Workspace design have been relying on utilisation data for over a decade, but what impact will General Data Protection Regulation (GDPR) have on the industry?
Initially Intended as a single set of rules across Europe to enable individuals to have greater control over their ‘personal data’ within the Digital Single Market, GDPR’s definition of personal data is not limited to the digital world but covers any personal information, with no distinction between private, public, and/or work related data:
“Any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”.
The regulation makes a clean cut between data controllers (“determines the purposes and means of processing personal data”) and data processors (“responsible for processing personal data on behalf of a controller”), and clearly describes how that data can be used. Data controllers can only work with data processors that provides “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
And “When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”
Where does that leave us with our utilisation surveys?
In short, your surveys will be GDPR compliant only if your surveys are conducted in such a way that doesn’t allow to distinguishing one particular individual, unless “demonstrable consent” is granted by the data subjects within the clearly define purpose of the study.
GDPR is 200 pages long, but in a nutshell unless the data is pseudonymise at the source or consent is granted by the data subjects, organisations in Europe can no-longer do:
This, however is providing a great business boost for the lucky few alternative workplace attendance and utilisation measuring tools that were designed differently and are capturing the data, and/or of pseudonymising it, making it GDPR compliant.
Contact us for more information.