Bricks, Mortar and Data

15 / 03 / 2022

The building blocks of modern real estate are no longer confined to construction materials. With the proliferation of new technologies and digitalisation of the real estate sector, data protection is claiming its place in commercial real estate projects, services and transactions.

While data protection is something tenants used to fuel feuds with their management companies in the past, the use of connected devices and unchartered opportunities for the exploitation of data puts data protection at the centre of commercial and public interest.

Data protection will likely apply when operating an online service, deploying CCTV monitoring, denying someone entry for lack of vaccination or collecting energy usage data as part of an environmental, social and corporate governance (ESG) initiative. 

Do not take their word for it

Emerging technologies seem to offer efficient, effective and economic solutions to real estate problems. Tracking, scanning, monitoring and benchmarking will help optimise operations, plan ahead and drive alternative revenue streams. However, one should be sceptical about any claim that a product or service is GDPR-compliant, particularly if coming from the service provider.

Even if the core service may be uncontroversial, some desired features could be privacy intrusive and will require careful implementation. There is often confusion about what constitutes personal data. Getting this assessment wrong could put the entire project in breach of the GDPR. For example, technical energy usage data could reveal an occupier’s location or infer information about their daily routine and habits. Automated number place recognition may result in automated decision-making about the individuals, which triggers additional compliance requirements.

The Information Commissioner’s Office (ICO) is particularly vigilant when it comes to the use of CCTV and, more recently, facial recognition and biometric verification technologies. However, due to the accountability principle which requires organisations to be able to demonstrate compliance at any time, even established technologies could give rise to complaints and expose non-compliance.

Are you a controller or processor?

Landlords and property managers will typically be controllers because they determine why and how personal data is processed. Controllers are responsible for compliance with the data protection principles and obligations.

On the other hand, any third party service provider hired for specific tasks or services will typically act as processor,if services are provided on the landlord’s or property manager’s instruction. However, controllers will be responsible for their processors.

If sensitive occupier data is disclosed to a malicious third party due to the processor’s negligence or data becomes unavailable due to a system fault, this could result in liability for the landlord or property manager. This is why providers must be chosen with care, subject to appropriate due diligence assessments and data processing agreements.

Landlords and property managers could find themselves in the position of a processor if they sublicence add-on technology or over-the-top communication services to their tenants. Diligent data protection compliance will help maintain and develop these additional revenue streams.

Key steps towards GDPR compliance

  • Carry out a data map and understand your personal data.
  • In respect of each activity, establish why you process personal data and on what lawful basis.
  • Update your privacy notices and make them easily accessible by all individuals.
  • Implement appropriate data protection policies and procedures and provide training to staff.
  • Designate suitably skilled staff to look after your data protection compliance.
  • Review the reliability of your third parties and enter into appropriate agreements.
  • Review your data sharing arrangements and assess each law enforcement access request on a case-by-case basis.
  • Ensure that personal data transferred outside the UK is appropriately safeguarded and that the transfer is lawful.
  • Keep a record of your assessments, such as legitimate interest assessments, transfer impact assessments, data protection impact assessments, data breach log, information security assessments, etc.
  • Implement state of the art information security measures to safeguard personal data including regular monitoring, logging and testing.
  • Consider data protection implications early in projects.
  • Implement a responsive complaint handling and data protection rights process.
  • Register as a fee payer with the ICO.
  • Monitor the effectiveness of your compliance framework.

How do data protection principles and rules apply in practice?

The accountability principle can only be met if your data protection compliance is guided by  appropriate policies and procedures. If your staff or providers do not understand their data protection obligations, this will become the controller’s problem. 

Data must be processed lawfully which typically means that you have obtained consent, you process data to provide a service, you rely on legitimate interest or you are fulfilling a statutory obligation. For example, collecting visitor details may be necessary for your legitimate interest in ensuring the security of premises and property.

While tenants may consent to participating in an ESG initiative, most processing will probably be necessary for your legitimate interest, for example, in providing appropriate services to the public, such as lost and found, reuniting the child who got lost in the shopping mall with parents, or ensuring safety and security. Or you may process data to fulfil your legal obligations, for example, to ensure health and safety, or fulfil a duty of care.

Organisations must carry out a legitimate interest assessment to consider the purpose, necessity and impact towards the individual’s interests. Tracking data for ESG initiatives would clearly serve the wider public interest in optimising the use of commercial property and public transport, but one should judge with caution if tracking may be too intrusive.

Organisations must ensure that personal data is processed fairly. In other words, only do what the individual would reasonably expect and avoid doing anything that could have an adverse effect on the individual. For example, sharing adverse credit-related information about your tenant who is an individual with a credit referencing agency, must be approached with particular caution.

Transparency is a key part of ensuring that individuals know how their data is used and what to expect when they set foot in your premises. Typically, you should provide a privacy notice online as well as in hard copy at the reception.

The rules require clarity about the reasons why data is processed. If you are collecting user IP addresses for the provision of WiFi or email addresses through the use of an app, you need to explain each purpose for which this data will be used. Organisations really have one shot to define their purposes at the outset. They must not process personal data for any new incompatible purposes, without amending the privacy notice in the appropriate manner. Any retrospective change may require obtaining consent.

If you are collecting emissions data for an ESG initiative, you must ensure that the data is adequate, relevant and not excessive in the context of your purpose. Typically, occupier details or detailed property descriptions will not be necessary, and processing them could increase the risk of a breach of data minimisation or even a personal data breach. This also means that where you cannot control the volume of data you collect, for example, in relation to critical CCTV footage, it should only be accessible to a small number of designated and suitably qualified personnel.

You must take reasonable steps to ensure that data is accurate and up to date to be useful in fulfilling your purpose. If your CCTV does not capture a sufficiently clear image for crime detection purposes, this may defeat the purpose and result in a breach of the accuracy principle.

Data must be kept for no longer than necessary for each specific purpose. However, several years of data are likely necessary to provide useful insights for ESG benchmarking and monitoring purposes. Techniques such as anonymisation, pseudonymisation or other privacy-preserving technologies will help to justify longer retention while reducing the risk to individuals. Tenant financial details must be protected by implementing an appropriate retention period.

Special category personal data such as people’s disabilities process for building accessibility purposes or vaccination status to enforce COVID restrictions will be subject to particularly restrictive conditions. An appropriate policy document must be put in place for staff to follow. The issue with Big Data, such as the data collected through modern technologies in property management, is that even seemingly unexciting information about lighting, heating or electric consumption could be used to infer special category data about individuals, such as health conditions. Additional compliance requirements will be triggered. 

Data security is an essential part of data protection compliance. The ICO’s highest fines relate to security shortcomings, typically exposed through complaints or personal data breaches. If an organisation fails to secure data with appropriate technical and organisational measures, it will struggle mitigating its exposure to regulatory fines or awards of compensation.

Risks

One might get complacent thinking about the many organisations with suboptimal data protection compliance. However, with the general focus on this area, consumer awareness and cyber security risks, it is likely that sooner or later a compliance issue might arise.

Organisations must be prepared for individuals to submit access or information requests, for contracting parties enquiring about data protection as part of their due diligence process or the ICO asking for evidence of compliance. Without such preparedness, the much needed quick fix could come at a great cost and not even providing a meaningful long-term solution.

Any inability to provide evidence of compliance to the ICO could be an aggravating factor in its regulatory investigation. Organisations with operations in Europe are subject to a risk of fines even for trivial GDPR breaches.

There is a growing trend of claims for compensation for inadvertent disclosure of personal data and no-win-no-fee law firms specialise in this increasingly lucrative area. Whilst the courts are pushing back on trivial claims, the cost of litigation and resource allocation will be suffered, unless your organisation is ready to deal with these situations properly as soon as they arise. Ultimately, the cost of compliance will likely be lower than the cost of non-compliance.