[Skip to content]

FM World logo
Text Size: A A A


Martin Read looks at data compliance issues facing workplace and facilities managers as they add wearables to their data-aggregating tools.


Related articles

Read: Dealing with data here

Read: Wearables and well-being here

03 June 2019 Martin Read

By some estimates, 2020 will see there being seven times as many connected objects in the world as there are people. It’s a fascinating figure as much for what it doesn’t say about this brave new digital world as for what it does. How can any single organisation deal with all of the data that needs analysing? How can there be a broadly standard way of approaching such a task? And at what stage do you sign off on a data analysis project when the technology underpinning it keeps on changing?

These are still early days for the Internet of Things (IoT). It’s a market in the process of seeing threefold growth between 2017 and 2021 (with the market for cloud-based software and services quadruple in value over the same time frame).

James McHale, managing director of smart building research consultancy Memoori, has spoken about the need for buildings to increasingly understand occupants rather than occupants understanding how best to operate the building.

“Starting with the user in mind, a smart building can become what its users want,” says McHale. “We are not robots, our actions not always logical. Technology is a means to an end and not an end in itelf. We need buildings that are built to provide outcomes, not outputs.”

McHale warns of “a lack of communications protocols in each individual business silo” having been until now “a barrier to integration”.

Too many of a firm’s technical services are acquired separately from each other, he says, belying a lack of “joined-up thinking” across an enterprise. Quality of data analytics is the key, believes McHale: “We need a fundamental shift in thinking, looking at outcomes, not outputs.”

The speed at which the workplace is seeing the impact of all of this is breathtaking, with ‘breathtaking’ rather apposite given one of the latest parallel streams of data development and analysis: personal health and well-being tracking. Wearable technology and its effect on the supply of facilities services such as catering (nutrition, hydration), break-out space (meditation, mindfulness taking a break) and maintenance (temperature control) is changing discussions about future workplace provision. The market for wearable tech (smartwatches, wearable scanners, ‘FitBits’ and the like) is growing exponentially with organisations pressured by consumers using their own such tech at home as the cost of doing 

so comes down.

As we report elsewhere in this section, there is considerable risk as well as opportunity from the introduction of wearables into the equation. Increasingly, how an organisation interprets its workplace data will determine its property leasing decisions and thus its wider CRE risk. Indeed, technology consultant Antony Slumbers used the recent IWFM Conference to call the digital revolution engulfing the corporate real estate sector an ‘existential threat’ to it.

The three ‘P’s impeding progress

Creating a standard model to deal with all this data is an aim that suffers from a lack of measurement precedent, lack of capable personnel – and lack of confidence about privacy issues.

The first of these comes down to a lack of templates; what models for data management should the typical organisation adopt? Shifting towards a data-first strategy is an unprecedented activity, making the costing and timing of such projects all the more problematic.

Allied to this is the personnel problem; a lack of internal or external capability. Few specialists exist to serve this new market for data management because of a lack of critical mass around a few data management skill ‘types’; instead there are myriad vertical specialists and few competent integrators.

Thirdly and perhaps most recently is the issue of privacy – and as we reach the first anniversary of the introduction of the EU’s General Data Protection Regulations (GDPR) regulation, it’s clearly an issue that is not going away soon.

The concerns of workers that the health data they create will lead to discrimination in the workplace (rather than a personalised service nirvana) is no small issue. In a research report, Deloitte has called for organisations to consider carefully the implementation of wearables given the very personal sensitivities people have to their use.

In any conversation about an individual’s self-generated data integrating with an organisation’s systems, the impact of GDPR must be discussed. In the year since the regulations became law, the EU Commission has received over 95,000 complaints, the most notable example being the £44 million fine Google incurred over how the site uses data to target ads.

Forget further data analysis – many companies still need need to change their attitude towards GDPR, argues Hellen Beveridge, privacy Lead at data protection services firm Data Oversight.

Organisations frequently try to mould legislation to fit into their existing processes, she says – a potentially big mistake with GDPR.

“Organisations fall broadly into two camps,” says Beveridge. “Risk-averse and risk-tolerant. The former are working hard as they want to do the right thing by their customers and, more importantly, don’t want to fall foul of the Regulator. The latter group is still waiting to see if any of their peers get caught, and then they might take action.

”Many companies in the UK are still just tickling the legislation at the edges. They haven’t invested in governance as a budget item and simply have their fingers crossed that they won’t get caught. There are multi-million pound turnover businesses who simply haven’t grasped the nettle.”

It’s the manufacturers of physical security solutions that are quickest to highlight the existing gaps. According to OfficeDepot, hundreds of businesses across the UK are still guilty of breaching GDPR guidelines, its research suggesting points at which sensitive data remains at risk of being lost.

One year on from the original GDPR deadline, Office Depot’s survey of more than 300 office workers with sight of GDPR in their companies found that while those surveyed believed their companies to be ‘fairly’ compliant, there were still alarming levels of bad practice being adhered to, putting businesses at risk of facing fines of up to €20 million or 4 per cent of annual turnover.

Office Depot’s Peter D’Amery believes organisations should see the 25 May 2018 compliance deadline as signalling the beginning of an ongoing process requiring maintenance and checks.

“Our research shows that not all businesses check their GDPR adherence regularly enough, a quarter admitting that they assess processes randomly, and some even fail to review at all.

“Businesses should think seriously about their compliance and ask themselves ‘have we done everything we can to protect our data?’” 


Fingerprint biometrics: a touch more secure?

The use of fingerprint biometric smart cards can boost security further because the fingerprint is held only on the card; accordingly, unlike most facial or iris recognition systems, there is no database of biometric data to be hacked or stolen. That’s a huge advantage anywhere security is paramount, such as healthcare or law enforcement facilities, and puts fingerprint biometrics ahead of many other biometric systems, let alone passwords and PINs.

A similar scenario applies to the use of fingerprint smart cards for access to IT networks, where it may be possible either to connect fingerprint biometric readers to the network or attach individual readers to each device. This type of authentication can be used to generate robust and reliable audit trails of network and data access.

Indeed, fingerprint biometric smart cards can help businesses to gain pinpoint control of operations, either in real time or retrospectively (e.g. for disciplinary or legal proceedings). Using biometrics in this manner tells managers exactly who is in which building / network / system and when they accessed it. By adding fingerprint biometric capabilities to portable or employee-owned devices, the ability to manage remote or flexible working staff is simplified; management can always see when staff are logged in and working the hours they claim.

Fingerprints vs.facial recognition

Some argue strongly in favour of facial recognition, especially for building access. Facial recognition is a perfectly good biometric in many situations and is a valuable addition to the armoury of biometric authentication methods. However, as Apple discovered when they launched the iPhone X, it is not without problems. Apart from the furore surrounding Face ID’s alleged inability to tell some people apart, Apple itself has admitted there are problems with the camera technology required to make facial recognition work and have issued formal instructions for iPhone users experiencing them.

To identify a face, the cameras involved must be able to achieve a reasonable degree of resolution. In addition, a significant proportion of the face 

must be presented to the camera. Ambient light, clothing (e.g. the wearing of scarves and glasses) and even the angle of the face when being scanned, can also reduce the effectiveness of facial recognition.

David Orme is senior vice-president at IDEX Biometrics

Taking GDPR seriously?

New research by office supplier ACCO Brands indicates that businesses may not be as GDPR-compliant as they think.


of survey respondents believe GDPR only applies to digital data

While digital data breaches tend to grab most of the headlines, physical data noncompliance is just as much of a risk. The paper documentation a business keeps may contain private and sensitive data.


have not yet updated their approach to physical data management

Many firms have invested in new or improved cybersecurity measures in order to become compliant, but three quarters have yet to address issues with physical data. Many have moved their vital documents into digital or cloud-based storage systems but have failed to devise an appropriate solution for handling the physical records once they have been digitised.

The loss or theft of paperwork are among some of the most common incident types reported to the Information Commissioner’s Office (ICO) , the UK independent authority upholding information rights.


confirm they have not purchased paper-shredding equipment as a result of GDPR legislation And 53 per cent of businesses still have zero or one shredder.


of consumers still don’t understand shredding security levels

Though GDPR does not specify which level of shredding security is required to be compliant, cross cut and micro cut shredding are seen as the most secure options as they produce small paper particles that cannot be pieced back together.