Security conducted 2020-04-16, as well as factors that can be taken into account when using Indivd People Counter.
Article 24 of the GDPR says that the controller shall implement appropriate technical and organizational measures, including the implementation of appropriate data protection policies by the controller.
Article 32 of the GDPR says that, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymization and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The following measures shall be implemented to address the encryption of personal data:
- Any connection to the hardware on the people counter network from an outside source should be encrypted. If the network is partly bridged over a public or otherwise vulnerable network, that bridge should also be encrypted (for example with a VPN tunnel). Encryption should follow current industry standards, such as TLS for connections and AES-based cipher suites; legacy protocols without encryption (plain HTTP, Telnet, unencrypted video streaming) should not be exposed outside the local network.
Confidentiality Of The Processing Systems And Of The Services
This refers to protecting information from being accessed by unauthorized parties. The following measures could be implemented to address the confidentiality of the processing systems and of the Services:
- unauthorized persons should be prevented from gaining access to data processing systems with which personal data are processed or used,
- people counters should be password protected. Access to passwords should be limited to the necessary personnel and systems, and the passwords should be stored in a secure place (such as a password manager). Passwords should be of good quality and follow NIST SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management); any factory default credentials should be changed before the counters are put into service,
- the local network for the people counters should be protected by an appropriately configured firewall, following industry standards such as NIST SP 800-41 (Guidelines on Firewalls and Firewall Policy),
- personal data is streamed for anonymization and should not be stored unless clearly motivated by other purposes and the storage is handled appropriately for those purposes,
- the local network for the people counters and any local server should be reasonably protected from physical access by unauthorized parties and follow industry standards.
Integrity Of The Processing Systems And Of The Services
This refers to the capability of performing correctly according to the original specification of the system under various adversarial conditions. The following measures could be implemented to address the integrity of the processing systems and of the Services:
- protection by technical and organizational means regarding authorizations, logging (including regular log analysis) and audits,
- logging of incoming and outgoing connections is recommended and should follow industry standards such as NIST SP 800-92 (Guide to Computer Security Log Management).
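The firewall and connection-logging recommendations above can be combined in a single ruleset. The following nftables script is an added example written for this document and is not part of the Indivd product or its documentation; the interface names ("mgmt", "counters"), the counter subnet 10.20.0.0/24, the management host 10.10.0.5 and the anonymization service 10.10.0.20 are all assumed values for illustration. The firewall is assumed to route between the management network and the counter network, so the rules live in the forward chain.

```nft
#!/usr/sbin/nft -f
# Example ruleset for the people counter network (assumed addresses and
# interface names; not taken from the Indivd documentation).
#   counters:  10.20.0.0/24 on interface "counters"
#   mgmt host: 10.10.0.5    on interface "mgmt"
#   anonymization service: 10.10.0.20 on interface "mgmt"
# Default policy is drop, so anything not explicitly allowed is logged
# and discarded. Only encrypted protocols (SSH, TLS) reach the counters.

flush ruleset

table inet counters {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # replies for sessions the rules below already admitted
        ct state established,related accept

        # only the management host may open SSH/TLS sessions to the counters;
        # every new session is logged so incoming connections are recorded
        iifname "mgmt" oifname "counters" ip saddr 10.10.0.5 ip daddr 10.20.0.0/24 tcp dport { 22, 443 } ct state new log prefix "COUNTER-ADMIN " accept

        # counters may only initiate outbound TLS to the anonymization service;
        # every new outbound session is logged as well
        iifname "counters" oifname "mgmt" ip saddr 10.20.0.0/24 ip daddr 10.10.0.20 tcp dport 443 ct state new log prefix "COUNTER-OUT " accept

        # everything else, including plaintext HTTP/Telnet or attempts from
        # other hosts, is logged and dropped
        log prefix "COUNTER-DROP " drop
    }
}
```

Load the file with `nft -f <file>`; the logged entries appear in the kernel log (for example via `journalctl -k`) with the prefixes shown, which gives the incoming and outgoing connection record that NIST SP 800-92 expects to be retained and reviewed. The weak configuration this replaces is a forward chain with `policy accept` and no log statements: the counters would then be reachable from any host over any protocol, and nothing would be recorded.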
Process For Regularly Testing, Assessing And Evaluating The Effectiveness Of Technical And Organizational Measures
The following measures shall be implemented to address the regular testing, assessing, and evaluating of the effectiveness of technical and organizational measures:
- a documented security concept,
- review by the data protection officer,
- external reviews, audits, certifications.
Feel free to contact us at firstname.lastname@example.org if you have any questions or concerns about potential safety and security risks.