Data Security In Facilities Management

A man working on a laptop Aisha Akhtar, a solicitor in the Commercial team at Blacks Solicitors, discusses what facilities managers need to consider when it comes to data security.

Data security has become a vital responsibility within the facilities management profession. With the potential for data breaches to impact the function and reputation of organisations, facilities managers hold a key line of security responsibility.

Depending on the size of an organisation and the sector in which it operates, as well as the volume of and purposes for which data is held and processed, data security should be on the agenda of senior management. Additionally, it may be appropriate to appoint a specific individual or team to ensure data protection policies and procedures are followed in the organisation.

Overall Responsibilities

Part of the specific responsibilities for facilities managers focuses on site security. A perimeter breach to any site that stores or processes data risks a data breach, which could have adverse consequences for an organisation. Computers, devices, or documents containing data are at risk during a site breach, and it is the responsibility of a facilities manager to ensure that these assets are at minimal risk. However, employees working from home or commuting to a site in possession of an organisation's assets pose additional data breach risks.

In order to provide optimum data security and avert potential breaches, there are several processes facilities managers should undertake.

Processes And Education

Becoming proficient and confident in relevant data breach and incident management procedures will allow a facilities manager to respond as quickly as possible to a security event. This includes understanding and complying with any internal reporting obligations for any confirmed or potential security breaches which might occur.

Any individual with approved access to a facility or site could be the source of an inadvertent data breach. Educating colleagues on the importance of data security and the process required should a potential breach occur will improve the likelihood of a rapid response. This training and education must be regular and not an independent occurrence. It’s also advisable for existing employees to receive reminder or update sessions in regular intervals to sustain a level of data security awareness, in addition to educating new employees on an organisation’s policy and standards. It may be advisable to have a written policy for individuals to refer to. This will reduce confusion in the event of a data breach and bolster the standards established through training.

Ensuring that data breach policy and reporting process information is easily and quickly accessible to all colleagues on site is advisable to ease the data security process, but additionally to reduce the risk of sanctions for late disclosure to the Information Commissioner's Office (ICO).

Offsite Data Security

Home working has exposed organisations to new data security risks. Employee’s homes do not necessarily share the same security measures as work premises, and certainly do not benefit from onsite security arrangements coordinated by senior management. However the security responsibilities of an organisation’s assets, both onsite and off, may still come under a facilities manager’s authority.

Commuting exposes an organisation’s assets to similar risks as home working, with the potential loss or theft of devices or papers containing data an increased risk compared to standard onsite operations. Facilities managers should be aware of the increased risks for employees working from home or commuting to a site with any devices or papers. Part of negating this risk comes from education and training, and potentially arranging for communications to reach colleagues to cement the importance of data protection in their professional processes.

Reminding staff of the common ways in which an organisation’s data can be breached can support more effective data protection. These include the disclosure of personal data to unauthorised individuals, clicking links within highly sophisticated phishing emails, or downloading software which would enable hackers access to an organisation’s IT infrastructure. Some scammers or hackers will use emails designed to mimic a known contact that someone is more likely to trust, including people within an organisation. Supporting and listening to a colleague with even a small concern could be key to avoiding a breach.

For more information, please visit

Data Security In Facilities Management