How to Make Office Buildings People-Oriented While Complying with Privacy Regulations such as the GDPR
Data privacy is on everyone’s lips. This is exactly how it is supposed to be. Nowadays, data means power. This entails consequences – both good and bad. All too often we hear news about data abuse that can discredit individuals, ruin companies or even lead to major national crises.
Smart Buildings rely on data; big data. What might seem an impossible undertaking after the implementation of the GDPR, does in fact not have to be a trade-off if you play by the rules and consider the 8 Principles Employee Privacy in Smart Buildings.
This article points out why the GDPR and other regulations are no reason to panic
With the implementation of the General Data Protection Regulation (GDPR), which was put into effect as of 25 May 2018, the European Union took a stand on the significance of data privacy. The GDPR is structured around six key principles:
- Transparency on how data will be used and what it will be used for.
- Ensuring that the data collected is used only for the purposes explicitly specified at the time of collection.
- Limiting the data collection to what is necessary to serve the purpose for which it is collected.
- Ensuring the data is accurate.
- Storing the data for only as long as necessary within its intended purpose.
- Prevention against unauthorized use or accidental loss of the data through the deployment of appropriate security measures.
The GDPR is a European regulation designed to harmonise data protection law across the EU. Its intention is to improve the rights of individuals with regard to their personal data and its protection. The regulation applies to all EU-based businesses, as well as anyone processing the personal data of EU citizens.
An alleged trade-off for Corporate Real Estate Professionals
The public is increasingly sensitive about data protection, while companies are predominantly interested in making objective, data-based decisions. Cost pressure and a lack of overview over a company’s second largest cost factor, real estate, force corporate real estate and facilities managers to become active.
At first glance, this might appear to be a typical trade-off. However, by abiding by the applicable law and common sense this alleged trade-off can be transformed into a win-win situation for all involved parties.
8 principles to adhere to in order to combine the privacy interest of your company and individuals
Admittedly, modern office buildings are a treasure trove for data collectors. Just think of the abundance of information you can gather from employee behaviour and working patterns. The advent of big data, the Internet of Things (IoT) and machine learning enhance the possibilities, bearing enormous potential for workspace analytics. However, regardless of what kind of information you are looking for, whether it is space utilisation or insights into mobility and collaboration behaviour, there are rules you must follow to prevent abuse of data. By considering 8 principles, companies can receive detailed information while complying with privacy regulations.
1 – Respect Personal Data
Do not save personal data but rather anonymise any kind of identifier and aggregate the data before analyzing. A strict anonymisation safeguards your employees’ privacy.
2 – Do not observe and control your employees
Unless you fulfill the following three conditions when collecting data, you must not monitor your employees as you are not able to protect personality rights:
- The existence of a clearly overriding interest.
- A proportionality between the employer’s interest in monitoring and the employee’s interest in not being monitored.
- The involvement of employees regarding planning, establishing and operating times of the monitoring and control systems as well as the storage duration of the collected data.
3 – Stick to the to laws and regulations
You must establish strong internal IT privacy principles and stick to local and international laws and regulations, e.g. the GDPR.
4 – Check what kind of data sources you already have
Your company already possesses a lot of data. Your office building, for example, is a veritable goldmine of information. Rather than developing collecting mania, focus on the data you already have, you are allowed to use and you really need.
5 – Retain control of your data
The best way to keep track of data is to keep it within your radius of operations, also geographically speaking. Having control over your data automatically includes the integration of relevant security measures.
6 – Define who gets access to which data
Not everyone needs access to all data; this would be neither helpful nor necessary. In order to prevent overextension and potential abuse of data, data access rights must be provisioned according to clearly defined roles.
7 – Be transparent about why, how and what you measure
haring the purpose and outcome of the analysis of your measurements with the persons concerned may not only be required by laws or regulations but also helps building trust and acceptance.
8 – Keep your eyes and ears open
Big data is a buzzword and depending on the solution you are looking for you will find a large quantity of solution providers. It is therefore all the more important to rely on trustworthy companies and their established solutions.
Locatee Analytics implements strong measures to protect your employees‘ privacy and complies with local and international privacy laws and regulations
Locatee supports companies to intelligently optimise their office buildings across an entire real estate portfolio and shape the way people interact with their workspace, with the patented Workplace Analytics solution Locatee. The software analyses real-time connections of employee devices, such as laptops, with the existing network infrastructure. It allows insights into space utilisation, mobility and collaboration behaviour of the entire organisation.
The solution’s real-time space utilisation capabilities undisputedly raise data protection issues: Is a company allowed to capture such data for workspace optimisation purposes? – Yes, and here is why.
The real-time recording of office utilisation enables the regular review and optimisation of the workplace concept regarding efficiency and appropriateness. Typically, a company is interested in how often a workplace is available or utilised in a certain time period, whereas whom it is used by is not of interest. Based on the quantity of people working in the office building at certain periods, HVAC systems and cleaning cycles can be adjusted and optimised.
Strict anonymisation
Locatee highly values privacy and security and therefore implements strong measures to comply with local and international laws and regulations. In order to preserve the employees’ interests, Locatee pursues the so-called “Privacy by Design” approach. This includes technical measures that prevent behavioural surveillance and provide maximum data protection. Even in the case of unauthorised access to the data base level, it would not be possible to retrieve information on individuals. Regardless of the level of detail of the analysed data, your employees’ privacy has top priority. No personal data are being saved and only irreversibly anonymised and aggregated data is stored.
Consequent aggregation
For the data analysis on a team level, Locatee ensures that each team consists of at least 10 employees to prevent statements about the behaviour of a single employee based on the exclusion principle. The only exception to this rule is the employee app, through which employees have the choice to opt-in/-out if they want to be found by their colleagues. However, even when opted-in, individual data is only used for the live view and is not stored for historical analysis.
Use data from, and keep it within your company network
Locatee’s software-only approach to workspace optimisation is based on the rationale that the customer requires no upfront investment in new costly infrastructure. The Locatee Analytics platform is based on existing IT infrastructure, with LAN and Wi-Fi networks used as primary data sources. Thus, no additional hardware-installations are required. The data remain in control of your company as the application is installed on premise, in your company’s own data centre. No data leaves your IT infrastructure at any time.
Role Based Access Model
The insights are provided via a web interface, which is protected by access control. To prevent potential abuse of data, a role-based access model ensures that only authorized personnel can analyse the collected data. These roles can be defined depending on the employee’s area of responsibility and the information they require. Usually, access is limited to specific roles within the corporate real estate department.
Transparent communication
Besides technical and organisational measures, Locatee recommends and supports a transparent communication towards your employees. It is essential to inform every involved stakeholder about the implementation of Locatee Analytics and its reasonableness to prevent any uncertainties or obscurities that may arise.
In close collaboration with customers, the in-house developed solution has been implemented by some of the largest organisations nation- and worldwide. Locatee Analytics is trusted by companies like ABB, Zurich Insurance, Swiss Post, Biogen and UPC.
What does GDPR mean for Locatee?
As an internationally acting company with customers on several continents, Locatee too must ensure that the General Data Protection Regulation is met.
This new EU data protection law represents a huge shake-up for some companies, who had (or still have) to rethink their internal processes as well as their solution portfolio. For Locatee, however, the introduction of this regulation endorsed the Privacy (and Data Protection) by Default and by Design approach that had been considered in Locatee Analytics from its very beginning. As the above-mentioned key principles form the foundation of Locatee’s product development, GDPR compliance is not a problem, neither for Locatee, nor for your company.
Locatee is committed to continue to comply with the GDPR across all provided services. Individual privacy will stay a top priority when it comes to data analysis.
Let’s sum up how Locatee can help you
Gaining detailed insights while observing privacy and security regulations is an interplay between your company and the solution provider and means exercising responsibility for both sides. While it is your company’s obligation to ensure that the collected data and the software is not used in any way that is unlawful, illegal, fraudulent or harmful, Locatee supports you with the following:
- Enable you to gain insights into space utilisation for optimisations;
- fully protect your employees’ privacy;
- comply with local and international data protection regulations;
- prevent unauthorized access to Locatee Analytics utilisation data;
- discuss data protection with involved stakeholders such as your workers’ council and the IT security officer as part of the rollout;
- build trust by supporting transparent communication about the purpose and outcome of data analysis.
Now it’s your turn
Do you want to learn more about how your company can extract more out of already existing data? Or do you have questions regarding the safeguarding of your employees’ privacy?
Please call us, write an email to info@locatee.ch or request a demo through the “Get Started” button at the top of the page.