The physical security of an organisation is the first line of defence in minimising the risk of unauthorised access to data.
CCTV cameras act as a visible deterrent and are an effective aid to protecting not only an organisation's site but also the data held there, which, if not properly secured, is vulnerable to breach. That said, there are many other measures that contribute to making physical security as robust as possible.
An onsite physical security review identifies and mitigates potential vulnerabilities in organisational security and provides a comprehensive assessment of how well your data is secured in practice. For example, inappropriate placement of CCTV cameras could leave you vulnerable to invasion of privacy claims. Similarly, how you destroy physical files and retired media such as hard drives, and the internal data destruction policies behind that, all help to protect you from breaching the security principle (integrity and confidentiality) of the UK GDPR.
While, understandably, a lot of resource is spent defending against electronic threats to data, physical security standards are often overlooked. They are an essential part of complying with data protection laws such as the UK GDPR and the Data Protection Act 2018, which require organisations to take "appropriate technical and organisational measures"; physical security is a key part of that.
Many organisations have infrastructure critical to their business, such as servers holding vast amounts of medical records, power supplies on which access to trading software depends, or physical copies of data stored in filing cabinets, such as employee records. An unsophisticated burglary of your premises could cause massive loss of data, damaging confidence in your organisation, not to mention a significant monetary fine, as has happened in the past when organisations have been sanctioned for failing to prevent straightforward thefts.
In 2013 NHS Surrey was fined £200,000 by the UK's Information Commissioner's Office (ICO) after sensitive patient data was found on a second-hand computer that had been sold on eBay. The ICO found that the organisation had failed to protect the data and had inadequate asset disposal controls, leading to a serious data breach.
On a similar note, a laptop stolen from the Royal Veterinary College was found to hold sensitive personal information about applicants, none of which was encrypted and all of which was therefore accessible to the thieves who took it. A burglary resulting in the theft of sensitive data also led to a significant fine for Greater Manchester Police.
A breach of any data, even something as simple as a visitor reading other visitors' details (name, vehicle registration and so on) from a visitor record book, is a data breach. Unauthorised access to personal data can have serious consequences both for the individuals concerned and for the organisation itself.
Effective physical security measures restrict opportunities for unauthorised access such as theft, which matters all the more as criminals increasingly recognise the value of illegally accessing, selling or holding people's data to ransom.
What is involved in a physical security review?
A physical security review helps limit and mitigate vulnerabilities in organisational security, reducing the risk of a serious data breach.
Our team will visit your location(s) and assess the physical, technical and organisational security in place, whether that is adequate locks, suitable storage solutions or procedures for visitors attending your premises.
This provides a formal evaluation of the physical safeguards protecting the organisation's information systems, data storage and personnel from physical threats such as theft.
What do we look at in a physical security review?
Each site is different, but our standard inspection will include:
Site Perimeter Security
- Fencing, gates, barriers etc
- Security guards (where needed)
- Vehicle access controls and limits
Building Access Controls
- Controlled entry points, e.g. ID cards, PINs etc
- Visitor management
- Out of hours access/security measures
Internal Security
- Access to secure rooms such as server rooms or data centres
- Whether personnel access to specific areas is appropriate to their role
Workstation/Device Security
- Security of laptops/desktops and other devices
- Any locking mechanisms in place for unattended employee equipment
- Clear desk policies and any other relevant procedures
Surveillance and Monitoring
- CCTV
- Alarm systems
- Logging/reviewing access and footage
Environmental Controls
- Fire detection/suppression systems in key locations
- Water/flood protection
- Air conditioning and temperature control where required
Plus many other checks, depending on the industry and organisation.
Our experts then draw up a comprehensive report and recommendations to complete the physical security review.
When might a physical security review be required?
Organisations typically request a physical security review as a starting point to build from, or to confirm that their data protection procedures are sound. This provides peace of mind and a baseline from which to further secure personal data. It is also a good idea to perform a physical security review after a data breach, a theft or a break-in, to confirm that the systems and procedures in place are still relevant and appropriate.
Office relocations, onboarding new third-party vendors, changing IT infrastructure, personnel restructuring and board assurance reports are all good opportunities to review the physical security of data protection within your organisation, and there are many more triggers beyond these.
Sometimes it is simply a case of understanding what is going well and what might need improving, and gaining that insight from an outside perspective. Such inspections may also lead to reductions in insurance premiums.
A physical security review is highly bespoke to each individual organisation and its premises. Our team has years of experience performing audits in this way and provides reports and recommendations specific to your business. If we can help, please do get in touch or find out more on our website pages here.