If you are, like many other real estate professionals or landlords, considering using Proptech platforms which collect data, then this article is for you. In a business which is inherently focused on the physical world, cyber security may be a daunting concept. However, in the age of advanced analytics and GDPR, it’s increasingly important to ensure that commercial real estate businesses understand their obligations.
Whilst the commercial real estate industry has – safely said – not been a pioneer of avid technological change, over the past few years we’ve seen significant innovation in the sector.
Dubbed “Proptech”, the rising tide of technology merging itself into a traditionally conservative industry has generated an exponential amount of data. Today, whether it’s facility management software or lead generation platforms, almost all commercial real estate activities can generate large amounts of valuable data.
In the year since the EU’s General Data Protection Regulation came into effect, many businesses are still scrambling to comprehend the legislation. GDPR has dramatically pushed data privacy into the spotlight, with the effects reaching far beyond Europe’s borders. The results represent a wake up call to businesses of all shapes and sizes collecting, storing and using data.
This has multiple implications for landlords as well as businesses who own their own building. To help clarify these murky waters, I reached out to our legal advisor at Office App, GDPR compliance expert Chayenne van Lavieren, a lawyer at Pels Rijcken. Whilst there are many finite responses to data security, she says, it all starts by knowing your responsibilities and your product.
The first thing is to simply check and map what data is being processed by your business, to define your responsibility as data controller (a legal advisor can provide advice), and make sure the processing of personal data is based on lawful grounds (e.g. collecting the necessary permission for the performance of a contract).
Establish a specified, explicit and legitimate purpose for the collection of the personal data with the Proptech platform you’re using.
Appoint a DPO (data protection officer) or external equivalent and make a plan to review your GDPR compliance each year, measure risks and evaluate third-party suppliers. Only engage with companies who put data privacy and security first.
Make sure you have a valid data processing agreement signed with third-party vendors that process personal data on your behalf. In the event of a data breach, this can mitigate legal responsibility.
Carry out a data protection impact assessment when the data collection may result in a high risk to the rights and freedoms of natural persons.
Make sure to inform the users of the Proptech platform (your employees or tenants) on what you do with their personal data, on what grounds, for what reasons and what security measures are taken. Also point out their rights under the GDPR (e.g. the right to be forgotten and the right to data portability).
Data privacy in the age of GDPR
“Make sure you understand your obligations and your responsibilities under the GDPR. Know exactly what personal data you process, why you process this data and if you have taken sufficient security measures.” Chayenne says.
The basics of the GDPR mean that any company which collects data must make sure the processing of personal data is based on lawful grounds (e.g. data-subject consent, or necessity for the performance of a contract) and be transparent to persons in how their data is used.
The legislation also gives individuals the rights to their own data, pushing privacy and security to the forefront of compliance. The risk of failing to comply with this new law can put companies out of pocket and result in a negative stigma and bad press.
For instance, take one of the most recent and biggest fines in the real estate sector. SERGIC, a property development company, was fined €400,000 for failing to comply with GDPR. The company was confronted by the French watchdog for both failing to protect user data and put in place adequate data retention periods. And they’re not alone. According to a recent Capgemini study, a third of companies believe that they’re not yet complying with GDPR.
The rise and rise of Proptech
Over the same period of time, commercial real estate & property focused technology – Proptech – has seen extraordinary growth. Fueled by rapid technological advances in artificial intelligence, the internet of things and advanced analytics, a new hybrid of businesses has been created offering a bridge between physical spaces and the cloud.
Dubbed “the future of real estate”, this relatively new phenomenon joins more established players including Fintech and Edtech on the Silicon Valley trail. The first wave of Proptech successes, think Airbnb, have become household names. From these early examples digging into a slice of the sharing economy pie, investors began to catch on to a new trend in tech.
Suddenly a sector which traditionally was slow to catch on to new technologies became infatuated with innovation, raising $12 billion last year in funding. And as we enter the maturing phase for an industry ready for disruption, Proptech shows no signs of slowing down.
What’s the risk to the commercial real estate sector?
Alongside GDPR, the growth in Proptech and big data analytics has brought a new awareness of cyber security to the commercial real estate industry.
And this is where it gets a bit tricky.
Whilst I won’t go into depth here regarding the obligations for commercial landlords under GDPR in this article (here’s a comprehensive document on the subject), I will expand on why it’s important to review your third-party data-processors.
“If you’re using a third-party’s software, the risk of non-compliance is not outsourced. A data controller (you) that engages with data processors (the proptech platform), is still responsible for the processing of personal data by that processor (and in many cases, sub-processor). In case of a security breach, due to e.g. a software hack, the data controller is often liable.”
“Any company that collects data is responsible for securing their own software and should take appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the data collected.”
“It is your responsibility to ensure that a provider (processor) adequately manages the data on your behalf. A solid data processing agreement can be helpful in defining responsibilities and divert liabilities,” says Chayenne.
Data collector under a GDPR
“In order to secure personal data when using a proptech platform, you may have to appoint a DPO, carry out a data protection impact assessment when the data collection is a high risk to the rights and freedoms of natural persons and frequently audit your processors and sub processors. It’s important to make sure this right to audit is laid down in the data processing agreement with the processor.”
It’s critical that you don’t presume that every proptech company takes cyber security or GDPR compliance seriously. This is the first mistake that many companies make initially and the only way to rectify it is by doing your due diligence. Make sure you regularly audit any third-party vendors’ processes and subcontractors to mitigate risk for your business.
“Third parties are obliged to take appropriate technological security measures under the GDPR. For instance, if they store the data in a data centre, technological and organizational security measures must be taken with the objective to protect any data collected against loss, misuse and unauthorized access, alteration, disclosure or destruction,” she says.
“Such measures can be the pseudonymisation and encryption of personal data or to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”.
This includes only letting authorized people enter the building, undertaking thorough background checks for all staff and contractors, securing the software to prevent data breaches, having up-to-date contracts signed and not outsourcing any GDPR-related services themselves without written approval.
To round off, it’s important to closely manage your vendors and review the processes of every third-party who processes data on your behalf. If a vendor is not up to scratch in the department, it’s time to look for a company that is. In the case of engaging into a new agreement with a third-party, thoroughly vetting companies in advance is a must.