Expert Speak
Privacy and Security: Are They Mutually Exclusive?

Written by Ephrem Tesfai, Engineering Manager, Middle East, and Africa at Genetec
In our modern connected world, it’s unsurprising that privacy concerns, particularly those related to personal data, are on the rise. It is crucial to question who has access to what data and for what purpose.
Earlier this year, the UAE launched its Federal Person Data Protection (PDP) Law providing a legal framework to ensure the security and privacy of personal information. To date, 71% of countries around the world have enacted similar forms of legislation to ensure data and privacy protection. These regulations aim to restrict and monitor the collection, processing, and access to personal data, including video footage, in order to maintain privacy and mitigate the risks of criminal cyber activities.
Simultaneously, acquiring digital information is critical for protecting people and property. Governments and private businesses often collect data from individuals frequenting their facilities. This data can include personally identifiable information (PII), such as surveillance footage, photos, access control data, and license plate information. However, does this imply that we must forego our privacy for the sake of physical security?
What is personally identifiable information?
Security professionals frequently wrestle with questions about where to draw the line when it comes to personally identifiable information (PII). For example, when is surveillance footage of public spaces considered personally identifiable information?
The answers to these questions are not always straightforward as legislation surrounding PII varies from place to place. Although video surveillance isn’t necessarily a problem, capturing a specific image of a person can be. If the video resolution is low enough to make it impossible to clearly identify an individual, it would not be considered PII. However, with the quality of video surveillance technology improving every day, it is more crucial than ever for security professionals to remain well-versed in their local legislation around PII.
New regulations and restrictions regarding PII and data privacy are introduced regularly. Therefore, it can be challenging for private citizens and small businesses to stay up to date with these reforms, especially when legislation is not communicated in a clear and accessible manner. Vendors and integrators can help educate end users on these guidelines and promote awareness of best practices. Those capturing or accessing video or access control information containing PII must be mindful of who has access to the data as well as local privacy regulations and restrictions.
You don’t need to compromise on privacy to ensure security
Balancing security and privacy isn’t a zero-sum game. In fact, a majority of organizations today are going beyond regulatory requirements concerning privacy to ensure not only that personal data is protected but also that those who have access to it are accountable.
Although most privacy regulations establish a minimum requirement for the storage and management of personal data, however, businesses can do more than the minimum. Modern video management software (VMS), access control systems, and automatic license plate recognition systems (ALPR) enable the restriction of data to authorized personnel only.
VMS platforms with privacy protection capabilities can pixelate individuals in videos to conceal their identity and provide audit trails to document who accessed data and when. They have improved the cybersecurity and accountability of their systems to ensure data protection. On the other hand, modern ALPR systems can render license plate data untraceable by private businesses, and seal vehicle owners’ names, addresses, and other identifying data, making them accessible to only local, state, and federal registration and law enforcement databases.
Regulations typically focus on how end users operate the system, whether their data is stored securely and if they have a clear process to access sensitive data. Yet, protecting personal information is a shared responsibility.
End users can research the privacy policy and capabilities of their vendors, while software vendors can incorporate tools such as encryption, authentication, security, and facial blurring that enable end users to protect the data. Similarly, systems integrators can effectively configure systems and educate end users on how to use them in a manner that respects privacy, and end users’ operators can be trained on internal processes to guarantee that the data is secure and cannot be accessed without valid authorization.
Mindful data collection leads to better decisions
Security systems are more prominent and sophisticated than ever before, and analytics have advanced significantly. More companies and individuals are adding or upgrading cameras now that it is less expensive and easier to gather and interpret video footage, ALPR, and access control data.
Yet, acquiring more data does not always result in better decisions, and can lead to information overload. Therefore, it is crucial to employ technologies to filter the data, ensuring that only the most relevant information is highlighted, while the security of the other data is effectively maintained.
One method to do this is to minimize the quantity of data that is stored, keeping only what is necessary to your objectives, while another way is to ensure only those who require the information, and can provide the correct authorization, have access to sensitive data. Modern ALPR systems, for example, often retain simply the ‘read value’ of a license plate rather than the image of the plate itself and may offer the option to retain information only if the plate matches a hotlist.
Another alternative is to implement the “four eyes principle,” which ensures that personal data is only seen by authorized personnel, by requiring two people to provide credentials to access particular types of data. Faces on video recordings, for instance, can be pixelated by default. If an operator observes an event taking place, they can request a supervisor to unlock the video. For very sensitive data, some companies require two supervisors to authorize a request to access data.
Trust is essential
Privacy is directly connected to trust. Stakeholders must be able to trust that data is stored securely and that the technology and systems being used are functioning optimally. Improperly installed or inadequately secured cameras and door controllers that are part of the network can expose private data to hackers. Therefore, it is critical to evaluate the typed of data a system is acquiring, the quality of that data, and the effectiveness of the checks and balances in place.
Transparency is fundamental. Context is everything when it comes to data and privacy protection. For example, people may consent to share their location while using certain apps on their phone but would not want those apps to continue tracking and sharing their location indefinitely.
Access to personally identifiable information recorded by surveillance cameras, license plate readers, and access control systems must be warranted in the same way. In certain situations, authorizing access to sensitive data is necessary, and this does not violate privacy ethics if the people affected are informed about what data is accessed, when, and why.
How to develop ethical privacy standards without compromising security
There are several ways organizations can develop ethical privacy standards without jeopardizing security:
- Organizations should be selective about the data they collect and critically evaluate the information required to accomplish their purpose. For instance, when collecting data on visitors, is it truly necessary to obtain their full home address, or will simply verifying their ID suffice?
- Organizations can create an internal privacy policy that specifies the sort of data gathered, where it is stored, and who has access to it and appoint a data protection officer to oversee and maintain it.
- Organizations should also employ security software vendors who have been certified for privacy protection. A privacy certification involves a thorough check of the source code to ensure data cannot be accessed without authorization. This applies not only to the product but also to the infrastructure that surrounds it, including any linked websites that hold user data.
In summary, organizations should primarily work with vendors who develop tools that include privacy protection from the outset. To alleviate concerns about system vulnerabilities, organizations can select and deploy solutions that have undergone rigorous testing by manufacturers against cyber threats. These solutions allow organizations to have complete control over their data, enabling protection protocols to be adjusted based on evolving regulations.
Moreover, this also allows organizations to configure the system and define the individuals or parties that are authorized to access sensitive data without slowing down response times or investigations. When these measures are in place, it is a team effort to ensure that security with strong privacy protection is achieved.
Cyber Security
Addressing Challenges in Artificial Intelligence Security and Supply Chain Management

Written by Eng. Abdulaziz Al Nuaimi, Chief Security Officer, Huawei UAE (more…)
Expert Speak
Talking to the C-Suite About Cybersecurity

Written by Filippo Cassini, Global Technical Officer, SVP of Engineering at Fortinet (more…)
Cyber Security
The Human Factor: Why Cybersecurity is as Much About People as Technology

Global Entrepreneur Roman Ziemian explores why organisations must prioritise human awareness and culture to build a truly secure future. (more…)
-
Artificial Intelligence1 week ago
DeepSeek-R1 AI Poses 11x Higher Harmful Content Risk
-
Artificial Intelligence6 days ago
DeepSeek Popularity Exploited in Latest PyPI Attack
-
Artificial Intelligence6 days ago
SentinelOne to Spotlight AI-Driven Cybersecurity at LEAP 2025
-
Cyber Security3 days ago
Employees Are the First Line of Defense
-
News5 days ago
Sophos Completes Secureworks Acquisition
-
Homeland Security1 week ago
Daimler Truck Focuses on Growth in the Defence Sector
-
Cyber Security3 days ago
Proactive Threat Intelligence Can Keep Threats at Bay
-
Cyber Security1 week ago
Tenable Plans to Acquire Vulcan Cyber