As artificial intelligence and predictive analytics become increasingly important to the performance and profitability of commercial office buildings, owners and landlords must address issues related to occupant data privacy.
The standard of laws and regulations governing the use of personal data set by the European General Data Protection Regulation (GDPR) represent strict guidelines for the use of occupant data ,which applies beyond the territorial scope of European data protection laws and are poised to significantly impact the U.S., Asia and other markets.
With hefty fines which could be up to 4% of worldwide group company revenue, 20,000,000 building owners and landlords using occupant personal data will need to think carefully about how they comply with the GDPR.
When it comes to the privacy laws and data protection in smart building applications, several key issues need to be addressed in technologies used by individuals in the workplace.
What does GDPR entail?
What GDPR entails are widespread and far-reaching but, in general, GDPR states that all EU citizens have the right to have their personal data processed in a way that it is “lawful, proper and transparent.”
Citizens have the right to access and withdraw their personal data from registration, as long it is not a matter of public concern and must be a legal basis for storage of personal data such as of security, through labor contract, consent, agreement or legal duty.
Storage and processing of specific personal data regarding race, religion, sexual preference or health and the use of cameras with facial recognition are prohibited unless there is a legally pressing need such as in hospitals and airports.
Who’s responsible for what?
Any organization that decides what personal data is collected and the purposes for which it is used is considered a data controller and therefore has to comply with the local and GDPR laws.
This means that usually controllers who own the data, which in most cases is either the tenant or landlord, are under the biggest obligation to comply with GDPR directives, not necessarily the data third-party vendors who collect and process it for their clients.
While this may seem like a clear distinction, underlying difficulties exist with its application–part of the problem with smart buildings is that multiple stakeholders are involved in the creation, development, operation, maintenance and use of smart buildings technology.
Often times data processors can easily cross into data controller territory if they start to collect and use the data for their own purposes or combine it with information obtained from elsewhere.
GDPR & meaningful consent
An important aspect of GDPR is the concept of “meaningful consent” wherein tenants and landlords deploying smart building technologies which collect and analyze occupant data must inform occupants about how their data is used and provide meaningful consent if required. While most stakeholders are able to comply with these requirements things often get muddled when a secondary use of data emerges on part of the owner, vendor or tenant that many require re-identification of anonymized data.
Due to often unforeseeable multiple uses of data in the future, it’s often difficult to be completely transparent in privacy notices and statements. For this reason, building owners and tenants must consistently evaluate their compliance with GDPR as new use emerge.
Minimize the amount of personal data
While most smart building technology vendors integrate GDPR compliance into their data management and security protocols, it’s important for owners to understand the importance of minimizing personal data.
One of the ways to mitigate the likelihood of GDPR violations is to minimize the amount of personal data which is collected. The larger the volume of data collected the harder it is to ensure that it is processed in a compliant way and higher risks related to keeping the data secure.
For example, to optimize tenant experience, sensors that monitor and store data for smart building processes such as temperature, heat and lightning contain risks often “‘remember” individual preferences of employees permanently.
This can be overcome by storing personal data temporarily, i.e. each time when a person enters or leaves the room in which sensors are installed. Another option is to use heat sensors that only measures movements of people, not their personal data, and can turn temperatures, heat and lightning on a standard setting when persons enter or leave the working space.
By limiting the volume of data to what is necessary immediate use and not what a technology controller may wish to have for future – owners and tenants can minimize their risks in of non-compliance and data breaches.
Keeping smart building data secure
It is also a requirement of GDPR to keep data secure. Building owners, tenants, and vendors must look at security from both technical perspectives ie encryption measures, but also ensure that those involved in handling personal data needs are aware of best practices and issues and can act quickly in the event of a security breach. GDPR requires organizations to consider how they will ensure compliance at the outset and throughout the implementation of any new product, service or technology.
Data minimization and privacy strategies offer a means of protecting both occupants and owners from GDPR non-compliance and make it both technically and operationally safer to separate building management systems from storing and processing personal data.