FACILIO and GDPR
Facilio is an IoT and AI-driven operations and maintenance software for large real estate portfolios This includes SaaS applications for facilities, sustainability and property and tenant management that helps customers like commercial real estate owners, property developers and building owners to centrally manage their operations, maintenance, asset performance, sustainability - energy performance and the tenant experience across their distributed portfolio of buildings, in real-time.
We have end-to-end capabilities like help desk, work order management, service portal, pre-scheduled and preventive maintenance,predictive maintenance, asset management which includes fault detection and diagnostics, false alarm detection, etc., Comprehensive energy management including M&V, regression analysis, heatmap analysis, load analysis, consumption analysis, EnPI, baselining, benchmarking energy efficiency, etc. Service catalogs, portals for tenants, and Vendors.
Facilio can integrate with existing Building Automation Systems and make use of all data (used or currently unused) to deliver real-time facilities management.
Facilio is available to its user via web or as dedicated apps in mobile platforms.
GDPR -General Data Protection Rights gives an individual the right to know what personal data is being held, how the data is stored, processed, and it also provides the end-user with the rights/consent to have their personal data to be erased upon request.
What is Personally Identifiable Data
Personally identifiable data includes any information that can be used to identify or track and individual uniquely. It includes Name, personal email Id, Personal phone number, home address, age,and other sensitive data like medical information, Social security numbers, Credit card information, etc.
What is Facilio’s role in GDPR
Facilio acts as a Processor of Data, and we do not explicitly collect any end-user personal data as a part of signup or Onboarding. The controllers (or the clients that use Facilio's service) are encouraged to collect only official information like office address/phone numbers and email id's when adding users to use Facilio's Services. They also hold the responsibility to remove a particular user when the user leaves their organization. Facilio does not hold any of the information removed from the application in our servers or databases.
There are many rights in GDPR , but at Facilio we basically
Do not insist on collecting any personal information explicitly, and the customers are encouraged to use their official email ID and phone numbers during the signup process.
Facilio does not hold any personal data longer than necessary. The data will be removed in immediate effect from our servers and databases if the controllers request us or delete the information directly.
Facilio is clear on how and who and why a person accesses the data - the access is provided only to specified personnel through IAM control.
Facilio is clear on how the data is processed.
Facilio never collects / stores any sensitive personal data either directly or indirectly from any other websites.
Facilio is obliged to make clients aware in case of any data breaches that occur.
Facilio trains all employees about GDPR.
Personal Data Collection, Storage, and Processing Details that happen in Facilio: This section details the forms in our product that collects the data, how it's segregated, stored, and how it's processed.
Signup Form
Name and work email (Specifically tagged as work email) is collected and stored in a database table called Account_Users. This is the only table where the information gets stored, and an ID is generated for the corresponding user in that particular organization. Only the ID is referred to in all other places in the database. This specific table can be encrypted. In this form, only Name is the PII collected and can not be avoided. Usually, the Facility Manager signing up for Facilio's services uses this Page, and he becomes the Super Administrator for the account, for their organization, and has access to all data that is entered in this account. The Facility manager becomes the controller of all data belonging to the organization. Facilio acts as a processor.
Add Users/Requesters/Tenants/Labour Form
Name and email ID is collected and stored in a database table called Account_users. This is the only table where the information is stored, and an ID is generated. Only the ID is referred to in all other places. In this form, the Name, email ID, and phone number are collected and can not be avoided. For Labour addition, the work location address is collected. Email ID and Phone numbers are collected to send a notification to the technician when a work order is assigned to him or if he must manage an asset. The controller has to make sure that the email ID and phone numbers are official email id/phone numbers. Facilio also performs a regular audit ( once in 3 months ) of the data in the Account_users table. If we identify any personal email IDs ( like @gmail/@yahoo, etc.), we notify the controller to get the consent. However, this kind of validation cannot be performed for phone numbers. Hence, phone number detail is not mandated in these forms. Further, the details entered in the Account_users table are integrated with 3rd party tools (Email Server for sending email notifications) and (Twilio for sending SMS notifications ). Facilio triggers notifications only on tasks related to Work order management/alarms/asset management and does not send any other notifications to the end-user. Further, all data that is transferred from and to the 3rd party tools are managed to secure TLS lines.
Visitor and Vendor Management Forms
When Facilio Visitor Management/Service portal is used for a visitor management system, the Facility Manager and the Tenants in a Facility can use Facilio to invite people, Invite Vendors and record visits of Guests. In all these forms, the Name, phone number, Email ID, and Address of the visitor is collected, which are all classified as PII. This information is stored in the "Visitor" table of the database, and this storage is encrypted. Again this email ID and phone numbers are processed for email generation /SMS generation for Invite/ check-in and check-out of the visitor. All transit data is handled through secured lines. The information that goes into this portal is directly done with the consent of the visitor/vendor, and if there is a need/concern regarding this data, the Facility manager/controller can delete the visit/invite, and the data gets removed from the database immediately.
Vendor Management Form
A Facility manager or a Tenant can add Vendor related information and is stored in the "Vendors" table. The Name, phone number, Email ID, and Address of the Vendor - which must most probably be an official address, but it can also be personal information. Again this email ID and phone numbers are processed for email generation/SMS generation for Invite/ check-in and check-out of the vendor since Vendor management is interconnected to visitor management. All transit data is handled through secured lines.
A reference number value will be created for each of the user/visitor/vendor stored in the above table, and these values will be referenced in at least 20 other places like:
Tables that track login and Logout
Tables that track active users
Tables that manage the visits
Tables that manage Invites
Work order scheduling
Asset management etc.
The data stored in the above tables will be referenced and displayed in the following places: Work order assignment, workflow criteria, Stateflow Criteria, Asset and purchase request management, Contract, and SLA management pages.
The Work request submissions will have the affect person's Name and details of the location where the issue is seen. This detail is essential to check the location within the Premises where a particular issue is seen.
Who from Facilio has access to the Data
At Facilio, the access to the databases where the customer data is stored is strictly prohibited to office IP addresses and only to very few members. Since the tables that contain PII are encrypted, the data can not be locally imported.
Specific members from customer support have access to the Super Admin logins of the customers as a part of the Onboarding process. Once the Onboarding is complete, the Customers are encouraged to change the password to prevent any data breach.
Responsibilities of a the Controllers / our Clients
Every Facilio client's implementation of Facility management is different, and many not exist with some degree of customization. Each of Facilio's clients as a Data controller must make their assessment and take into account all the configurations used / reports generated and check if photos or other attachments uploaded contain any personal data and must perform a regular audit on what they are collecting and controlling.
Conclusion
The main areas where personal data is held in Facilio is found in Person/Users, Labour/Tenant/Visitor/Vendor. But there are many more places like custom modules where there is a potential to store personal data. Email ID and Phone numbers are often referenced with User Name as a unique key, that gets referenced as a numeric value generated in one of the above-mentioned tables.
Facilio Databases are designed to determine if a person's data is no longer needed / or if a concern arises regarding storing one's data, then the data can be removed with immediate effect without creating referential integrity issues by the controller
Through the above two practices that are followed, GDPR compliance and security of personal data is significantly controllable by the controllers/facility managers that use Facilio.