Data Privacy and Security in Commercial Real Estate: Why You Should Care and What to Know

Collecting data is useful. No matter what line of work you’re in, you need it to make more informed decisions. Whether you’re a small shop trying to figure out how people perceive your brand, or a large company trying to influence sales and consumption habits, data collection is necessary to stand out from competition and sustain your business.

In today’s digital-first world, data is more accessible than ever. More than 2 quintillion — yes, that’s 18 zeros — bytes of data are generated each day across every industry. This data is so valuable that 62% of companies claim self-service business intelligence is essential in 2021.

The commercial real estate (CRE) industry is no different in its needs. Since the COVID-19 pandemic, the implementation of proptech for office buildings has exploded at an exponential rate. Each integrated technology serves as a new source of data for your portfolio — data which can be used to reveal how tenants really feel about the office, and how they’re engaging with your building’s amenities and programming. As you might imagine, these insights can really optimize current and future investments, create efficiencies, and attract and retain key tenants.

However, the need to collect meaningful data shouldn’t overshadow the need to protect that data. Shockingly, about 48% of employees report that their companies either do not offer any sort of data training or do not make it clear that they provide it. Additionally, 56% of global CRE leaders said the pandemic “has uncovered shortcomings in their company’s digital capabilities and affected their plans to transform,” citing both cybersecurity and data management as top concerns for digital workflows and transformation.

HqO is a CRE technology provider that takes data privacy and security seriously. We’ve gone through rigorous processes to provide the highest level of service and trust for our customers. That’s why we feel confident that we can help you not just collect the right data, but protect it.

What it All Means

Data privacy, or information privacy, is a branch of data security concerned with the proper handling of data. This includes consent, notice, and regulatory obligations. Practical data privacy concerns often revolve around whether or how data is shared with third parties, how data is legally collected or stored, and regulatory and compliance requirements such as GDPR, SOC 2, HIPAA, GLBA, or CCPA.

These security and compliance practices are important for two reasons. The first is that many companies have found immense value in data collection practices. For the office, data collection can bring property teams closer to their end-users than ever before, and serve as a competitive advantage in a challenging industry. In order to build trust and display accountability with partners and customers, companies need to remain transparent about their data collection practices — including how they abide by privacy policies, request consent, and manage and use the data that they collect.

Secondly, data privacy is a personal right. Customers have the right to privacy, no matter where they are or how their data is being collected. Companies need to account for the personal safety of their end-users by combining data privacy practices with data security practices that protect information from internal and external crises. In short: to leverage data in a meaningful way, you need to protect it in a meaningful way for both your company and your customers.

Best Practices

Not sure how or where to get started? Here are a few best practices that any CRE team can take into consideration:

    • Consent comes first. Before you collect any data about your tenants, get their consent to do so! There are some horror stories out there where facial recognition technology was used on a tenant-base without their consent, which landed the operator in a lot of legal and financial trouble. To avoid placing your company and its end-users in a compromising situation, make sure the user knows what’s being collected and what it’s being used for before you do so.
    • Avoid recording faces. Although it’s only one facet of personally identifiable information (PII), the market is very sensitive to images being recorded and disseminated to the internet. If you are exploring using facial recognition for access or people counting, make sure that the solution is not connected to the internet. People will be way more likely to give consent to facial recognition technologies if they know that the data only exists on-premise.
    • Understand the data lifecycle. Ask the following questions about your technology provider: What PII is collected? How does data get into the system? Where does the data ultimately live? Is it encrypted at rest? How many systems have access to identifiable data? How can users manage their own data? What’s the process for Right to Be Forgotten? How is data used or scrubbed in non-production environments? What is the data retention policy?
    • Understand access reviews. Ask the following questions about your technology provider: How often are logical access reviews conducted? How is access to production environments provisioned and de-provisioned? How can the tech provider access data?
    • Understand the vendor management system. When it comes to selecting a vendor, you will want to know: What vendors/sub-processors have access to user information? How are these sub-processors vetted and how often? How are sub-processors off-boarded, especially those with access to user information?
    • Understand the software development lifecycle. You will also need to know about ongoing maintenance: How often is code deployed? How is code reviewed prior to code deployment? What tooling is in place for static code analysis? What tooling is in place for vulnerability management?

In addition to our recommended practices, NAIOP (the Commercial Real Estate Development Association) created a list of 10 actions that CRE teams can take to remain proactive and transparent about data privacy and security. Their suggestions help form a fully comprehensive plan, including evaluating risk, training and awareness, and preparing an incident response for potential situations.

HqO and Data Security

When it comes to our product, we’ve done the diligence on our end to make sure that every CRE client is collecting data in safe and secure ways. Our Digital Grid ensures that you’re only looking at the high-level anonymized and aggregated trends that are most meaningful to your business — omitting the PII that could put you at potential risk.

In addition, we have the certifications to prove our diligence for our native product, and we pre-vet all HqOS Marketplace partners to ensure their compliance as well. In fact, HqO’s dedicated Information Security team is responsible for the overall periodic review process, implementation, maintenance, and compliance of our product. Here are just a few ways that we ensure safe practices for our customers:

  • Technology leadership reviews user access on a quarterly basis. Logical Access is modified on an as-needed basis dependent on the results of the access review consistent with the Access Management policy.
  • Customer access is reviewed on at least an annual basis. HqO uses a multi-tenant architecture that programmatically segregates each customer’s data from that of other customers.
  • In the HqO platform, a role- and permission-based access scheme limits users, customers, and staff to viewing and interacting with only the data they should have access to. Resources are protected through native system security that identifies and authenticates users and validates access requests against the users’ authorized roles. Pre-defined security groups are used to assign role-based access privileges to the in-scope systems.

For more information on how HqO can enhance your data collection practices while heightening your company’s security, schedule a demo today. If you want to learn more about our recent data privacy and security certifications, click here.
