Last reviewed 18 December 2019
Over one year from the introduction of the General Data Protection Regulation (GDPR), Laura King looks at levels of compliance and some areas that managers need to consider.
Over a year ago, on 25 May 2018, the General Data Protection Regulation (GDPR) came into effect in Europe. The regulation was designed to give citizens across the European Union more control over their personal data, as well as improved assurances that their data was securely protected.
The definition of personal data is relatively broad — it includes the more obvious such as names and addresses, but also encompasses any information that can be directly related back to an individual, for example data related to your location or your computer’s IP address. The regulations make no distinction regarding data from people’s personal or working life, or whether that data is collected manually or electronically.
Enshrined in the legislation are some basic rights that put individuals firmly in the driving seat. Among other rights, this includes:
the right to access (an individual is allowed to know what data is held on them, and how that data is used)
the right to be forgotten (customers have a right to have their data deleted)
the right to be informed (people have a right to know if there has been a breach of data)
the right to restrict processing (people can stop their data from being used).
Level of compliance
According to the Information Commissioner’s Office’s (ICO’s) Annual Report and Financial Statements for 2018–19, the introduction of the GDPR as well as high-profile campaigns, has led to higher public awareness around personal data. Indeed, 64% of data protection officers surveyed either agreed or strongly agreed with the statement that “I have seen an increase in customers and service users exercising their information rights since 25 May 2018” and the ICO saw a 72% increase in traffic to the areas of its website targeted at individuals.
Although the report was positive about the level of support data protection officers were given within their organisation, some recent surveys show that despite increased public interest, and the online guides and help offered by the ICO, many companies are still not compliant. For example, a recent study of 250 companies conducted on behalf of Egress, a provider of people-centric data security solutions, found that over half of companies were not GDPR compliant and nearly 40% had reported an incident to the ICO.
GDPR affects all organisations in the EU, and those in breach could face hefty fines as high as 4% of turnover or €17 million — whichever is the greater. When compared to fines under the original Data Protection Act which were set at a maximum of £500,000, this jump is quite significant.
Although no fines were issued under the new laws in 2018/2019, the ICO is starting to flex its GPDR regulatory muscles. Indeed, although 2018/2019 fines issued under the previous DPA 1998 were record-breaking and totalled around £3 million, they were a drop in the ocean compared to the £189.4 million the ICO intends to fine British Airways this year under GDPR, or the £99.2 million fine expected by hotel company, Marriot.
Considerations for Facilities Managers
These fines highlight both the seriousness of GDPR and the seriousness with which the ICO is perusing reported breaches. For facilities managers (FMs), here are some potential areas to consider.
Staff and building data
Facilities managers will likely hold a lot of data about staff, for example, identification numbers or location. To fully grasp the extent of data collection and processing, an information audit should be undertaken to understand what data is collected, why it is being collected, as well as what is done with this data. This can then identify any risks, and what action needs to be taken to mitigate the risk.
Make sure that the net is cast wide when conducting an information audit. For instance, data collected by smart building technology may need to be included, if, for example, it provides information about occupancy. Businesses must also check who has copies of their information, including sub-contractors, and ensure that those companies are also compliant.
One way to check compliance is to make sure systems are stress-tested. This would include checking how well electronic databases stand up to cyber attacks, reviewing how well data protection policies are being implemented, and looking at how easy it is to process GDPR-related requests.
CCTV is covered by GDPR and, as such, it needs adequate signage so that people know that their data is being captured, as well as who is operating the system and who to contact to find out about how the data is being used.
Access to CCTV images must also be secure so that only relevant people can see footage — for instance, displays must not be visible to the public if located at a reception desk. Images also need to be properly managed when shared with third parties (for example, the police).
One overlooked area is reception desks and sign-in books. In a survey by software company Proxyclick, 62% of visitors to a building checked who had signed in before them. This is in breach of GDPR which requires that any material that is routinely collected (manually or electronically) must be compliant.
Destruction of paper
Where paperwork is used, it needs to be stored and destroyed in a proper manner. This will often mean the use of locked bins and secure shredding. To help keep paperwork safe, one solution is to scan it and keep it in an encrypted archive.
Destruction of IT
The legislation also applies to the recycling or destruction of data held on old electronic devices such as obsolete phones or IT equipment including laptops and servers. The data needs to be properly cleared before the equipment is disposed of, re-sold, recycled or refurbished.
Full compliance requires an understanding across the company, which inevitably means that staff will need to be trained. For example, are receptionists aware of their responsibilities to ensure that personal data is not accessible by other members of the public? Is the clean desk policy properly enforced?
When looking at training, consider the following.
Do staff know what GDPR is and what it means for their job?
What processes are in place to control data?
Do staff know who to speak with regarding data protection, and what to do if they recognise a breach?
Although many companies have taken steps to address the new requirements under GDPR, there are still issues with compliance. Facilities managers are likely to handle significant amounts of data and so will have responsibilities for ensuring correct procedures are adopted within the company. Some steps to take include the following.
Conduct an audit of what data is collected and why, and review policies in relation to data collection processing and storage. This includes implementing a procedure for reporting breaches.
Understand the legal basis for processing data.
Conduct a data cleansing exercise to securely delete any data that is not necessary.
Make sure any contracts with data processors include a reference to GDPR and that any companies processing data on your behalf are compliant.
Make sure that there are clear systems in place to gain consent for data collection and processing, and that privacy information is provided to people when they give consent for their data to be collected.
Understand the rights of individuals, and make sure that you are able to process any requests.