101 guide on GDPR for coworking spaces (II)

Good news, the wait is over! Here is the second part of our GDPR guide for coworking spaces. In this part we will start exploring the steps coworking spaces need to take to be GDPR compliant.

3. STEPS COWORKING SPACES NEED TO TAKE TO COMPLY WITH THE GDPR

Next, we will outline the steps a coworking space located in the European Union needs to take to comply with the GDPR.

IMPORTANT! As we mentioned earlier, we recommend you consult the specific provisions approved by each Member State.

3.1. Decide whether you need to appoint a DPO (Data Protection Officer).

The Data Protection Officer is an individual with expertise in personal data protection that ensures compliance with data protection regulations, in this instance, in a coworking space.

However, coworking spaces won’t necessarily need to appoint a DPO, since according to the GDPR, this individual is only a legal obligation when:

  • The processing is carried out by a public authority or body.
  • When the activities consist of processing operations that require the regular and systematic monitoring of individuals on a large scale. For example, drawing up profiles for digital marketing which affect more than 1,000 people. In general, this is not the type of activity that coworking spaces engage in.
  • When the activities consist of large-scale processing (as defined by the internal regulations of each Member State) of special categories of data (political ideology or opinions, trade union affiliation, religion or religious opinions, beliefs or philosophical beliefs, ethnic or racial origin, data related to health, sex life or sexual orientation, data on gender violence and ill-treatment, the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person obtained from the analysis of a biological sample, data requested for police purposes without the individual’s consent, data related to convictions and criminal offenses). It is unlikely that coworking spaces would be engaged in this kind of activity.

Nevertheless, the GDPR leaves open the possibility that the internal regulations of European Union Member States establish the obligatory nature of designating a DPO under other circumstances, meaning every coworking space ought to check whether such a need exists according to the internal regulations of the country in which they are located.

3.2 Carry out a risk assessment.

The coworking space ought to evaluate the existing risks involved in the processing of personal data that it performs.

What is a risk assessment?

"It is a set of tasks that will allow a coworking space to determine the possibility of a threat materializing". This can be carried out in THREE STAGES:

First stage: Identification of threats and risks

Firstly, it is important to understand that the risk is derived from the exposure to threats, and therefore, a risk is nothing more than the possibility of a threat and its negative consequences (a violation of the rights and freedoms of the interested parties).

So what CATEGORIES OF THREATS are involved in data protection? They can be classified into three main groups:

  • Unauthorised access to data: If an unauthorised third party accesses personal data belonging to the interested parties (our customers/coworkers), the confidentiality of the data is threatened. Examples of unauthorised access to data: leakage of information; intentional access by unauthorised personnel; illegal use of personal data.
  • Unauthorised modification of data: In this case, the integrity of the data would be compromised, since it could be modified by adding or distorting the data of the interested parties. Examples of the unauthorised modification of data: errors in the collection of data (if registration for the coworking space is by means of an online form, a way to verify the veracity of the data would be by means of a check box of the type "I confirm that the above data is accurate and current"). Another example of unauthorised data modification would be a hacking attack.
  • Unauthorised removal of data: This would obviously affect the coworking space’s access to the data, threatening the availability of personal data. Examples of the unauthorised removal of data: power outage or faults in communications services, human error or intentional attack that results in the deletion or loss of data, natural disasters.

Second stage: The evaluation of the inherent risks of the threats
The next stage begins once the threats and risks have been identified. The coworking space holder must determine the RISK LEVEL involved in all data processing (its inherent risk). How can this be done? By assessing what damage can occur if the threat materializes.

Third stage: Dealing with previously identified risks.
In the final stage, the coworking space needs to decide what SECURITY MEASURES it will take to minimize the possibility of these threats occurring.

3.2.1 TOOLS FOR IDENTIFYING THREATS AND RISKS. EVALUATING AND DEALING WITH SUCH THREATS.

The GDPR establishes THREE INSTRUMENTS for dealing with the previously identified risks, depending on the type of personal data involved:

  a) Basic risk analysis and risk management by default
  b) Registration of processing activities
  c) Data protection impact assessment (DPIA)

a) Basic risk analysis and risk management by default

This is the instrument used for processing activities that expose the data to a low risk. It is generally the instrument that coworking spaces will use, since a coworker’s basic identifying data is sufficient to provide coworking services.

1. How to conduct a basic risk analysis? By establishing the LIFE CYCLE of the data processing, which consists of TWO STEPS:

Step 1: Global analysis of the processing activities

This stage is intended to analyse in a generic/global way the activities for which we are going to use the data of a personal nature. These activities are divided into the following CATEGORIES:

  • Recording data. The person in charge of processing must ascertain how personal data of the interested parties is obtained, for example, paper-based forms or web-based forms, surveys, social media…
  • Classification/Storage. Coworking spaces ought to assign categories to personal data for subsequent storage on their systems or files. For example: coworkers, suppliers, individuals who attend workshops...
  • Usage/Processing. A set of operations carried out on personal data or sets of personal data, either through the use of electronic devices (computers, mobile phones, tablets, etc.) which we shall refer to as automated means; or through manual data procedures. For example: using the data to draw up a contract with the coworker, to send coworking space advertisements to clients, to issue invoices.
  • Assigning or transferring of data to a third party for processing. Transfers or sending of data by the coworking space to a third party, whether a natural or legal person. Examples: sending coworking space invoices (where our coworkers’ personal data is included) to a manager/accountant; A computer technician from outside the coworking space that comes to repair a computer belonging to the coworking space’s owner...
  • Destruction. As the final stage in the processing of personal data, only mechanisms which prevent the recovery of personal data from the storage media, files or systems that contain it must be used. Example: deleting personal data contained on a hard disk so that it cannot be recovered.

Step 2: Classification of the elements involved in processing activities:

At this stage, what we seek is to classify each of the mechanisms we use to carry out the processing activities outlined above:

  • Activities or operations. In recording data, for example: a paper-based or online form, web page... In the destruction of data, for example: a program used to delete the data.
  • Data. Identify the personal data that will be processed. E.g. The contact’s name and surname, address and telephone no.
  • Interested parties. The obligation to identify the individuals or legal entities which, individually or collectively, are involved in carrying out personal data processing activities. For example: the person in charge (the coworking space owner); an interested party (a coworker, an individual requesting information, a supplier...); and the person in charge of processing, this being the individual or company that provides a service to the coworking space and which, due to the provision of said service, has access to coworkers’ personal data (an administrator, a computer company, a video surveillance company that has access to images recorded by coworkers).
  • Technology. The obligation to identify devices/media/technological systems involved in the processing of personal data. E.g. Personal computers, tablets, mobile phones, etc.

EXAMPLE OF THE LIFE CYCLE of personal data that is recorded on paper by a potential coworker who becomes a real customer.

THE LIFE CYCLE OF DATA IN PROCESSING OPERATIONS AND THE ELEMENTS INVOLVED IN THE PROCESSING OPERATIONS

Recording of data
  • Processing activities: Data recorded on form
  • Data processed: Name, surname, ID no., address, telephone no., email, account no.
  • Concerned parties: Manager and potential coworker
  • Technology employed: Paper-based documents

Classification / Storage
  • Processing activities: Data entered into a computer database; paper-based document stored in a physical file
  • Data processed: Name, surname, ID no., address, telephone no., email, account no.
  • Concerned parties: Manager and potential coworker
  • Technology employed: Computer, physical file

Usage / Processing
  • Processing activities: Draw up a contract for the provision of coworking services; send publicity; create invoices
  • Data processed: Name, surname, ID no., address, telephone no., email, account no.
  • Concerned parties: Manager and potential coworker
  • Technology employed: Computer and paper-based documents

Granting or transfer of data to a third party for processing
  • Processing activities: Send the coworking space’s invoices to an accountant/administrator
  • Data processed: Name, surname, ID no., address, telephone no., email, account no.
  • Concerned parties: Manager, potential coworker, person in charge of processing
  • Technology employed: Computer and paper-based documents

Destruction
  • Processing activities: Completely erase the coworker’s personal data when the contractual relationship ends
  • Data processed: Name, surname, ID no., address, telephone no., email, account no.
  • Concerned parties: Manager, potential coworker, person in charge of processing
  • Technology employed: Computer and paper-based documents


 2. How do we ensure risk management by default?

Once we have determined the life cycle of the personal data, in which we have established the processing activities that were carried out, and we have identified the data to be processed, the individuals and the technologies involved, we must ask ourselves what risks we face. To do this, when dealing with personal data of a low level of protection such as basic identification data, account number and so on, we must follow the steps below:

(Continuing with the previous example of personal data that is collected on paper from a future coworker who ends up contracting the coworking space’s services)

Step 1: Identify the processing activities.

As we saw in the processing life cycle, a processing activity would occur during the recording phase: collecting the coworker’s identifying data by means of a paper-based application form.

Step 2: Identify the main potential risks involved in the processing activity:

Once we have identified the processing activity we must decide what risks might affect it. In order to do so, we will address it from the following PERSPECTIVES:

- The integrity of the personal data: integrity refers to the fact that the data that we have collected from the interested parties remains the same throughout the processing.

The risk associated with integrity would be a modification of the personal data without consent.

The following protection/security measures can address this risk:

*Create user profiles and passwords on computers and tablets which prevent unauthorized access to the content of data of a personal nature.

*Install an updated antivirus program.

*Pseudonymisation: it is recommended that numbers are assigned to prevent the direct identification of the person whose data is being processed.

- The availability of personal data: availability means that at all times the coworking space can access the personal data it has stored.

The risk associated with availability is the unintentional loss or deletion of personal data.

The following protection/security measures can address this risk:

*Regularly perform data backups.

*Store backup copies (external hard drives, USB pens, the cloud...) in two different locations.

- The confidentiality of personal data: confidentiality refers to keeping the personal data held by the coworking space from being accessed by unauthorized third parties.

The risk associated with confidentiality is unauthorized access to data of a personal nature by a third party, whether the data is published or not.

*Access by a coworking space employee, for example, would not be considered unauthorized access by a third party. The employee would have the status of user, and the coworking space would continue to have responsibility. The employee must undertake to comply with the coworking space’s technical and organizational security measures, confidentiality, etc.

Two security / protection measures can address this risk:

*Once again, the establishment of user profiles and passwords.

*Network segmentation: for example, the coworking space’s advertising department is unable to access coworker billing information.

- Guarantee the rights of the interested parties in the processing of personal data: meaning that coworking spaces must establish procedures that ensure the exercise of the rights of access, rectification, erasure, opposition, limitation and portability (we shall deal with these concepts in greater detail below).

The risk associated with the exercise of these rights by the interested parties would be an absence of procedures to exercise them.

The following security / protection measures can address this risk:

*Establish a procedure for receiving and managing requests by interested parties to exercise their rights.

- Guarantee the principles relating to the processing of personal data: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, and limits to the period of storage.

The risk associated with these principles can be, among others, the absence of legitimacy for the processing of personal data (the absence of a contract between the coworking space and the coworker, failure to obtain consent on a contact form).

The following security / protection measures can address this risk:

*Existence of a contract with the appropriate information clauses regarding data protection.

*Existence of a form to record consent which includes the appropriate information clauses. These will be explained in section 3.5 of the guide.

b) Maintaining a record of processing activities

Maintaining a record of processing activities is a medium-intensity instrument, which is used in addition to the basic instrument of risk analysis and risk management by default. In other words, since, according to the GDPR, the coworking space is obliged to record its processing activities, it will also have previously carried out a risk analysis and risk management by default.

A coworking space is unlikely to be subject to the obligation to maintain a record of processing activities. This is because, according to the GDPR, this obligation only exists for companies or organizations with more than 250 employees.

The GDPR also states that a company must maintain a record of its processing activities even if it has fewer than 250 workers if the processing is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if it deals with data related to ideology or political opinions, trade union affiliation, religion or religious opinions, beliefs or philosophical beliefs, ethnic or racial origin, data related to health, sex life or sexual orientation, data on gender violence and ill-treatment, the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person obtained from the analysis of a biological sample, data requested for police purposes without the individual’s consent, or data related to convictions and criminal offenses.

This is also unlikely to be the case for a coworking space; however, each coworking space must assess its individual circumstances and whether it fulfils any of these characteristics in order to decide if it must maintain a record of its processing activities.

If it is necessary for a coworking space to maintain a record of its processing activities, it should contain the following INFORMATION:

  • The contact details of the person in charge (those of the coworking space owner), representative, DPO.
  • Purpose of the processing (for example: to record the relationship of coworking services)
  • Categories of interested parties (customers, event attendees, suppliers...), personal data (names, surnames, addresses..), recipients of the personal data (agencies, computer companies)
  • International data transfers (if they are carried out). An international transfer of data involves the transfer of personal data outside the territory of the European Economic Area (EEA), as will be discussed below, in section 3.9.
  • The envisaged time limits for erasure of the different categories of data (where possible)
  • Description of the security measures implemented in the data processing process (where possible)

c) Data Protection Impact Assessment (henceforth DPIA).

This can be defined as the highest-intensity instrument, of a preventive nature that forces certain coworking spaces to identify, evaluate and manage the risks to which their processing activities are exposed in order to guarantee the rights and freedoms of natural persons.

In most coworking spaces it will not be necessary to use this instrument. Therefore, we shall only give a brief outline here.

Coworking spaces will only be obliged to carry out a DPIA when the processing of personal data entails a high risk for the rights and freedoms of natural persons (Article 35 GDPR).

When is there a high risk to the rights and freedoms of those concerned?

  • If a systematic, exhaustive evaluation of personal aspects of the interested parties is conducted by means of automated processing. For example, profiling in order to subsequently sell them a product or service.
  • Large-scale processing (according to each Member State’s definition of large-scale processing) of special categories of data (as detailed in section 3.1)
  • Systematic monitoring of a publicly accessible area on a large scale. For example: CCTV on a public street which records members of the public.

We can divide the PHASES OF A DPIA into three distinct stages:

First phase: Context

Stage 1: Life-cycle of personal data.

We take for granted what was already stated in section 3.2.1 regarding the life-cycle of personal data.

Stage 2: Proportionality in the processing.

The coworking space, together with the person in charge of processing and the Data Protection Officer, should answer the following BASIC QUESTIONS:

  • Who are the owners of the data we are going to process? For example clients, contacts, social networks, among others.
  • What personal data have we decided to process? Are we going to collect the identification document, address, telephone number, health information, political and / or religious ideology, data on sexual orientation, among others.
  • What are we going to do with the data that we are processing? What is the purpose of processing it? Are we going to use the data to produce statistics, or to manage the provision of contracted services, to send advertisements...
  • Is all the data necessary? An assessment needs to be made as to whether all the data being collected is needed for the intended purposes: there is no need to request data on sexual orientation in order to manage the provision of coworking services, for example.

Once the questions have been asked and the answers have been obtained, the coworking spaces should ask themselves if they have the consent of the interested party or the contract for the specific purposes of the processing. If the answer is in the affirmative, we will decide whether the processing we are going to carry out is proportional to the purposes we have established.

Coworking spaces must decide whether the purpose pursued with the processing of certain personal data can be achieved by other means. Examples of the latter would be if coworking spaces can use less invasive technologies for data collection; if they can reduce the amount of data that the coworking space collects, either by reducing the number of individuals whose data they require, or by checking what type of data they collect; among other options.

These questions must be answered in writing in the document outlining the impact evaluation. If it is found that it does not comply with any of the principles, the processing ought to be stopped and reconsidered.

 Second phase: Risk management

This phase is divided into TWO STAGES:

Stage 1: Identification of threats and risks.

In this section we refer to the points raised in point 3.2.1.a), which means the coworking space must carry out each of the actions established in said section, with the following CHARACTERISTICS:

The risk which exists for each data processing activity involves TWO CONCEPTS:

- The probability that a threat will occur, and

- The impact, that is, the consequences that occur when the threat materializes.

Both the probability and the impact are assigned values ranging from 1 to 4: with 1 being a negligible probability/impact, and 4 a high probability/impact.

Any impact which causes damage can be categorized as: physical damage (physical aggressions derived from the unauthorized publication of intimate data: sexual orientation), material damage (hard disk failure) and personal damages (loss of business value).

Stage 2: Dealing with threats and risks.

Once the threats and risks have been identified, MITIGATING MEASURES must be established, which is the ultimate objective of a DPIA. Risk mitigating measures include:

  1. Technical measures: these are aimed at enhancing the physical and logical security of information assets. Examples: data encryption (creation of passwords), access controls, among others.
  2. Legal measures: are aimed at complying with the rules. Examples: express consent collection clauses.
  3. Organizational measures: are aimed at establishing procedures within coworking spaces. Example: establishing procedures for the exercise of rights by interested parties.

The adoption of these measures will result in what is known as a residual risk, with values which range from 1 to 2 (low risk), from 3 to 6 (medium risk), from 7 to 9 (high risk), and from 10 to 12 or more (very high risk).
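The scoring above (probability and impact rated 1 to 4, risk as their product, residual risk banded as low/medium/high/very high) can be worked through as a small risk register. This Python example is added here and is not part of the guide; the threats, measures and score values are constructed, and the number of points each measure subtracts from probability or impact is an assumption, since the guide only says that measures reduce one or both.

```python
"""Risk register for the DPIA risk-management stage (added illustration).
Scores follow the guide: probability and impact are rated 1 (negligible)
to 4 (high), risk = probability x impact, and the result is banded as
1-2 low, 3-6 medium, 7-9 high, 10-12 or more very high.
The threats, measures and score values below are constructed sample data.
"""
from dataclasses import dataclass, field

SCALE = range(1, 5)  # 1 = negligible, 4 = high, as in the guide


def band(score: int) -> str:
    """Map a probability x impact score to the guide's risk bands."""
    if score <= 2:
        return "low"
    if score <= 6:
        return "medium"
    if score <= 9:
        return "high"
    return "very high"


@dataclass
class Measure:
    name: str
    kind: str                  # technical, legal or organizational
    cuts_probability: int = 0  # points removed from probability (assumed)
    cuts_impact: int = 0       # points removed from impact (assumed)


@dataclass
class Threat:
    activity: str
    threat: str
    probability: int
    impact: int
    measures: list = field(default_factory=list)

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError("probability and impact must be rated 1-4")

    def inherent_risk(self) -> int:
        return self.probability * self.impact

    def residual_risk(self) -> int:
        # Measures lower probability and/or impact but never below 1:
        # mitigation does not make a threat impossible or harmless.
        p = max(1, self.probability - sum(m.cuts_probability for m in self.measures))
        i = max(1, self.impact - sum(m.cuts_impact for m in self.measures))
        return p * i


def assess(register: list) -> list:
    """One row per threat with inherent and residual scores and bands.
    'favourable' mirrors the guide's conclusion stage: a high or very
    high residual risk is not favourable and needs further controls."""
    rows = []
    for t in register:
        inh, res = t.inherent_risk(), t.residual_risk()
        rows.append({"activity": t.activity, "threat": t.threat,
                     "inherent": inh, "inherent_band": band(inh),
                     "residual": res, "residual_band": band(res),
                     "favourable": band(res) in ("low", "medium")})
    return rows


# Constructed register for the guide's paper-form coworker example.
SAMPLE_REGISTER = [
    Threat("Record data on a paper form", "Unauthorised access to the physical file",
           probability=3, impact=3,
           measures=[Measure("Lockable cupboard", "technical", cuts_probability=2)]),
    Threat("Enter data into the database", "Unauthorised modification (integrity)",
           probability=2, impact=4,
           measures=[Measure("User profiles and passwords", "technical", cuts_probability=1),
                     Measure("Updated antivirus", "technical", cuts_probability=1)]),
    Threat("Send invoices to the accountant", "Disclosure to a third party (confidentiality)",
           probability=4, impact=4, measures=[]),  # nothing mitigates it yet
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```

The third threat stays at 16 (very high) because no measure has been assigned to it, which is exactly the case where the guide's conclusion stage calls for additional controls before the processing goes ahead.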

There are FOUR PATHS we can choose when addressing risk mitigation:

  1. The elimination of risk. Cease the processing activity if we realize that we do not wish to accept the risk.
  2. The acceptance of risk. Understand that the measures we have implemented to mitigate the risk are sufficient and no further action need be taken.
  3. The reduction of risk. Implement measures that reduce the probability and/or the impact associated with the risk.
  4. The transfer of risk. We can contract other public or private entities that allow us to mitigate the material consequences associated with the risks. In these cases, it will be necessary to carry out additional analyses.

Third phase: Conclusion.

The DPIA ends with the phase involving the conclusion, composed of TWO DISTINCT STAGES: the plan of action and the report on the conclusions. 

Stage 1: Action plan

The action plan consists of a set of initiatives that must be carried out to implement the controls that help to reduce the inherent risk of all processing activities.

Stage 2: Report on the conclusions

The conclusions report must include the residual risk obtained during the risk management phase, assessing whether the risk is high or considered acceptable and within reasonable limits.

If the conclusion of the DPIA is not favourable, additional control measures must be implemented to reduce the level of exposure to the risks to an acceptable level. If it is not possible to reduce the risk in this way, it will be necessary to initiate a prior consultation procedure with the Control Authority.

If the conclusion of the DPIA is favourable, the processing activity can be carried out, provided that the control measures included in the action plan are carried out. 

Nevertheless, it is recommended that when a DPIA is mandatory, it ought to be carried out by a specialist in the field of data protection and compliance with the GDPR rules.


3.3 Review the coworking space’s existing protection / security measures

The GDPR states: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement APPROPRIATE TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE A LEVEL OF SECURITY APPROPRIATE TO THE RISK."

This means that the GDPR does not establish specific security measures that must be adopted when processing personal data; instead, each coworking space must decide which SECURITY MEASURES are most appropriate in its specific case, depending on the type of personal data that it deals with, the existing risks to this personal data, the purpose for which it processes the data, and so on, as we saw when outlining the basic risk analysis and risk management by default in section 3.2.1.a).

Thus, among many other existing protection / security measures, coworking spaces can adopt the following:

  • Protect computers, hard drives, tablets... with suitably complex passwords, which include numbers and letters in both lowercase and uppercase, which are changed periodically.
  • Perform regular backups, either to the cloud (provided this complies with the provisions of section 3.9 regarding international data transfers) or external hard drives, NAS... and store at least one of them in a different location from where the personal data is stored.
  • Install antivirus programs on the computers.
  • Establish profiles that can access the personal data, so that only those individuals who are actually authorized can access personal data.
  • Activate automatic locking following inactivity on the device.
  • Use lockable cupboards to store all the coworkers' documentation containing personal data.

Right, you are now more than halfway through the guide! In this second part we evaluated whether or not your coworking space needs to appoint a DPO. We also covered what a risk assessment is and the three stages needed to carry it out, as well as the tools for identifying threats and risks and how to deal with them. Finally, we looked at how coworking spaces can review their existing protection/security measures.

In the final part (Part III), we will finish going through the steps coworking spaces need to take to comply with the GDPR and conclude with the key points from the guide. You are nearly there!