Smart Buildings and GDPR

What is a Brand Discovery ?
IP Expo

This article was delivered at IP EXPO Europe 2018, and provides you with a snapshot of the insight you can expect to see at Digital Transformation EXPO Europe 2019!

This session bought together several topics relating to smart buildings, IoT, supply chain and their connection with GDPR. Anyone who is responsible for smart buildings must adhere to the new GDPR regulation, not only must they comply, but they will have to prove how they are actively compliant.

Demonstrating compliance with data protection/GDPR for smart buildings is a difficult process, it requires compliance in not only selecting vendors who understand security and data protection, but installers, integrators and consultants too who also need to understand their role to be compliant. Sarb Sembhi described the regulatory obligations as well as identifying some of the key roles and responsibilities related to data protection in smart buildings.

Data Protection was fine! Why GDPR?

Sarb started the session by saying “GDPR is not the most exciting topic you will hear about today, however, it is very important that we understand the new regulation and ultimately how we must comply.”

He went on to say that “we need to remember that technology is a tool and there are so many IoT devices available on the B2C and B2B markets. I believe we call things smart that are not truly smart or even needed, but they are most definitely collecting data and need to be monitored.”

Reasons for GDPR:

  • Growth of the Internet
  • Use of sensors and surveillance devices
  • The increase in volume of databases from every device
  • Regulations protecting the “new oil” being ignored and frustrating regulators and citizens
  • The impact of the growth of social media
  • IoT facilitation of data collection


If a building is reactive and predictive it needs to be secure, and any new device brings with it another set of new challenges and ultimately makes venders vulnerable. Sarb went on to say “If we don’t secure these systems we are allowing them to be owned and weaponised by criminals or state actors against our privacy / security, so that smart buildings and cities will become danger zones and not the good tools we want.”

Despite GDPR seemingly creating a huge to do list for organisations fully embracing smart buildings, we have to remember that GDPR has given smart buildings a reason to be secure and as Sarb highlighted, this is actually pretty great.

A key driving point to be noted by Sarb is that “the data controller for a smart building should adopt internal policies and this should be a massive driving factor.”


  • Device / system defined functionality can’t alter when it is too late
  • Additional devices / systems introduce new vulnerabilities
  • Every additional stakeholder is able to alter configuration
  • Every additional stakeholder is not able to verify the data protection or security of the previous stakeholder in the supply chain
  • Vendors don’t control the maturity of data protection or security capabilities of the supply chain
  • Specifiers don’t know how to specify building data protection and security in by design and default

Planning ahead

Products take time to produce and Sarb urges companies to consider GDPR early in the production process, he compared this to a ‘chicken and egg’ situation and asked the question as to whether the data impact of a new device should be considered pre or post protection in terms of security.

He also highlighted the importance of including all stakeholders in agreeing the security setting implications and this will help to cover all variables.

Interested in reading the full article? Follow this link to download the ebook and get even more great content like this.

Read also :