From 25 May 2018, the EU General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive. It places far greater demands on FM organisations regarding the management and security of personal data. Crucially, the penalties for non-compliance are tiered: depending on the obligation breached, administrative fines can reach €10 million or 2% of worldwide annual turnover, or €20 million or 4% of worldwide annual turnover, whichever is higher. Regardless of how high the financial penalties could be, the challenge for FM organisations in preparing for GDPR remains significant, so it makes sense to prepare your business properly.
Start now, and you’ll thank yourself later.
To help you, here are five areas to consider on your journey to GDPR compliance as an FM provider:
1 Involve, prepare and train your people
To execute change successfully you require teamwork. Especially when those changes need to happen quickly. Whilst FM workers are scattered across a variety of locations and roles, it’s important to try and help them understand why things are changing, as well as what they need to do to make it happen.
Take the time to talk to them, and be clear about the potential implications if they don’t fulfil their responsibilities. It’s not about scare tactics, just common sense. For example, ensure they’re clear on what information they need to provide to employers, and their rights to privacy.
Among the privacy professionals preparing for GDPR, the primary focus is being able to demonstrate compliance from the outset. Over two-thirds of businesses are creating a new internal privacy accountability framework. This means establishing or upgrading privacy programs, putting additional data protection mechanisms and policies in place, and potentially defining consequences for employee non-compliance.
Well over half, 58 percent [1], are investing in privacy training for their staff and employees to ensure that everyone knows and understands the implications for themselves and the organisations they work for. For FM organisations this is critically important: exposure to risk reaches far and wide because of the tendency to use multi-tiered staffing arrangements spanning direct employees, sub-contractors and temporary workers, every one of whom may handle personal data. FM businesses that do not take steps now to train staff, create robust policies and communicate the implications are leaving themselves significantly exposed.
More specifically, use the technology already inside your business that controls this data (or should) to govern the process, enforce the requisite security controls and define roles within your business and across your teams. Help your people by putting in place a technology framework that controls access and evidences compliance should the worst ever happen. If you use software every day that holds large amounts of sensitive data, investigate the security model and data protections it provides out of the box: role-based permissions, audit logging of who accessed or changed what, and encryption of stored data are the features to look for, and you may find you already have answers to the challenges you face.
2 Keep your data close
GDPR is about protecting personal data, and keeping that data secure is a core part of it (Article 32 requires "appropriate technical and organisational measures"). So, once you've explained what needs to be done, provide best-practice guidelines for making sure you get there: clear policies in unambiguous terms, circulated to all and ideally signed by each employee, leave less room for error. Establish how you'll keep your sensitive information safe, who will have access to it, where it will be held, and how those rules apply both inside and outside your business.
A high volume of UK companies across the board, including many FM organisations, are diligently complying with Article 37's obligation to appoint a data protection officer, with approximately 4 out of 10 respondents to a recent study [1] saying they are naming one. Note that the obligation is not universal: it applies where processing is carried out by a public authority, or where an organisation's core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. FM organisations that run large-scale CCTV or access-control systems for clients may well meet that threshold, and those that do not can still appoint a DPO voluntarily.
One sensible rule of thumb for demonstrating that your FM organisation is doing all it can to protect data is to urge employees to share only the information they absolutely need to; GDPR calls this data minimisation. If someone asks them to email something, advise your employees not to send the whole document or file but only the relevant part. Much of the damage and exposure from breaking data protection rules can be prevented simply by making sure people think before they share, and do not circulate information that could get into the wrong hands.
As an FM organisation, think also about how you'll manage data across devices, whether company-owned or personal. Your employees, like anyone else, own smartphones, tablets and laptops. They need to be able to access data quickly and easily, as they do in their personal lives, but you also need to ensure that your systems provide secure sign-in and, just as importantly, authorisation: each employee should be able to view only the information that relates directly to them or to their role, and that restriction must be enforced by the system itself, not merely hidden from view in the app. FM businesses are doubly exposed here, needing to equip and protect their own staff as well as the systems they implement and manage for customers. Start by asking your software partners to help you with this. Understand what you have as standard, and you may well be pleasantly surprised. Any software worth its salt will offer reliable, well-thought-through security in this respect. If it doesn't, dump it: it's a hole in your organisation you can do without!
3 Review processes, and partners
GDPR effectiveness and compliance requires slick processes and strict governance. Take a detailed look at how you’re currently doing things with regard to data security and confidentiality. Be honest about any shortcomings, and develop a plan to eradicate them quickly. If necessary, put new processes in place to ensure compliance.
In order to comply with GDPR, you must produce and maintain a wide range of documentation. This is not only to meet the explicit requirements for specific records (the Article 30 record of processing activities, and evidence of consent wherever consent is the lawful basis you rely on), but also to ensure you have evidence to support your claims should the supervisory authority have cause to investigate.
Although there are different requirements for data controllers and data processors, the responsibility for the documentation's accuracy will generally be the controller's, because the controller decides why and how personal data is processed and will usually bear the consequences of a data breach regardless of who is to blame for it. Unlike under the 1995 Directive, however, processors now have direct obligations of their own, including keeping their own records of processing and acting only under a written contract with the controller (Article 28), so an FM provider acting as a processor cannot simply leave documentation to its clients.
For FM organisations this can be a big ask, so don't be afraid to ask for help. Your technology partners can be your biggest asset here. In fact, as your own employees may have their hands full with other tasks, third parties may be your best option for ensuring success on a tight timescale.
Make sure your partners take this seriously too. GDPR requires controllers to use only processors that provide sufficient guarantees of appropriate technical and organisational measures. ISO 27001 certification does not by itself equal GDPR compliance, but it is a strong signal of a managed approach to security. If a partner can't offer you that comfort around how they do business, are they really the partner for you?
4 Don’t be afraid to automate
When time is tight and there is no room for error, or you simply need to move data between parts of the business or between applications without manual handling or human sight of it, automation can make all the difference. Of course, it doesn't work for everything, and your business will still need 'the human touch' in some areas. But for more mechanical or repetitive processes, where accuracy is crucial but interaction isn't, explore the benefits of automation to ensure your FM organisation meets compliance demands every time.
Automation offers some data security benefits, but more often the focus is on saving FM businesses significant time and therefore cost. For example, you could enable employees to view and update their own personal information online through a secure portal, and let them update their work availability, request holidays and so on, saving time and cost. This does away with forms and data floating around on paper. The information is then held in one protected system where changes can be logged, with far less risk of exposure and a far easier job of demonstrating GDPR compliance.
5 Act now
You’ve no doubt heard this before, but let’s keep saying it, because it’s so important. Don’t underestimate GDPR and the preparations you need to make prior to its introduction. With the stakes so high, why leave it to the last minute? Start taking the appropriate steps now, and understand what you specifically need to do before 25 May 2018.
If you don’t know, don’t panic: plenty of help is readily available. Contact your partners and begin to feel your way through the issues. No doubt they are equally engaged in this conversation, if not more so. If they aren’t, is it time to think hard about their ongoing services to you?
At Innovise, we specialise in securing data and enabling your employees to work more productively. We are ISO 27001 certified, and so are our partners. Our Timegate and Servicetrac solutions keep your sensitive information protected so you can focus on your day-to-day business. Built specifically for facilities management, continuously innovating and improving, our software grows with your business and helps you tackle the challenges in times like these.
Sources: [1] The Register