Last May the GDPR (General Data Protection Regulation) has been introduced in the EU. Could it contain a fateful course for smart buildings? Under the new law, companies are required to protect privacy. Whoever leaks data – intentionally or through negligence – can expect fines of up to twenty million euro or up to four percent of annual turnover worldwide. Awareness of pitfalls and prospects in smart construction industry are lacking, though.

The new GDPR, applicable throughout the EU, states that all its citizens have the right that their personal data is processed in such a way that it is ‘lawful, proper and transparent’. Citizens also have the right to access and withdraw their personal data from registration, providing there are no pressing public concerns. All in all, there must be a legal basis for storage of personal data, whether it is because of security (military, airports) or through labour contract, consent, agreement or legal duty. Storage and processing of specific personal data (like race, religion, sexual preference or health) and the use of cameras (face recognition) are prohibited, unless there is a legally pressing need (hospitals, airports).

Who is responsible for personal data?

Handling these SARs (subject access requests) already pose a challenge for employers to come to terms with requests of (former) employees. The challenge for project developers of smart buildings is even the bigger due to the multitude of different systems. Who is responsible for storage and processing data of guests entering (and leaving) the building? GDPR contracts between building parties – from clients and employers to contractors and subcontractors - are becoming increasingly necessary.

Take, for instance, two examples. A smartphone entails high risks of violation of the GDPR when an employee is tracked by GPS on his or her phone and link one or more guests onto this employee during negotiations in the building. Talks between this employee and these guests may not be recorded but when a malicious hacker knows beforehand an important deal will be made and has both locations, it’s fair to say espionage is a real possibility.

Also sensors that monitor and store data for smart building processes (such as temperature, heat and lightning) contain risks. In most cases, the sensor ‘remembers’ individual preferences of employees permanently. Owners may overcome this hurdle by storing personal data temporarily, i.e. each time when a person enters or leaves the room in which sensors are installed. Another option is to use heat sensors that only measures movements of people, not their personal data, and can turn temperatures, heat and lightning on a standard setting when persons enter or leave the working space.

Can construction industry minimize personal data?

One of the best ways to secure privacy – for employees and guests alike - is data minimization, known as ‘privacy enhancing control’. Ideally, the minimization standards are determined in the design phase. After a ‘privacy impact assessment’ measures have to be taken by ICT and installation experts to separate smart building data from personal data. In case they are interconnected, malicious access to the smart building network can result in, for instance, deviating temperatures in the working place that, eventually, may lead to a shutdown of computer server rooms.

According to Jan Kerdèl, expert building management systems and member of the innovation committee to the branch organisation Techniek Nederland (formerly Uneto-VNI), smart buildings aren’t the end but just the beginning of a process in which privacy and safety are two sides of the same coin.

‘The Internet of Things (IoT) is accepted by most - if not all - clients in the construction industry’, he says. ‘According to the latest report of the Dutch NCSC (National Cyber Security Center) IoT is the main source of most virtual burglaries. Privacy violations and cyber crime are increasingly coming from within.’

On the bright side, data minimization and ‘privacy by design’ offers prospects for those in charge. It is not only – legally and technically - safer to separate building management systems from storing and processing personal data. Ensuring and executing more intelligent management of data in smart buildings also reduces data storage capacity up to forty percent and thus its costs, Smart Cities World’ states.

Are smart buildings on a fateful course?

That varies from case to case. Based on a 2018 survey of the Ponemon Institute – which sets standards for cybersecurity worldwide – costs of data leaks are between 75 and 408 USD per person affected. When tens of thousands of personal data are involved – which is often the case - these costs could thus run into hundreds of thousands of euros, not to mention reputational damage and legal penalties. The challenge for the construction industry is to determine beforehand which party is responsible for what part, as well as to develop alternatives and to test (networks of) smart buildings periodically on all GDPR protocols. Maintenance – especially by adapting the security of servers to the latest standards – also deserves more attention.

Kerdèl is rather worried. ‘Because of work pressure and lack of financial capacity, SMEs hardly have room for innovation in the area of privacy and security. The construction industry has a great need for tools but little help from outside. Without awareness and proper training, I fear that SMEs, from clients to installers, are not sufficiently prepared for the new GDPR’, he concludes.

Image: Dennis van der Heijden. Courtesy: Convert GDPR.
Source. CC BY 2.0 licence.