Are you using your phone, watch, or other mobile device to get access to places – a mobile pass in Apple Wallet, for example, instead of a plastic badge? That’s mobile access control and it’s very much on the rise. The potential it brings is huge, as it opens so many possibilities for increased convenience, efficiency, control, and security. With that great potential, however, come important considerations. In a recent blog, we covered the security of mobile access control. Here, we’re looking at data privacy in mobile access control, which is in the same arena and is just as important. But it has different implications because the focus is more on protecting passholders.

Think about this – how much do you care about your data privacy when you’re using mobile devices?

According to Deloitte’s Connected Consumer Survey 2023, 67% of smartphone users worry about data privacy and security on their phone. And, as this graph from a GDMA report on data privacy shows, concerns about online privacy are global.

This doesn’t necessarily mean that people feel equipped to protect themselves, though. A survey by the European Union Agency for Fundamental Rights says that only 72% of people know the privacy settings on their smartphones, and 24% don’t know how to check the privacy settings on their apps.

 

So what is data privacy and why does it matter?

Data privacy is about defining who has access to what data and how they can use that information. It dictates how personally identifiable information (PII) can be handled – the kind of data often linked to mobile access control credentials, such as a person’s name, address, telephone number, etc.

But data privacy can also relate to data held about an organisation, such as financial details, intellectual property or government policy.

In mobile access control, data privacy is crucial. Without it, there are no rules for how the information provided by people needing access can be used, stored, or shared. This means their private details could fall into the wrong hands and the results could include spam emails, identity theft, harassment and more. The knock-on effect for an organisation that hasn’t ensured data privacy can be reputational damage and reduced trust from employees and customers, not to mention fines.

Data is now being seen for what it is – a valuable commodity that organisations have a duty to take care of. And, to help enforce data privacy, lots of countries have created regulations to govern how organisations can collect, store, use and share data. These include, for example, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

 

What is data protection and how is it different from data privacy?

While data privacy regulates how an organisation uses and handles the data it holds, data protection focuses on the measures taken to safeguard that data. Data protection is about keeping confidential information secure and protected from theft, loss or compromise. It’s key to ensuring private data remains private, but easily accessible to the people and processes authorised to use it.

 

What do data centres have to do with data protection?

If you think about the data pipeline, data privacy is at the front end, controlling how data is collected and used. Data protection is at the back end of the pipeline, controlling how data is secured. And this is where data centres come in, because these high-security sites are where data is stored and kept safe on servers.

When you use our Nedap Mobile Access solution, for example, all the data we collate from you, your employees and other passholders is held in data centres in the Netherlands. These centres meet stringent certifications for both data privacy and data protection and are monitored continuously to ensure the data is available for use in granting access.

 

Who owns the data when it comes to mobile access control?

The data you collate and use for mobile access remains yours – the provider of your mobile access control solution just stores it on your behalf.

 

How secure is data in mobile access control?

Rest assured, the data used in a reputable mobile access control solution is very safe. Let’s look at this from a few angles.

1) Device theft

Mobile passes are protected by the privacy and security features on the mobile device. These are increasingly advanced and typically involve PIN, password or biometric access. Even if a thief found a way to access a mobile pass, they wouldn’t be able to access the data held on it. And the pass can be suspended remotely to prevent them using it.

2) Data theft, loss or misuse

The provider of your mobile access control solution should store data according to strict standards and guidelines to ensure it’s kept private and protected from loss, theft or misuse. We use the ECv3 multi-layered encryption scheme, for example, to ensure the confidentiality of personally identifiable information.

3) Snooping by operators and device providers

Providers of mobile service plans and devices can’t see the credentials stored on them – just like they can’t access bank details from banking apps. Neither can they see what people access, or when, via their mobile access credentials.

 

What’s the way forward?

The possibilities presented by mobile access control will continue to grow in line with the growth of new technologies and functionalities. To take advantage of these possibilities in a safe, secure way, data privacy must be a priority. It’s the duty of mobile access solution providers, and organisations using mobile access control, to protect data privacy – and, in turn, the people using mobile passes.

Want to know more about mobile access control and the opportunities and considerations? Get in touch. We’d love to hear from you.
