3 Data and Security Considerations for Your Building Management App

Every office owner and property team wants to have the best building management app for their portfolio. It only makes sense. As we transition into a post-pandemic workplace, the commercial real estate (CRE) industry has been inundated with emerging technologies that support hybrid work models and make consumer-first experiences easier to achieve. 

On the building maintenance side, property management software can create efficiencies in the day-to-day operations of property teams — as well as connect them to the newest responsibilities in the modern property management role: the tenants. All of these capabilities are mission-critical in a digitally-obsessed world. However, what’s even more pertinent is understanding the new considerations that come with implementing these technologies.

The biggest of these considerations is data. 45.1% of property managers express a desire to improve efficiencies within their buildings, meaning that nearly half of this audience relies on data and analytics to meet their goals. As stated in an article about property management trends: “Property management software with in-built data analytics can help get actionable insights that can be customized in real-time. […] Technology-driven data analytics will be at the forefront in identifying opportunities, forecasting returns, and measuring tenant behaviors. ”

Here’s where it gets tricky.

With a large part of commercial property management software dedicated to data collection on building features and tenant behavior, how can you tell that you’re collecting data in the right ways? Is the data meaningful, and is it also protected in a way that respects the wishes of the people in your buildings?

We know a thing or two about data privacy and security compliance. Based on what we’ve seen and the steps we’ve taken to secure our own product, here are three things you should identify before adopting a tenant and property maintenance platform. 

1. What Kind of Data Do You Need?

You might be quick to declare that you need as much data on your building and tenants as possible, to help you identify building trends and investment opportunities — but data collection is not that straightforward. For example, do you really need specific details about your tenants, such as name, birth dates, or even phone numbers? Will that information help you work towards your larger company goals?

The short answer is that you shouldn’t require personal information. Personal Identifiable Information, also known as PII, has been a topic of discussion among other industries for years. We’ve all heard it — where large companies such as Facebook collected personal information without user consent, leading to large data breaches that expose thousands (sometimes millions) of individuals.

Even if you do require PII, the terms of consent need to be extremely clear. For example, certain large retailers ask for PII in return for exclusive benefits programs and memberships — making sure that consumers “opt in” to giving this information before using it for marketing or business purposes.

At the end of the day, CRE teams only need to know the high-level trends and happenings at their buildings. For example, a property manager won’t need to know if John Doe visits their office’s on-site cafe and orders a turkey sandwich every day of the week. That level of detail isn’t actionable or informative for company goals. Instead, the property manager may want to know if tenants at their building visit the on-site cafe at all. If they don’t, this might indicate tenant dissatisfaction with the cafe and prompt a new building investment. If they do, this would be a great opportunity for the property manager to offer discounts and perks to the on-site cafe as a means to support the retailer, show tenant appreciation, and open up additional streams of revenue.

2. How is this Data Protected?

Once you identify the types of data you need, you need to ensure that this data is secure. Customers have the right to privacy, no matter where they are or how their data is being collected. This means that companies need to account for the personal safety of their end-users by combining data privacy practices with data security practices to protect all data from internal and external crises. 

Fortunately, there are easy ways to identify technology providers and partners who handle data securely, mostly in the form of industry standards and certifications that require thorough examination and ongoing maintenance. Some of these certifications include ISO, SOC 2, CCPA, and GDPR.

• An ISO certification is a third-party approval for a company that runs to one of the international data protection standards developed and published by the International Organization for Standardization (ISO).
• SOC 2, which stands for System and Organization Controls 2, is an audit report that attests to the trustworthiness of services provided by a service organization, such as a SaaS company.
• The CCPA, or California Consumer Privacy Act, is among a growing number of state, national, and global data privacy and information security laws focused on consumer privacy rights.
• A GDPR certification means that the entity is legally compliant with the European Union’s General Data Protection Regulation. 

3. How Can You Create a Sustainable Data Protection Plan?

The best way to maintain safe data practices is to work them into your company infrastructure. NAIOP put together a full comprehensive list of actions that CRE teams can take to remain proactive and transparent:

• Prioritize cybersecurity and privacy as an organization: One of the most important parts of reducing data privacy breaches is aligning with key stakeholders, including those who would be at-risk in a security incident. As NAIOP states, “addressing them is an organizational imperative. While the company’s information technology group can lead the effort, the involvement and support of the greater organization is critical to the success of any cybersecurity and data privacy initiative.”
  

• Understand what you collect and why: Creating an inventory of company-held data will account for all systems and storage locations, as well as employee-owned devices if possible. This should include a detailed list of data, their purposes, and the applications or systems used to store or access it.
• Evaluate the legal obligations: Organizations should have a good understanding of what legal obligations apply to the data they’ve collected, whether from contracts with third parties or from state and federal data privacy and security laws.
  

• Evaluate risks from connected building systems: Though the Internet of Things (IoT) devices are incredibly valuable, they also present a certain amount of risk to any organization. Therefore, CRE companies should pay attention to internet-connected systems, as well as exercise caution during the implementation process.
• Have a written information security program: Preparing and implementing a written information security program will be critical for an organization’s success. Even with a simple privacy policy, the scope will vary per organization. NAIOP suggests looking at free publications such as Start with Security: A Guide for Business and Protecting Personal Information: A Guide for Business as starting points.
• Training and awareness: Once your plan has been determined, it’s important to create a culture of security through employee awareness and training. After all, employee carelessness is the number one cybersecurity and privacy risk for organizations. Championing a data privacy policy for employees through an official campaign will ensure that everyone understands the gravity of such practices.

• Incorporate privacy and cybersecurity in tenant agreements: To further reduce risk, organizations should consider addressing data privacy in the terms of tenant agreements. NAIOP provides the following scenario: “Examples include leases in which the tenant relies on the landlord to deliver IT services such as wireless internet or other IT infrastructure, and those in which a tenants’ IT systems are integrated with building management systems operated by the landlord. In either case, parties should consider clearly agreeing in writing on the duties that apply – and do not apply – to each party to protect the security and confidentiality of the services, systems or data involved. The agreement should also address who will be responsible for damages caused by a cybersecurity incident that affects those services, systems or data.”
  

• Vet your service providers: Third-party vendors will always pose a risk to a company, despite if an organization’s own policies are well-developed. Thus, CRE companies should thoroughly examine procurement procedures to identify if and when vendors need access to company systems or data. This will allow teams to ensure that vendors can uphold any internal privacy and information security policies and standards.
  
• Prepare an incident response plan: If an incident occurs, an organization will need a documented response plan. It should include assigned roles and responsibilities on the incident response team; steps to identify, investigate, contain, and remediate security incidents; when and how to engage with external resources; a strategic communications plan about the incident; and how to address any legal obligations that may arise.
• Consider cyber liability coverage: According to NAIOP, when traditional insurance policies don’t provide the necessary protections in the case of a cybersecurity incident, “the organization can purchase specialized cyber liability insurance that covers the organization’s exposure to the wide spectrum of issues arising from privacy and cybersecurity incidents. Coverage under those policies varies widely. There is no standard policy form and individual policies can contain substantial differences on what is covered, when coverage is triggered, and what events are excluded.”

A Protected Future

The more CRE teams leverage tenant and property management software, the more they will have to become acquainted with the many rules and regulations around data privacy and security. 

These policies, of course, are subject to change. Certain types of technology — such as facial recognition, artificial intelligence, and biometrics — are expanding the existing definition of PII. As these technologies reveal additional considerations in terms of security on the horizon, the ongoing maintenance of certifications such as ISO and SOC 2 will be more important than ever for companies looking to provide the highest level of security for their customers.

For more information on HqO’s data and security practices, visit our Security Practices page. To see how our product can securely enhance your portfolio, schedule a demo today.