GDPR is coming. Is your facilities management company ready?

26 March 2018

There are a number of reasons why GDPR is such a big issue for facility management (FM) businesses:

  • they tend to have large and transient workforces;
  • they have large customer bases;
  • they operate on multiple sites and locations, many of which they do not own but for which they still hold responsibility; and
  • they often acquire new or temporary workforces.

Due to the above factors, FM companies hold vast amounts of personal data. This puts them at a higher risk than many other types of business when it comes to GDPR compliance.

The risks around transient workforces and data privacy are highlighted by a current legal case involving a high-profile retailer. In 2014 the payroll information of 100,000 employees was posted on the internet, including bank and salary details, addresses and telephone numbers. Over 5,500 individuals are now accusing the retailer of failing to prevent this leak and of exposing them to the risk of identity theft and potential financial loss. The case is being viewed as the first data leak class action in the UK, with legal experts predicting it could have implications for every individual and business in the country.

It is worth noting that this case was heard under the current legislation, where complainants have to prove both financial loss and distress. When GDPR comes into force in May, they will only need to demonstrate distress. As a result, cases like this could become commonplace.

Risks surrounding GDPR compliance should not be underestimated – especially in light of the swingeing penalties for getting things wrong.

Notification of personal data breaches is mandatory: a breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to the individuals affected. Breaches of the regulation can attract fines of up to €20 million or 4% of global annual turnover, whichever is the greater. If this were not incentive enough, with data protection at the top of public interest, there is also the risk of severe reputational damage and class actions for privacy lapses.

For those who are getting ready, the implementation of GDPR offers an opportunity to change business behaviours around privacy by promoting a positive behavioural shift. By embracing GDPR, many may find that they benefit, particularly from a reputational standpoint.

With this in mind, and May around the corner, the most important thing to consider is how much risk you may be carrying with your current systems. As a start, we recommend that you stress test your existing arrangements for responding to cyber attacks and managing the resulting crisis, for handling data subject access requests within the statutory deadline, and for handling complaints. We are already helping more and more FM clients navigate the journey to GDPR compliance, by providing them with a seamless, end-to-end service drawing on a wide range of expertise from across our firm.

For FM companies, the message is clear. GDPR is almost here, and it will bring profound implications for your business. Now is the time to embrace it. The clock is ticking.


Raoul Rambaut  |  Partner, Risk Assurance, part of the PwC network