Buildings around the world are becoming smart. It is possible to track the activity of the users of these buildings, connect customers with special offers and even analyse their moods. Technology enabling such analysis is used, for example, in shopping centres to have a better understanding of the activities of building users or at offices to create more effective and harmonious workplaces. Before such technology is introduced to a company’s buildings, the GDPR and local laws should give pause for thought.
It’s all about staying on top of the competition
Nowadays it is possible to control various systems in a building, such as lighting, water usage and heating, through smart technologies. It’s the new normal if an office car park elevator knows which employee is walking towards it and is ready to take the person to the right floor without the person separately choosing the floor in the elevator. Knowing the number of users inside a public building, the average time spent inside the building and the most popular walking routes in the building are becoming important parts of the so-called people analysis for many businesses.
It is clear that smart systems are becoming increasingly popular and the use of smart building technologies will only evolve. In many business sectors, being on top of the competition even requires riding the wave of smart technology. Naturally, nobody wants their business to fall behind.
Stop and think
We at D&I have had the pleasure of seeing the revolution of smart buildings at the forefront and being part of developing new ways to serve our client’s customers and helping our clients to make their offices nicer and more efficient places to work. Starting from questions related to finding ways to help employees to locate free working spots at an office by using location technology and moving to assess the lawfulness of mood recognition in public buildings has provided us with a wide range of visibility to different smart building possibilities.
From our experience, introducing smart technologies to a company’s buildings should not be rushed – not even for the sake of staying on top of the competition. Instead, legal analysis from, e.g., data protection point of view should always be an integral step before the introduction of new smart technologies. The sooner this step is taken, the better.
Usually the first questions to be asked and answered when assessing the new possibilities seem very simple. Is the data personal data? In what ways can relevant data be extracted? What kind of data is to be collected? Does the company have the right to process such data and how could the necessary legal basis be obtained? What measures should be taken to protect the rights of a person visiting the building? Who are the data subjects – employees or customers?
Sometimes it turns out that the simplest questions are the hardest ones. For example, information capable of amounting to personal data is wide and varied and, hence, identifying whether certain information falls within its meaning may be complex. Essentially, anything that may relate to an individual can fall within the definition. Also, when an individual can be identified from combining information from several databases of a company, the data will amount to personal data.
Anonymisation may be the key
But what if the data is anonymous or anonymised – could this be the key to introduce smart technologies to buildings in a more simple way?
When carried out effectively, anonymisation can be used to protect the privacy rights of individuals. When anonymising personal data, the data is modified with the result that there is and remains no connection of data with an individual and, in consequence, the GDPR does not apply to such data. Therefore, in many cases, anonymisation may be the key.
However, if the objective of data anonymisation is to be safely out of the GDPR’s scope, it must be carried out with due care and utmost diligence. For example, location data, which is often used in smart building technologies, is rarely anonymised just by removing the identities of data subjects or by partially encrypting some attributes. This is because the mobility patterns of individuals may be unique and, therefore, identifiable. Also, it should be kept in mind that the activity of anonymising data itself is considered being processing of personal data. In practice this means that even if the data collected from smart buildings is being quickly anonymised, personal data may still be processed and the GDPR could apply.
Another important aspect to be noted is that the measures for data collecting might be under specific regulation. For example, collection of location data often requires the possibility of capturing device signals which is subject to conditions laid down in the electronic communications legislation.
So where to start?
The essential element in developing smart buildings business is to understand thoroughly the technology and its effects and identify the challenges of the desired outcomes – regardless of whether they are related to the nature of data, the challenges of anonymisation or the group of data subjects. Just to name a few.