Modern facilities generate vast amounts of data through physical security systems. This includes video feeds, access control records, visitor logs, and license plate information, among others.
For facilities managers, it’s an operational concern that affects risk management, compliance, and day-to-day decision-making. Responsibly protecting this data has become a core part of running safe, compliant, and trusted environments.
By following a few best practices, you can help make sure your organization’s data remains private and is used only for its original purpose. You don’t have to sacrifice data privacy for security.
1. Implement Strong, Ongoing Cybersecurity Measures
Protecting data is not a one-and-done responsibility. For IT teams, this means regular system hardening, vulnerability management, and timely updates to address cybersecurity risks that could compromise personal information. Treating cybersecurity as a continuous operational responsibility helps maintain a stronger overall security posture.
When selecting a new security solution, look for trusted technology partners. Evaluate vendors based on how they govern personal data, define limits on data use, and communicate their privacy practices. Independent security standards and attestations, such as ISO/IEC 27001, ISO/IEC 27017, and SOC 2 Type II reports, offer important assurance that systems and data are properly protected and managed.
Cloud-managed and software-as-a-service deployments can also help organizations stay current with security patches, privacy controls, and compliance. Software updates and patches are managed and pushed out by the manufacturer to keep your system up to date.
You may want to consider a hybrid deployment approach that allows you to balance scalability, control, and data residency requirements across on-prem and cloud environments.
2. Prioritize Privacy-First Technology
Transparency around data handling practices plays an important role in building trust with employees, customers, and the public. Technology choices can support privacy without compromising operational effectiveness. The gold standard in security technology is a concept called “privacy by design.” Privacy controls are embedded from the first lines of code to system design and third-party integrations. Privacy-enhancing technologies, such as automated anonymization and masking, help protect individuals’ identities while preserving the operational value of security data.
This concept extends to the day-to-day use of security systems as well. You can put in place “privacy by design” practices by collecting and retaining only the data required for defined objectives. This method intentionally limits the amount of personal data collected and clearly defines how that data is used. Strong security measures, including encrypting data in transit and at rest, enforcing strong authentication, and applying granular access controls, help reduce the risk of unauthorized access.
3. Define Internal Guidelines on Data Governance and Accountability
Many stakeholders within a company collect and work with personal data from security and operational systems. At every step of the process, people make decisions that can impact data collection and security. Poor data management practices can accumulate “privacy debt”—risks and liabilities associated with handling personal data without proper oversight.
One way to address this is through a framework that specifies who’s responsible, accountable, consulted, and informed when it comes to data collection and security ownership.
- Start with understanding what data you collect and why. Establish a cross-functional committee of data owners, legal teams, and the IT department to make sure nothing important is overlooked. Be clear on why and when each department collects information.
- Compromises could be required, but having a joint plan will help with an overall facility approach and data protection policy. Some departments may advocate for collecting as little information as possible to reduce the risks of a data breach. Other parties may have their reasons to want more information on file.
- Regularly assess your plan and understand why you collect data, where you store it, how long you retain it, and who has access to it. Documenting these practices helps identify policy gaps and support ongoing compliance. As policies evolve, teams can update retention rules and access controls without overhauling their entire system.
4. Use a Digital Evidence Management System
When people hear the word “evidence,” they often think of criminal investigations. In practice, digital evidence includes everyday incidents such as workplace disputes, slip-and-fall claims, or safety events. Video footage, access control logs, license plate scans, and incident reports often contain personally identifiable information (PII).
A digital evidence management system (DEMS) allows administrators to assign role-based permissions so users have access only to the information they need. Auditability is also critical. Built-in audit trails track evidence throughout its lifecycle to indicate who accessed a file, when it was viewed, and who shared it.
Data retention is another key aspect of compliance. Organizations must make sure that data is kept for as long as required, but no longer. A DEMS allows teams to define and automate retention policies based on incident type, regulatory requirements, or internal policies.
5. Implement a Responsible AI Approach
Artificial intelligence (AI) has also had an impact on data privacy. AI-enabled systems can process large volumes of security data in seconds. AI is increasingly used in software to improve the analysis of the vast amount of data collected.
As AI becomes a core part of security systems, look for solutions that are designed and used responsibly and transparently, minimizing data risks.
Responsible AI follows three guiding principles:
- Privacy and data governance: Use only datasets that meet local data protection regulations and treat them with care. Limit access to sensitive information and make sure appropriate data retention policies are in place.
- Trustworthiness and safety: Minimize bias in AI models, rigorously test them, and understand how they really work.
- Humans take the lead: AI systems should help human decision-making, not replace it. Critical security decisions must be made by a human.
Choose AI-enabled systems with built-in privacy features to limit and protect access to sensitive information. It’s also a good practice to broaden data protection strategies to ensure strong cybersecurity measures, including regular system audits and updates.
Protecting Privacy—Without Compromising Security
As the amount of data collected continues to grow, your employees, visitors, and customers have the right to know how their personal data is used, shared, and stored. Protecting data is an important part of a facility’s overall security policies.
Work with your internal teams, system integrators, and technology manufacturers to develop and put in place strategies that prioritize both cybersecurity and privacy protection. By adopting a privacy-by-design approach and selecting technologies that support privacy regulations, you can protect sensitive data while maintaining compliance and security.
Mathieu Chevalier is the manager and principal security architect at Genetec Inc., overseeing the compliance and information security infrastructure team. Chevalier also leads the Bureau of Software Security in charge of the cybersecurity aspect of the company’s product portfolio. He originally joined the company as a software developer in 2010 and holds a bachelor’s degree in software engineering from the Université de Sherbrooke in Quebec.