GDPR is coming – and in its wake a lot of scaremongering and misinformation. Many businesses are still struggling to understand compliance obligations and how they translate to their activities.

With the enforcement deadline of May 25th looming ever closer, worry only increases. And yes, the deadline date is real and ignoring GDPR or getting it wrong could be costly. Nevertheless, it is important to realize that GDPR compliance is not a discrete point in time but rather a continuous process. With the new regulation, data professionals are on a journey to make privacy protection part of their ‘business as usual’. This means baking security into processes right from the start – not as an afterthought. When it comes to GDPR for FMs, this is also key.

GDPR for FMs

GDPR myth #1: GDPR is only for big companies, the likes of Google and Facebook. No, GDPR compliance is for companies big and small that process personally identifiable data. The size or activities of your organization are irrelevant.

What is GDPR? And how does it impact FMs?

The General Data Protection Regulation was designed in an effort to update the existing Data Protection Directive. This legislation dates back to 1995 and worked in a very different world. At the time, Google didn’t exist (founded in 1998). Neither did social networks like Facebook (2004) or Instagram (2010). Amazon had only just started as an online bookstore. It was also before the internet and cloud technology created new ways of exploiting data. By strengthening the data protection legislation and introducing tougher enforcement measures, the EU wants to give subjects more control over how their personal data is used and increase trust in the digital economy.

GDPR myth #2: The regulation is not for business-to-business companies. Under GDPR there is no distinction between a person’s information whether it be their public, private or workplace data. For example, in a B2B environment where the customer and supplier are both organizations, the legislation takes into account the individuals involved in the process.

New EU data protection regulations come into force on May 25, 2018, following a 2-year transition period. Unlike a Directive, the GDPR does not require any enabling legislation to be passed by governments, meaning it will be fully enforceable in May 2018. Companies that do not comply by then can be fined up to 4% of the company’s worldwide revenue or €20 million, whichever is greater. In addition to the high fines and compensation claims, potentially even more damaging could be a stop order.

GDPR myth #3: GDPR is only for European companies. The GDPR not only applies to organizations located within the EU but also to organizations located outside of the EU that:

– Process personal data in respect to an activity or transaction within the EU territory

– Monitor the behaviour of EU data subjects.

This broadening of the territorial scope is one of the biggest changes of GDPR.

If you process personal data for activities and transactions that occur within the EU (incl. the UK despite Brexit), your organization has to become GDPR compliant. Clearly, this also impacts FM organizations, processing not just operational and asset data, but also data relating to facility workers and building users. FM service providers are doubly exposed, with an obligation towards their own staff, along with the systems they implement to service their customers.

GDPR myth #4: GDPR only concerns EU citizens and/or residents. GDPR has nothing to do with a person’s citizenship. The regulation applies if the data controller or processor (an organization that processes data on behalf of a data controller, e.g. cloud service providers) is based in the EU or the data subject’s personal data is processed for activities and transactions that occur within the EU.

10 guiding principles of GDPR

  1. DATA MINIMIZATION – The data you collect shouldn’t be used or kept longer than what is necessary for its original stated purpose.
  2. PURPOSE LIMITATION – Collect personal data only for the specified, explicit and legitimate purposes; data must not be further processed in a way that is incompatible with those purposes (compatible use).
  3. STORAGE LIMITATION – Personally identifiable data cannot be kept longer than is necessary for the purpose for which the data is processed.
  4. LAWFUL BASIS – Processing of personal data always needs a lawful basis, e.g. valid consent, contractual relation, legal obligation, legitimate interest or vital interest.
  5. TRANSPARENCY – Data subjects must be clearly informed that data is being captured; what data, why, and by whom; and the rights of the data subjects must be clearly explained.
  6. ACCURACY – Make sure personal data is accurate and up-to-date; every reasonable effort must be made to erase or rectify inaccurate data without delay.
  7. INTEGRITY – GDPR requires appropriate protection against unauthorized and unlawful processing of data, data loss as well as unlawful access and disclosure. You must understand the risks you are causing for others (harm or damage) and mitigate them; this includes audits and monitoring, consideration of encryption or pseudonymization, and the use of advanced data protection technology in light of the possible impact of breaches.
  8. BREACH NOTIFICATION – GDPR defines notification requirements to both the supervisory authority and affected data subjects in case of personal data breach.
  9. ACCOUNTABILITY – The data controller is responsible for – and must be able to demonstrate – GDPR compliance (maintaining a record of all processing activities).
  10. DATA PORTABILITY – The right to move personal data from one service provider to another.

GDPR myth #5: Personal data is data about someone. Personal data is any information related to a natural person (‘data subject’) that can be used to directly or indirectly identify the person. It can be anything from a name, photo, or email address, to a computer IP address or cookie. But also GPS coordinates, a bank account number or vehicle registration plate. Or an inspection report or ticket booked for an FM intervention. Or even more sensitive data like payroll or health information. Often overlooked is CCTV footage or data captured by an access control system.

GDPR for FMs

Facility organizations (and their outsourced service providers) collect personally identifiable data during operations, both from their own (field) teams and building occupants. It’s vital to perform a data audit to get a detailed view of how personal data is currently collected and managed. FM organizations will indeed be expected to know what data they have on each person and where it is exactly stored. This won’t be too difficult if the data is stored centrally. However, things become more complicated if you use paper-based workflows. Or if facility data is scattered across the organization in multiple tools and spreadsheets.

GDPR myth #6: GDPR only applies to digital records. Paper records of personal data, for example, also fall under the GDPR. In fact, it does not matter what type of medium is used.

Integrated FM software (aka IWMS/CAFM) that runs on a single database keeps all data in a central repository. This makes it easier to control, update and secure information, and to avoid duplicate records and inconsistencies (‘data accuracy’ principle).

The FM department within an organization is not an island of course. As an FM leader, seek advice from your Data Privacy Officer (if this role has been created). Or align with the privacy lead within your organization to ensure GDPR compliance.

It is imperative that FMs also consider their commercial partners and service providers in terms of how they protect personal data that is entrusted to them. The data remains the responsibility of the FM. Therefore, they have a duty to make sure that their partners and service providers also play their role in meeting the demands of GDPR.

GDPR myth #7: GDPR only relates to data that has been provided by users. No, the law applies to all personal data, regardless of whether it was provided directly by the data subject or was collected indirectly.

What about FM software compliance?

Let’s be clear: software is only a tool; it doesn’t make your operations and data processing automatically GDPR compliant. But it can help make data governance and GDPR compliance easier. FM software that centralizes all data offers a clear advantage. So does the ability to give appropriate access rights. This will effectively prevent people from accessing personal data that does not concern them. With GDPR’s increased focus on data security, the ability to protect (sensitive) personal data at the source is vital. This can be done through data encryption, another key advantage that software may offer. Expect your FM software provider to understand what’s at stake and evolve their software for GDPR compliance.

At MCS Solutions, for example, we have implemented new features in the next release (March 2018) of our software platform. These modifications take into account key GDPR principles such as:

– ‘DATA MINIMIZATION’ (UDI fields replacing standard personal data fields)

– ‘THE RIGHT TO BE FORGOTTEN’ (anonymization of data)

– ‘TRACEABILITY’ (full history logging)

– ‘DATA ACCURACY’ (making it easier for data subjects to update or correct their own data)

– ‘DATA SECURITY’ (encrypting data at rest)

Flexible and modular, MCS Integrated Workplace Management System (IWMS) grows with your business and helps you tackle today’s challenges. And that includes the GDPR. Feel free to contact our team if you have questions about GDPR compliance issues.

Further reading

Here are some useful resources for more in-depth reading:

– Infographic: GDPR in 1 minute

– GDPR guidance from ICO (UK Information Commissioner’s Office)

– EU GDPR: the Union’s official website for the regulation

– The full regulation (99 articles)