Data In The Built Environment and GDPR, Friends or Enemies?
Nick Kirby
Managing Associate, Mishcon de Reya, London UK
Right hi everyone; I am Nick Kirby, Managing Associate at Mishcon de Reya. I am also our firm’s real estate technology specialist. Part of my role as being the technology specialist is to run our real estate category for MDR Lab which is our in-house incubator and I also build relationships with start-ups that we might be thinking, we might think might be interesting for our Lab or that our clients will find interesting because they will change the way that property is owned and managed in the future. So today I am going to talk a bit about GDPR and how data collected in the built environment will be affected by GDPR. So we are going to talk about, a bit about data you might be collecting now either intentionally or inadvertently. What data you could be collecting in using the technology that’s available at today’s date and what does the future look like and then I am going to cover how GDPR will impact the data that’s going to be collected. So for those of you that are only here because you are panicking about GDPR, please don’t worry, I am going to cover some hints and tips to get GDPR compliant and then we are going to hand out our top ten tips at the end and there are two people handing those out so you can collect those.
So what is GDPR? It’s the General Data Protection Regulation. It was adopted on the 27 April 2016 so you know really we’ve had a long time to get to grips with it but I think you know to be fair to everyone, no one’s really given it enough thought until very recently. It comes into force in about three weeks on the 25 May 2018 and GDPR is a European law so unfortunately I’m going to have to mention Brexit – sorry. Our UK version is called the Data Protection Bill. It’s going through Parliament at the moment. Its aim is to put something materially similar in place and we want the UK rules to be materially similar because we want to be able to have this adequacy finding which means that we can move data to and from the EU. GDPR is all about the protection of individuals and their personal data and it’s about making businesses accountable and transparent. So most of you are probably here representing your company but many of the businesses that you will interact with on a daily basis will be holding data on you as an individual and when I say put your consumer hat on when you are thinking about GDPR, it is worth taking a step back and just thinking ‘how would you want those businesses to use and process your personal data’. So what is personal data? The definition in the legislation is so wide I think it pretty much covers any information you are going to hold on an individual and there are numerous sort of obvious things that would be considered to be personal information like someone’s name, their email address, maybe their physical address and then there are some less obvious examples like location data or maybe where people have recently visited so their shopping habits. 
As an example, Mark Zuckerberg was asked by the US Senate which hotel did you stay in last night or who have you messaged in the last few weeks and he didn’t want to answer that question and I imagine that’s because he considered those things to be his personal data that he didn’t want anyone to know.
So as I mentioned I am going to cover what could you collect, what are you collecting now so whether or not you’re doing so intentionally, you are going to be collecting personal data if you own or manage a building. At your reception desk you might have a security guard who collects business cards and he uses those business cards to print off security passes to make things quick and easy. You might even keep some of that information, maybe put it into a CRM system. Maybe you have free Wi-Fi in your building, in your property and in order to use that the individual has to log in, give you their email address, maybe give you their birthday and you know, if you have CCTV maybe in combination with the log book of people arriving, you have that video that could now become personal information because you can identify the person in the video as the person who signed in at the same time. The point being that almost everyone is going to be collecting personal data on a daily basis and they will need to consider what to do with it as part of GDPR.
So what could you collect now if you used some of the latest technology that’s out there? So as I mentioned earlier we’ve been building relationships with start-ups that we think our clients will find interesting because they’ll change the way the built environment is owned and managed in the future. Those start-ups are likely to be collecting and processing personal information to facilitate their success so some of those start-ups are presenting at our stand, it’s number 24, so please do go and visit them and have a look at what they are about. So one that I’d like to mention is Hoxton Analytics. They are a market leading footfall company, they provide 95% accurate footfall, 80% accurate gender recognition, they can track outside traffic, in-store occupancy, 12 x group size, demographic and brand recognition. So you know that provides real time data with rich analysis. Another one of the start-ups that we work with is a company called Savvy. They are very new and they’re working with landlords to enable them to offer their buildings as a service, to occupiers, employees and create building communities. The service will organically create data and provide real time analytics to landlords and enabling them to make informed decisions backed by data not opinion and they are doing this by connecting the people and the employees within these buildings to a local marketplace of providers and services helping them to improve their workplace experience and engagement. High definition satellite imagery might be used to give you a macro view of what’s going on in your building you know, what are people doing, where are they coming from, how is traffic arriving, how many people are coming to your building. Autonomous vehicle networks in the future will enable companies to track people from where they’ve been, when they arrive at your building and where they go afterwards. Much like you can do online. 
So online Google can track where you’ve shopped, what you buy and where you go afterwards and so I imagine that these AV networks will allow the built environment to do something quite similar and I think the same with facial recognition you know, if it’s widely adopted and consumers accept it, it will allow the built environment to display bespoke adverts to people that arrive at their building much like again you can do online. Google can advertise to me because it knows who I am and it can give me relevant adverts directly on each page that I land on. So you know if all of this additional data is collected there’s no doubt all of the businesses that hold it are going to need to become experts in using AI systems to process the data in order to actually gather powerful insight about what buildings are being used properly and which are most efficient.
So how will GDPR affect all of this data? The two key themes of the GDPR are transparency which is telling people what you are going to do with their data in a clear language and accountability which is being able to show what you’ve done is in accordance with the law. Businesses will need to get used to using plain speaking language and explaining their compliance more often. As some of you may know, any individual can request that you provide them with a copy of all the personal data you hold. So with way more publicity about what rights people have and the dropping of the ten pound fee, you should all expect that more subject access requests will be made and you need to respond within a month so you need to understand what you have and where it is. Expect more people to claim one of the other rights they’ve got so correction, deletion, rectification and portability. So the big headline for GDPR has always been the damages. It’s now 20 million or 4% of global turnover which could be a massive number. The ICO has tried to dampen down that issue but we’ll just have to see where it goes.
In our view the bigger concern for businesses is, is private litigation. So claims for damages and distress or reputation loss. You know every business should have a reputation management strategy in place for dealing with a data breach. It will be very hard to manage what you need to do when you are in the middle of a crisis.
I don’t have enough time to go through this slide in detail but just remember that your employees are data subjects too. If you are going to be tracking what they are doing on a more detailed level you will be holding loads of personal information about them and it’s worth understanding what you hold and whether or not you need to hold it. You know, do you need to hold all of the old employee records? Just imagine if one of those old employees asks you for their personal data and you hold it, you have to provide it. It’s very important also to train your employees properly because you want to reduce the risk of a GDPR breach occurring.
So it really is vital to understand what types of data you hold before a potential incident occurs. Knowing the risks and the privacy impact of each data type will enable you to protect your organisation and your data subjects properly. Generally required to notify the ICO and the data subjects of any serious breach within 72 hours so if you can imagine that your employee leaves a laptop on a train on a Friday night, you really don’t have long to deal with that. So that’s why we are saying it is very important to have a proper plan in place with what you need to do in those circumstances and it’s not enough to be saying that you are working towards compliance. You need to have and you need to be able to demonstrate that you’ve got thorough protective technical and organisational measures in place. You have got to think about your third party suppliers that are processing your data. If there are any you need to have an agreement in place with them and it’s equally important to think about the reputation of damage that might occur if one of them does something wrong because ultimately you’ll be the one in the press. You might be able to blame them for the mistake but ultimately they will have lost your data so you need to be careful about what you let them do. And in the rush to be compliant, don’t forget to protect the information that matters most. Your crown jewels. The GDPR requires organisations to take appropriate and protective steps to protect data so this means you need to be able to demonstrate that you’ve got the right cyber security controls for the sensitivity that you hold.
So I’ve talked a bit about you know, using and processing data and if you are going to use personal data once you’ve collected it you need to have a lawful reason for processing that data. So I’ve listed a few of the examples from the legislation up there but there are more of them. For example, obtaining a proper consent from an individual under GDPR is really, really difficult and it’s much easier to try and rely on one of the other limbs of lawful reasons so it’s necessary for the purposes of the legitimate interests of your business. It really is a very complex area and it’s obviously brand new so the one thing I would say is if you are processing data make sure you get bespoke advice on your specific set of facts.
So I thought I’d just quickly summarise some take home points about what I’ve talked about, the key things that you need to know. Know what data you hold, that’s very important. Be clear about what you are doing with the data. Be prepared to be accountable. Have a clear plan in case something goes wrong and make sure you document it. You need to have actual documents setting out what your plan is, what you’re doing with data and what you hold. It is not enough to say we did that but we didn’t write it down. And if you are processing data make sure you have a lawful reason for processing it in the data that you are collecting in the built environment. So that’s it from me, I think we’re running really short on time so if you do have any questions then feel free to email any of the guys on my slide and as I said, please do go up and collect our top ten tips on GDPR. Thanks very much.