Are your office data privacy policies up-to-date?
Keep your data safe through the HqOS operating system.
Data Privacy and the Office: Why Does it Matter?
The logistics around where, when, and how people work have changed drastically within the past year. To triumph over hybrid workplace models and evolving health and safety regulations, commercial landlords and property teams have to navigate uncertain waters and ensure that buildings remain a safe workplace environment, as well as discover new and unique ways to retain and attract talent by focusing directly on the needs of their building occupants. Fortunately, property technology — otherwise known as proptech — can help teams meet all of these needs and more.
What is Data Privacy?
Before we dive into modern office best practices, we first need to define data privacy, and address the question: Why is data privacy important?
According to cybersecurity experts Varonis, data privacy or information privacy is a branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations. More specifically, practical data privacy concerns often revolve around whether or how data is shared with third parties, how data is legally collected or stored, and regulatory restrictions such as GDPR, HIPAA, GLBA, or CCPA.
These security and compliance practices are important for two reasons. The first is that in today’s world, many companies have found immense value in data collection practices. For the office specifically, data collection can bring property teams closer to their end-users than ever before, and serve as a competitive advantage in a challenging industry. In order to build trust and display accountability with partners and customers, companies need to remain transparent about their data collection practices — including how they abide by privacy policies, request consent, and manage and use the data that they collect.
Secondly, data privacy is a personal right. Customers have the right to privacy, no matter where they are or how their data is being collected. This means that companies need to account for the personal safety of their end-users by combining data privacy practices with data security practices that protect this data from internal and external crises. For these reasons alone, the benefits of data privacy across all industries are clear: in order to leverage data in a meaningful way, you need to protect it in a meaningful way for both your company and your customers.
The Different Data Privacy Laws
There are many approaches to data privacy laws by country, as well as data privacy laws by state. Together, they form a patchwork of laws and regulations that address data collection, storage, and sharing needs across every industry.
According to Osano, “the US has hundreds of data privacy and data security laws among its states, territories, and localities. Currently, 25 US state attorney generals oversee data privacy laws governing the collection, storage, safeguarding, disposal, and use of personal data collected from their residents, especially regarding data breach notifications and the security of Social Security numbers. Some apply only to governmental entities, some apply only to private entities, and some apply to both.”
How to Manage Data Privacy Policies for the Office
Commercial real estate (CRE) companies collect and handle a lot of information, ranging from personal information to financial information. In order to mitigate risk associated with collecting this data, NAIOP suggests 10 actions that CRE teams can take to remain proactive and transparent:
- Prioritize cybersecurity and privacy as an organization: One of the most important parts of reducing data privacy breaches is aligning with key stakeholders, including those who would be at-risk in a security incident. As NAIOP states, “addressing them is an organizational imperative. While the company’s information technology group can lead the effort, the involvement and support of the greater organization is critical to the success of any cybersecurity and data privacy initiative.”
- Understand what you collect and why: Creating an inventory of company-held data will account for all systems and storage locations, as well as employee-owned devices if possible. This should include a detailed list of data, their purposes, and the applications or systems used to store or access it.
- Evaluate the legal obligations: Organizations should have a good understanding of what legal obligations apply to the data they’ve collected, whether from contracts with third parties or from state and federal data privacy and security laws.
- Evaluate risks from connected building systems: Though Internet of Things (IoT) devices are incredibly valuable, they also present a certain amount of risk to any organization. Therefore, CRE companies should pay attention to internet-connected systems, as well as exercise caution during the implementation process.
- Incorporate privacy and cybersecurity in tenant agreements: To further reduce risk, organizations should consider addressing data privacy in the terms of tenant agreements. NAIOP provides the following scenario: “Examples include leases in which the tenant relies on the landlord to deliver IT services such as wireless internet or other IT infrastructure, and those in which a tenants’ IT systems are integrated with building management systems operated by the landlord. In either case, parties should consider clearly agreeing in writing on the duties that apply – and do not apply – to each party to protect the security and confidentiality of the services, systems or data involved. The agreement should also address who will be responsible for damages caused by a cybersecurity incident that affects those services, systems or data.”
- Vet your service providers: Third-party vendors will always pose a risk to a company, even if the organization’s own policies are well developed. Thus, CRE companies should thoroughly examine procurement procedures to identify if and when vendors need access to company systems or data. This will allow teams to ensure that vendors can uphold any internal privacy and information security policies and standards.
- Prepare an incident response plan: If an incident occurs, an organization will need a documented response plan. It should include assigned roles and responsibilities on the incident response team; steps to identify, investigate, contain, and remediate security incidents; when and how to engage with external resources; a strategic communications plan about the incident; and how to address any legal obligations that may arise.
- Consider cyber liability coverage: According to NAIOP, when traditional insurance policies don’t provide the necessary protections in the case of a cybersecurity incident, “the organization can purchase specialized cyber liability insurance that covers the organization’s exposure to the wide spectrum of issues arising from privacy and cybersecurity incidents. Coverage under those policies varies widely. There is no standard policy form and individual policies can contain substantial differences on what is covered, when coverage is triggered, and what events are excluded.”
HqO and Data Security
As you embark on your journey to find the best data security practices for your organization, you’ll need a way to determine the quality of the technology partners you find for the office. The solution resides in HqO’s marketplace of pre-vetted systems and amenity providers. By leveraging the HqOS™ Marketplace to procure new partners, commercial office owners can shop for technologies they know will be interoperable with the overall platform, and whose business relationships and deal structures are already in place.
Additionally, landlords and property teams can trust that each HqO partner, as well as HqO’s dedicated team of technology experts, follows the latest safety protocols to ensure that each technology is the best fit for your business. Below are just a few of the protocols that HqO follows to ensure safe handling of any corporation’s information:
- Technology leadership reviews user access on a quarterly basis. Logical Access is modified on an as-needed basis dependent on the results of the access review consistent with the Access Management policy.
- Customer access is reviewed on at least an annual basis. Logical Access is modified on an as-needed basis dependent on the results of the access review consistent with the HqO Access Management policy. HqO uses a multi-tenant architecture model that programmatically segregates each customer’s data from that of other customers.
- In the HqO platform, a role/permission-based permissioning scheme is used to limit user, customer and staff access so that each can view and interface only with the data they should have access to. Resources are protected through the use of native system security that identifies and authenticates users and validates access requests against the users’ authorized roles. Pre-defined security groups are utilized to assign role-based access privileges to the in-scope systems.
- Passwords are an important part of HqO’s efforts to protect its technology systems and information assets by helping ensure that only approved individuals can access these systems and assets. For staff access to high-risk systems, additional authentication methods that provide higher levels of assurance and accountability than passwords are used, like two-factor authentication. For these systems, passwords must be a minimum of 12 characters and must be updated quarterly.
- When a staff member is onboarded, the access they are granted is determined by their job function. A checklist confirming that the staff member has received the correct access is documented. When a staff member requires a different level of access, the staff member must submit a form to the Information Security Team. The request is logged, audited, and executed by a member of the Information Security Team.

Our team of experts can also help consult across tech stack implementation and interoperability; third-party assessment, procurement, and management; evolving compliance frameworks; data capture and transparency; and building access and facility management systems. Not only can our product improve upon workplace environments and make them more desirable for building occupants, but it can also resolve safety concerns relating to data and information.
To learn more about how we heighten your company’s security, as well as improve your building’s technology systems, schedule a free demo today.
Disclaimer: This is not legal advice from HqO, but only a guide to understanding data privacy and security in the industry as far as HqO is concerned.