101 guide on GDPR for coworking spaces (I)
The EU General Data Protection Regulation (GDPR), a major European data protection law, has been in force for two months now, but we still get regular queries about it.
We teamed up with Leco (legalcoworking) to create another one of our 101 guides to help you understand how the GDPR applies to your coworking space.
The GDPR is a new set of data laws fit for the digital age, and its purpose is to harmonise data privacy laws across Europe and to give more protection, rights and control to individuals regarding their personal data.
In the coworking industry we are always dealing with data, including members, visitors and website users’ data. This guide aims to help coworking spaces plan how they are going to deal with all of this personal data in a clear, fair and transparent manner and what security measures they should take. It also establishes the affected party’s rights regarding their personal data. The guide is rather long though, so there will be 3 parts - fasten your seatbelts!
Here’s an outline of what will be covered in the GDPR guide for coworking spaces:
(Part I)
- COWORKING SPACES AND THE GENERAL DATA PROTECTION REGULATION (GDPR)
1.1. What is meant by personal data?
1.2. What personal data can a coworking space process?
1.3. Why must coworking spaces adapt their procedures to the GDPR?
- The GDPR
2.1. What are the main points of the GDPR?
2.1.1 A proactive approach
2.1.2 A lawful basis for the processing of personal data
2.1.3 Principles relating to the processing of personal data
2.1.4 Transparency and information for interested parties
2.1.5 Provision of rights to those affected
(Part II)
- STEPS TO BE FOLLOWED BY A COWORKING SPACE TO COMPLY WITH THE GDPR
3.1 Decide whether you need to designate a DPO (Data Protection Officer).
3.2 Conduct a risk assessment.
3.2.1 Tools to identify threats and risks. Evaluating and dealing with such threats.
3.3 Review the coworking space’s existing protection / security measures
(Part III)
3.4 Establish a procedure for reporting security breaches.
3.5 Information for interested parties regarding the processing of their data
3.6 Consent
3.7 Establishing procedures through which interested parties can exercise their rights
3.8 Selection and contracting of those responsible for processing
3.9 Deciding whether you engage in international data transfers
- CONCLUSION
__________________________________________________________________________________
GDPR GUIDE FOR COWORKING SPACES
Following the introduction of the new European Data Protection Regulation, we have put together a GDPR Guide for Coworking Spaces, which aims to outline in a clear, detailed manner, with the use of examples, the steps you need to follow to be GDPR compliant. Our objective is for you to understand the key points and designate an individual to help your coworking space adapt to the GDPR regulations.
We recommend you read this guide carefully. It is rather long, but it contains only what is necessary to tell you everything that you need to know about GDPR and the steps you need to take to comply with it.
___________________________________________________________________________________
1. THE COWORKING SPACES AND THE GENERAL DATA PROTECTION REGULATION (GDPR)
Coworking spaces allow independent professionals from different sectors to share the same workspace and they facilitate the emergence of joint projects, as well as the growth and consolidation of individual professional projects.
In the exercise of their professional activity, coworking spaces handle personal data, which means they must conform to the General Data Protection Regulation (GDPR).
1.1. What is meant by personal data?
All information about natural persons (NOT legal persons) that identifies them or makes them identifiable. This therefore includes data of a personal nature: names, surnames, addresses, email addresses, ID numbers, etc. It also includes a person's image, since it allows them to be identified.
* This guide will refer to the owner of such personal data as the affected or interested party, or as the coworker, as applicable.
* The guide will refer to the holder of the coworking space as the owner.
* Companies or professionals who provide services to the owner of the space, and as such have access to the personal data in its files, will be referred to as the person in charge of processing. They will only process data on the owner’s instructions.
1.2. What personal data can a coworking space process?
When we talk about "processing" personal data, we refer to any operation performed on it, such as collection, recording, storing, adaptation or alteration, retrieval, etc.
Usually, the personal data that a coworking space will request from coworkers or its contacts will concern basic identification data such as names, surnames, emails, addresses, ID numbers, telephone numbers and the bank account or credit card numbers of those who pay for the service.
In addition, it may also process personal data of professionals who provide them with a service.
1.3 Why should coworking spaces adapt their activities to the GDPR?
Because in the exercise of their activities (providing coworking services) they deal with personal data, and because those services are provided from an establishment with a person in charge (the owner of the coworking space, whether a natural person, a company, etc.) within the European Union.
2. The GDPR
The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. In other words, the General Data Protection Regulation (GDPR).
The GDPR is a directly applicable standard, which means it is mandatory in all EU member states. Nevertheless, the GDPR allows each European Union member state to add to or modify certain of its provisions in accordance with its own local laws, which means:
VERY IMPORTANT! Every coworking space must ensure that it also complies with the regulations that may be passed by its own country.
2.1. What are the main points of the GDPR?
2.1.1 A PROACTIVE APPROACH
The GDPR is committed to a more proactive approach. This means that coworking spaces must analyse the kind of personal data they will deal with in carrying out their professional activities and what dangers this data processing may entail, and, on this basis, adopt the security measures they deem most appropriate and proportionate to prevent unauthorised third parties from accessing, modifying or erasing personal data.
In this way, the coworking space plans beforehand how it will deal with personal data and which security measures, the most appropriate and the least invasive, it will implement for that data (privacy by design). It will also only deal with the data essential to provide its coworking services (privacy by default). Therefore, requesting names, surnames, identification numbers, addresses, etc. is sufficient in order to provide a coworking service. Other data such as health data, ideology, religion, etc. will not be requested.
The ultimate aim of the GDPR is to reduce to a minimum the risks that all data processing entails, rather than the elimination of all risks. Such risks always exist whenever personal data is processed.
2.1.2 A LAWFUL BASIS FOR THE PROCESSING OF PERSONAL DATA
The GDPR also states that any processing of personal data, in order to be legal, must rest on a basis that legitimises it. What does this mean exactly? That there must be a reason for processing the data, and that reason must be one the GDPR expressly stipulates.
In the case of coworking spaces, data processing usually occurs due to the existence of a contractual relationship, that is, the coworker enters into a contractual relationship with the space which provides them with its coworking services.
However, what about an individual who asks for information about the coworking space, whose personal data we collect in order to send them that information, and who subsequently does not end up being a client of the space? In this instance, consent would form the basis for processing this person’s personal data, which means they must specifically give their consent to the processing of their personal data, as we will explain below.
2.1.3 PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
- Lawfulness, fairness and transparency. In relation to the interested party, the data must be processed by the coworking space in a lawful, fair and transparent manner.
- Purpose limitation. Data collected for a specific purpose may not be used later for a different purpose. For example, if the coworking space collects data from a coworker to provide them with coworking services, it will not be able to subsequently use this data to send them advertising related to other brands or products.
- Data minimization. Personal data must be adequate, relevant and limited, that is, only the data that is strictly necessary in relation to the purposes for which it is collected. Therefore, if a name and surname is enough to provide the service contracted, no other information, such as hobbies, health data, etc., will be requested.
- Accuracy. Personal data must be accurate, and where necessary, kept up to date.
- Storage limitation. The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; therefore, the data will only be stored for the time necessary for the aim of the processing. This means that when the contractual relationship between the coworking space and the coworker ends, the space must not continue to store their personal data.
- Integrity and confidentiality. Personal data must be processed in a way that guarantees its adequate security and confidentiality, through the application of appropriate control measures.
2.1.4 TRANSPARENCY AND INFORMATION OF THE INTERESTED PARTIES
The information that must be provided to the holders of the personal data being processed, and any communication with them, must be given in clear and plain language, in a transparent manner and in a concise and easily accessible form, as we shall see in section 3.5.
2.1.5 EXTENT OF THE RIGHTS OF THE DATA SUBJECT
Those affected will have the right of access, the right to rectification, the right to erasure (‘the right to be forgotten’), the right to object, the right to restrict processing and the right to data portability of their personal data. We will address these later.
There you have it! In the first part of the guide we have covered what personal data coworking spaces can process, why spaces should adapt their procedures to the GDPR, as well as the main points of the GDPR.
Next week, Part (II) will cover some of the steps a coworking space needs to follow to be GDPR compliant... Not long to go now till you are a GDPR expert for coworking spaces, hang in there!