According to the latest report by the IMARC Group, titled “India Facility Management Market: Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028”, the India facility management market is primed to rise in the coming years. The study provides a detailed analysis of the industry, including the India facility management market size, share, trends, and growth forecasts. The report also includes competitor and regional analysis and highlights the latest advancements in the market. The instruments and services used to guarantee a building’s safety, comfort, functioning, sustainability, etc. are referred to as facility management (hereinafter FM).
It includes things like administration of leases and accounting, occupancy and space management, energy management, emergency management, and business continuity. Wi-Fi, smart devices, Internet of Things (hereinafter IoT) sensors, artificial intelligence (hereinafter AI), and other technologies are used by FM services to offer cognitive capabilities, achieve real-time visibility, and perform other functions. As a result, they have a wide range of uses in both the business and residential sectors.
The rise of the real estate industry is boosting the facility management market in India due to the increase in urban development projects and changing customer preferences towards clean, safe, and secure surroundings. In addition, the booming Information Technology (hereinafter IT) and e-commerce industries are driving up the need for necessary infrastructures and organised spaces, which is further boosting market expansion. The Indian industry is also being boosted by the growing use of AI and IoT technology to automate FM services for energy efficiency audits.
The following are the key stakeholders of the Facility and Management Industry, who play a vital role in influencing and shaping the growth of the sector-
i. Facility Managers
Facility Managers are the professionals who ensure that the services provided fulfil the needs of the workers the facility houses, by way of inspection, repairs, attending to plumbing issues etc. Their primary responsibilities are security and maintenance.
ii. Contractors and Vendors
Contractors and Vendors are those who sell products which are comparable or similar to another pre-existing product to different types of clients. They generally deal in or distribute materials, or provide the data processing services for the project as may be prescribed.
iii. Building Owners
Building owners are those who own an interest in private or public buildings. They are supposed to take the required measures to minimise risks, by way of insurance coverage or building codes, while keeping the overall integrity of the buildings in order.
iv. Maintenance and Operational Staff
Maintenance and Operational Staff include those workers who are required to maintain the equipment before any issue arises, through cleaning, lubrication, inspections etc. They perform the day-to-day activities that are required. It includes custodial staff, security personnel etc., and other employees who need to ensure the physical safety and functionality of the facility.
The Facility and Management Industry and the data protection laws have a very complex interrelation, which protects sensitive information and at the same time influences the management of businesses. Data protection laws play a vital role by serving as a critical safeguard for the vast amount of personal data which is processed and stored in the increasingly digital world. Following are the laws applicable to the Facility and Management Industry –
1. Digital Personal Data Protection Act, 2023 (hereinafter “DPDP Act”).
2. Information Technology Act, 2000.
3. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
IMPLEMENTATION OF DPDP Act, 2023
India is heading towards digitalization in every area, like the Facility and Management Industry, banking, education etc., so the need to protect stored data has also increased with time. Data processing activities need to be as transparent as possible so as to collect complete and correct data. Following are the ways in which the DPDP Act, 2023 can be implemented in the Facility and Management Industry-
a. Notice and Consent
Section 4 of the DPDP Act says that the data subject must give consent for the processing of personal data. Section 5 (2) (b) of the Act says that such consent may be withdrawn at any time; until then, the personal data may continue to be processed. Section 6 of the Act says that the consent given by the Data Principal should be free, specific, informed, unconditional and unambiguous, and should be utilised only for specified purposes. In the context of the Facility and Management Industry, companies provide their own privacy policies, wherein it is stated that consent should be taken before processing any personal data of an individual and that, as soon as the individual withdraws their consent, the stored personal data is deleted immediately.
b. Facility and Management Industry as a Data Fiduciary
It is to be noted that Section 2(i) of the Act states that the data fiduciary is a person who determines the purpose and means of processing the personal data. The Facility and Management Industry can be classified as a Data Fiduciary because it collects the information or personal data of the data subject, like login credentials, passwords etc., on the basis of the number of times the data subject visits the website of the Facility and Management Industry. Here, the Facility and Management Industry directly gets access to the personal information of the data subject. Consent of the data subject for providing this personal information is taken directly by generating a pop-up window as soon as a visitor accesses their website.
c. Rights and Duties of Data Fiduciary
The Facility and Management Industry may be categorised as a Data Fiduciary under Section 2(i) of the DPDP Act, 2023, which defines a Data Fiduciary as any person who determines the purpose and means of processing of personal data. Thus, the following obligations shall be applicable to companies that fall under the Facility and Management Industry, as Data Fiduciaries: –
GRIEVANCE REDRESSAL MECHANISM
Section 8 (10) of the Act states that companies, being Data Fiduciaries, must establish an effective grievance redressal mechanism for the data subjects so as to address their issues properly. Section 13 of the Act also states that it is the right of the data subject to have a means of grievance redressal provided by the companies to which they give their personal data for storage or processing. It further states that the data subject, before approaching the Board on an issue related to a personal data breach, must first consult the grievance redressal mechanism so as to resolve any issue related to the data breach.
GREY AREAS IN DPDP ACT
The DPDP Act, 2023 lays out procedures on how corporations and the government itself can collect and use information or the personal data of India’s citizens. It applies to all processing of personal data within India where such data is collected online, or offline and then digitized, but the Act has some flaws regarding enforcement, time limits etc., which need to be addressed by the Government. Following are the drawbacks of the DPDP Act, 2023 in relation to the Facility and Management Industry-
NO TIME LIMIT FOR THE NOTICE OF BREACH
Section 8 (6) of the DPDP Act states that the Data Fiduciary must give intimation about the breach to the Board and to the data subject in the manner as may be prescribed. But the Act does not say anything about the specific time period for providing the notice to the Board in case of a data breach. So, it is significant to consider that the notice should be given at the earliest, as and when the data breach is reported. Also, the data subjects must not be kept in the dark, and there must be transparency in case of a data breach. In the context of the Facility and Management Industry, the companies must approach the Board or create a mechanism to look into cases wherein a breach of data has occurred at any time, for the protection of the personal data provided by customers to fulfil their requirements.
CROSS BORDER TRANSFER OF PERSONAL DATA
Section 16 of the DPDP Act states that the Central Government, by notification, may restrict the transfer of personal data to any country outside India.
However, Section 75 of the IT Act, 2000 states that an offence committed outside India by any person on a computer or related computer network located in India shall be punishable. In the context of the Facility and Management Industry, major companies are transferring data to other countries, and such countries have different standards of data protection than the DPDP Act. Hence, the DPDP Act must clarify the position on cross-border transfer of data.
NO TIME LIMIT FOR ERASING DATA AFTER THE CONSENT IS WITHDRAWN
Section 6 (4) of the DPDP Act states that the data subject has the right to withdraw his consent to process the personal data at any time. Section 8 (7) (a) of the DPDP Act goes one step further and states that the Data Fiduciary should erase the data as and when the withdrawal of consent is received. But the Act does not mention anything about the time period within which the Data Fiduciary is obliged to erase the data. Therefore, in the context of the Facility and Management Industry, once the data is stored and the data subject withdraws consent to process the personal data, there is no specified time period within which the Facility and Management Industry should erase the personal data.
SAFEGUARDS AND LEGAL INSTRUMENTS
Businesses must modify their strategies to comply with the new standards due to their emphasis on permission, data subject rights, openness, and responsibility. To do this, extensive data audits must be conducted, privacy policies and procedures must be reviewed and updated, staff members must be trained, and data protection specialists must then be consulted.
Following are the legal instruments, other than the DPDP Act, which have a significant impact on data privacy obligations on the Facility and Management Industry-
Information Technology Act, 2000.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (hereinafter “IT Rules”), 2011.
Section 5 of the IT Rules deals with the Collection of Information, wherein the following is stated-
Section 5 to 7 of the Rules 2011 regulate collecting, storing, processing, handling, retaining, using and transferring the data. The definition of personal data includes passwords, sexual orientation, medical records, biometric information, physical or mental health etc., but it does not include data that is freely available, is available under the IT Act, 2000, or is accessible in the public domain. Section 5 also gives the data subject the right to review, update or withdraw consent. There is no data localization, as the Rules freely allow sensitive personal data or information to be shared outside India.
Rule 5 (2) of the Privacy Rules 2011 states that companies should collect sensitive personal data or information when it is required for a lawful purpose. Accordingly, in the Facility and Management Industry, companies can only collect the sensitive personal information of the data subject to carry out a lawful object which is connected with the functions of the Facility and Management Industry.
The DPDP Act specifically mentions the protection of personal data and mandates that businesses notify data subjects of the reason they are collecting their data, identify the goal of that collection, and seek their consent before processing that data. However, it also has its fair share of flaws, since it is unclear about the cross-border transfer of data and many of the specific rules and regulations are yet to be notified.
However, even at its present stage, facility management companies will now be required to set up complaint procedures, such as a grievance redressal mechanism, that support the investigation of any personal data breach and give clients complete control over their personal information.
Companies in the Industry must provide data privacy notifications which specifically mandate that the data principal be informed and given the choice of whether they want to limit how their personal information is used. Data fiduciaries who aren’t businesses (consent managers) will record the date consent was granted as well as the justification and criteria for maintaining the data. Additionally, if a parent or guardian provides identification, the firms must put in place measures to verify its validity, if they store any data of children.
Team AMLEGALS assisted by – Ms. Aradhana Jain (Intern)