Smart Buildings & Data Responsibility: What to Know Now

Editorial Team
January 7, 2019

2018 was a big year for changes in the way that people interact with technology. On the one hand, adoption of smart devices has never been greater, with more than 19 million smart speakers (Amazon Echo and the like) shipped in just the third quarter of 2018. On the other hand, the European Union’s GDPR (General Data Protection Regulation) went into effect, several large tech company CEOs testified before the United States Congress (including Mark Zuckerberg of Facebook and Sundar Pichai of Google), and the public was notified of data breaches on what seemed like a weekly basis. The more ubiquitous smart devices become, the more we must consider the responsibilities and the risks that come with their adoption.

A smart building’s purpose is to streamline efficiency and create a seamless experience for those who work there. This is done by gathering information about the environment inside and outside the building to optimize temperature, lighting, and other elements for the workforce. Information might include tracking which conference rooms are used, how frequently they’re used, and for what purpose (in-person meeting, video conference, or conference call). This information is then used to manage networked systems automatically.

With today’s technology, a person can pull into the parking lot, be directed to a desk chosen to optimize their performance based on its location relative to distractions or other team members, customize environmental factors such as temperature and lighting to their preferred settings, and let other team members know where they are in the building. That customization improves workflow and optimizes one of the most expensive resources for any business, its people, and it does so by monitoring a great deal about the individuals.

GDPR and Smart Buildings

By now, if you do any business overseas, you likely have some familiarity with the GDPR. In an extremely simplified, one-sentence explanation, the GDPR “states that all citizens have the right that their personal data is processed in such a way that it is ‘lawful, proper, and transparent.’”

If you are designing buildings or systems that collect and track any data with personal information, your systems must be compliant with this regulation. Here’s the catch, though: it only applies to those actually located in the European Union (EU). If you’re a citizen of an EU country but live in the United States, the business you conduct in the US is not subject to the regulations. In short, if you’re a US business that only has locations in the US, then you have no requirements to comply with GDPR. That doesn’t mean the GDPR won’t affect US-based building developers, designers, and owners: read on to see the complex world you’ll be facing.

Smart Buildings Get More Complex

What does the GDPR mean for the growth of smart buildings? It means added complexity and a heightened level of awareness of what the systems are doing. If the systems are tracking any information, then companies complying with the GDPR must provide the ability to opt out and must give users control of that information. It also means that the company must take extra precautions if any of that personal information is sensitive, such as credit cards, personal identification numbers, addresses, etc.

The best way to navigate this is through outside counsel. That might sound like hiring an attorney familiar with GDPR compliance, and that’s one step in the process; however, the attorney is not likely to understand the complexities involved in how smart devices actually operate. The second vital piece of the puzzle is a team member, on staff or from an outside firm, who can help your company understand what information it actually needs from the smart devices and what they can choose to capture or retain.

This additional layer of complexity is something new. It requires a deeper understanding of how the devices you choose to place in your building are configured. It could also potentially alter your company standards if the products that you’ve used to date are not capable of providing the necessary flexibility in data tracking and user control. Having expert team members will help you navigate this successfully.

Data Privacy in the US

There are those who believe that data privacy in the United States is like the wild west. That’s a bit of an overstatement. The Federal Trade Commission (FTC) has been overseeing consumer data protection in the United States for years and provides resources for both businesses and consumers on how to deal with data breaches. However, the difference between the two is that the GDPR is law while the FTC is regulation. There is no national consumer privacy law in the United States. This means that for each smart building that’s constructed, knowledge of the state laws regarding consumer privacy is required.

Constructing a smart building in California in 2020, for example, means that you must abide by the California Consumer Privacy Act, which was signed into law in June of 2018. This law follows in the footsteps of the GDPR by giving consumers the ability to discover what information is being collected, why that information is being collected, with which other companies that information is shared, and then opt out.

Another example from California is the law that bans default passwords from any devices that connect to the internet directly or indirectly, or which are given an IP address on the network or a Bluetooth address. This law will also go into effect in 2020. The intent of this law was to assist in securing the networks by not allowing common default passwords such as “admin,” “12345,” or “password” to be used when products ship to consumers and businesses, but it also means that for any company that’s manufacturing a product sold in California, there must be regulatory compliance.

It is, of course, best practice to always change default passwords prior to the final installation of any device. However, when it comes to smart buildings, many of the simpler devices, like the sensors used to collect usage data from systems, are often left with their default passwords because it’s easier for maintenance. This law will require a great deal more coordination with in-house or third-party maintenance staff to ensure proper password management.

It also means that the partners your company works with should be monitoring the progress of product manufacturers as they seek to comply with this law. Consultants, architects, and contracted design firms must be aware of what their manufacturing partners are doing to comply. It’s unlikely that the manufacturers will ship one set of products that abides by the password law for California and keep another inventory available for the rest of the country, so odds are we will begin seeing this affect all devices.

That’s the rub with regulation of smart devices in the United States. With no national privacy law or security law, only reactionary regulatory oversight, each state has the ability to determine what it wants to do. What works in one state may not work for another. Based on that, there will be a need to understand the technology laws for each state while the building is in design. This will add time and cost to each project: research will need to be performed, and any trade that wishes to utilize a network connection capable of providing an error message via email, text, or other notification will need to coordinate to ensure that the devices being installed are compliant with the local laws.

Experts at Networked Technology

Smart buildings are the future in efficiency for both energy and workflow. Designing them, however, requires connecting potentially thousands of devices to the network. The team required to execute these projects is going to expand in the near future beyond architects, consultants, contractors, and company representatives for the end user to include compliance officers, legal analysts, and experts in each of the niche fields of technology to assist those new team members. It will soon be much more difficult to execute a smart building project with generalists. Having the right team on your side will make your smart building deployment an efficient, and compliant, success.