Page 24 - RC2020-EDGEMagazine_SummerEdition

scrutiny by government regulators, which are responding to the rush of information collection with tighter data-privacy regulations. Most notable is the EU’s General Data Protection Regulation (GDPR), the sweeping data-privacy law that aims to protect the personal data of EU citizens by giving them more control over how their information is used.

Closer to home, the new California Consumer Privacy Act (CCPA) requires that organizations fully disclose the collection and use of sensitive personal data. Businesses must be prepared to demonstrate that they have implemented “reasonable security” and processes to protect consumer information, respond to inquiries about use of personal data, and delete data on demand. In addition to California, Maine and Nevada have also enacted data-privacy laws, with legislation pending in a handful of other state legislatures.

These heightened regulatory obligations present a fresh challenge for CRE. In part, that’s because the industry is largely unregulated and has not been required to implement specific security controls and prove compliance. Regulation entails an unfamiliar set of processes that will likely confound CRE companies.

The first step will be to identify what privacy requirements apply to individual CRE firms in this rapidly shifting regulatory and pandemic environment. Another imperative is an up-to-date data management plan that enables owners to identify and map sensitive data to understand where it resides, how it is transmitted, and with whom it is shared. Organizations that share data with third parties should have contractual agreements in place that spell out the partners’ cybersecurity and privacy capabilities and obligations, as well as with what entities they can or cannot share data. Also critical is stipulating who is responsible for the loss of sensitive information resulting from a data breach.

CRE firms must also understand that the notion of privacy is not constant across borders; it is both a cultural and legislative chameleon. A nation’s stance on privacy is shaped by individual expectations and government regulations, as well as market and societal norms. Also keep in mind that COVID-19 is likely to continue to rewrite the rules of data privacy and regulation in ways that are not yet known.

Best Practices for Privacy
In their headlong rush to adopt new digital services for tenants and occupiers and prepare buildings for a post-pandemic reopening, CRE businesses are amassing massive volumes of data—often without adequate planning or a judicious regard for privacy. An effective data-privacy strategy cannot be founded on a check-the-box compilation of technology controls and tools. What’s needed is a holistic approach that combines a precise mix of technologies, processes, and people skills to meet current and future data-privacy threats. CRE companies should assess their current capabilities against these best practices:

•  Data governance: Manages collection, storage, retention, and destruction of data for specific business purposes.
•  Data classification: Classifies data based on timing and its current state, and tags relevant data for analytics and proper application of relevant controls.
•  Data minimization: Curbs the potential for privacy violations by limiting the collection of personal data.
•  Role-based access control: Limits user-access rights to the minimum permissions employees need to perform their work.
•  Health data governance: Contact tracing provides information related to individuals’ location, which is correlated with data of other individuals to help understand health risk factors.
•  Regulatory compliance: Manages all evolving regulations regarding health data tracking requirements, as well as existing compliance mandates.
•  Network segmentation: Divides networks into smaller zones that contain data with similar privacy requirements and allows IT to incorporate specific security controls.
•  Centralized device management: A managed secure layer, often implemented in the cloud, that enables businesses to create common controls and processes for remote access to corporate networks.



