24 June 2019

Building for the future: Is your data protection as smart as your buildings?

With an estimated global revenue of £6.7 billion next year, smart buildings in the commercial and residential markets are popping up in major cities across the UK. Marketed as a means to improve asset reliability, reduce energy consumption and optimise use of space, whilst allowing for more intelligently designed living and working spaces, technology is gate-crashing the property world in ways it never has before.

By using automated processes to control how buildings operate, smart buildings are changing the way we work and live. Technology, in the form of sensors, actuators and microchips, can be used to collect and manage data based on the needs, lifestyle and preferences of building operators and end users, delivering a uniquely tailored experience.

At present, smart buildings can control operations such as heating, ventilation, air-conditioning, lighting and security, though, in this swiftly expanding market, further technological advances are on the horizon and destined to impact upon the property landscape.

Amongst the rush to keep up with developments, the question is, how does this relate to personal data and potential risks to individuals?

When operational, a smart building will be collecting large amounts of data, and some of this data may be personal data. Personal data is information relating to natural persons who can be identified or who are identifiable, either directly from the information in question or indirectly from that information in combination with other information. Identifiers can include, but are not limited to, name, identification number, location data and online identifiers such as IP addresses and cookies. Whilst data which simply monitors temperatures or numbers of users may not identify individuals, data collected may also include user information in apps used to communicate with the building’s systems, and data such as that from camera systems, access fobs or fingerprint sensors, which is more clearly linked with an individual user. Personal data is subject to the UK’s data protection regime under the General Data Protection Regulation and the Data Protection Act 2018 (Data Protection Legislation).

Data Protection Legislation requires a privacy impact assessment for any system that collects and processes data where, for example, there is extensive automated profiling with significant effects on individuals or systematic monitoring of public areas on a large scale. The need for a privacy impact assessment should be considered (and, if appropriate, the assessment should be carried out) prior to construction of smart buildings. The assessment should consider and report on the nature, scope, context and purposes of data processing, and it should also assess the necessity, proportionality and compliance measures linked to the data use. Importantly, the assessment should identify and assess risks to individuals and identify measures to mitigate those risks. This exercise contributes to the development and design process, as it highlights concerns or potential data weaknesses which can be dealt with at the outset by means of enhanced security or integrity measures, or by minimising the amount of data collected or the period for which it is retained.

End users, including tenants, are also becoming increasingly savvy in respect of their data protection rights and want confirmation that these issues have been properly considered in the areas in which they live and work. Alongside the privacy impact assessment, operators of smart buildings should have transparent and accessible privacy policies in place which building users can consult to understand what data is collected, the purpose of the processing, how long data is held for and their rights to access or otherwise deal with such data. These policies should be available and kept up to date throughout the life of the smart building. Technology is constantly evolving, and as the systems are modernised, the type of data and how this data is used might also change, along with the security measures needed to protect the data. Any material update will require a renewed privacy impact assessment to ensure that personal data is properly considered and managed.

Organisations should also consider how they deal with data breaches. Under the Data Protection Legislation, organisations that control personal data have only 72 hours to notify the Information Commissioner’s Office of a personal data breach. Much has been written in recent times about the consequences of failing to notify a breach when required to do so, and it is important to have clear and effective procedures in place to react to any security incident.

The above steps place organisations in a far better position to ensure that adequate security measures are put in place at the outset and are continuously monitored and updated. They also help organisations to evidence compliance with the accountability principle set out in the Data Protection Legislation, by providing an evidence trail showing that data protection issues have been properly considered from the outset.

The Shulmans Commercial team has extensive experience in providing data protection advice and compliance support for organisations, along with reactive, pragmatic solutions and support when a business suffers a security incident that may involve personal data. Please get in touch with any member of the team if you would like to know more or to discuss how we can help support you.