GDPR in construction: Are you prepared?
The GDPR (General Data Protection Regulation) is expected to come into force both in European Union and the United Kingdom on May 25, 2018. The law will apply to any company that collects personal data in relation to EU citizens. The UK is also supporting the new regulations regardless of Brexit.
It goes without saying that the law will have a great impact on the construction industry. It will change completely how everyone in the sector used to handle data until now. This means that you should get someone in your company to do all the necessary research and make sure that all the processes and policies in regards to data are complying with the new rules.
Cloud storage, data infrastructure, and tech policies are some of the main points you want to look out for. However, it appears that many companies haven’t still done much preparation in terms of applying GDPR.
In GenieBelt, we believe that the future of construction lies in data and for that reason, it’s extremely important for anyone in our industry to understand the legal aspects of managing it. After all, the future construction workers will be knowledge workers and data managers.
That’s why we did some research and we present to you everything you need to know regarding the advent of GDPR in construction.
GDPR 101: What General Data Protection Regulation is all about
In simple words, the new EU regulation about data protection is changing the way businesses gather and handle personal data. The new regulations will apply both to B2B (Business to Business) and B2C (Business to Consumer) companies and will cover a wide spectrum of data usage.
Personal data could be defined as every single piece of information that can lead to the identification of an individual. Either in a direct or indirect way. Briefly, personal data may include the following categories:
- Name and contact details
- Location data
- Personal identification number
- Website, apps and/or software identifiers
- Cookie strings
- IP address
The construction industry is using vast amounts of personal data which is normally part of a building project’s development. There’s a number of ways in which this type of data can be recorded. More analytically, this personal project data can be collected through construction site CCTV footage and access cards, wearable technology, and smart systems when we are referring to buildings that they have been completed. The use of construction software is, of course, another way in which personal data can be gathered.
Construction companies and organisations accumulate data related to their suppliers, workers, clients and every other party that they collaborate with. Some data is included in the sensitive data category (known also as special categories of data). For instance, sensitive data may include information regarding a person’s origin, trade union membership, natural characteristics or health condition. All this data might be extremely important when someone is working on site but it should be well protected by any type of breach or mishandling.
In simple words, the new EU regulation about data protection is changing the way businesses gather and handle personal data.
That exactly is the goal of the new GDPR that arrives tomorrow. A more secure and transparent management of collected data. Especially after the recent Wannacry cyber-attack, it becomes evident that construction has to try hard in order to keep its data safe and to empower the profile of the industry as a trustworthy data controller and processor.
Data controller vs Data processor
In order to establish a GDPR compliant data processing system, there are six vital principles that you need to take into consideration. These principles will eventually have to be implemented by the data controllers and processors.
A data controller is an individual or party that designates, either alone or in cooperation with others, the purpose of data processing. As far as the data processor is concerned, we are talking about a person or party who follows the guidelines determined by the controllers and who is responsible for processing the personal data on their behalf.
Check out also: Top 8 construction trends for 2018
Data processing covers a wide number of actions both for the controller and the processor. From data collection to data storage and alteration, controllers and processors with the advent of GDPR in construction have to follow a much more carefully defined context and avoid putting the available data under any type of danger or risk.
The six fundamental principles of GDPR
To achieve this, controllers and processors should put in action a detailed and carefully elaborated system of policies and processes which will help them to follow the new EU guidelines concerning the processing of personal data.
In a nutshell, these are the six main standards, you want to comply with:
- Transparency and lawfulness: A lawful, fair and transparent process of the personal data is required.
- Purpose: There has to be a specific and legitimate reason behind the collection and the processing of the data. To put it simply, you have to be able to explain clearly and in great detail why you are gathering the data and what you are going to do with it.
- Minimisation: You should only collect the minimum possible amount of data that you need in regards to your purpose. On top of that, you should only keep the data that it is absolutely necessary to keep.
- Accuracy: Under any circumstances, personal data should be precise and continuously updated. Data that is either unreliable or outdated should be reviewed or deleted.
- Storage: As soon as the data is no longer necessary for your purpose, it has to be deleted.
- Confidentiality and integrity: Data should be stored in a secured manner. Simple as that!
The four processing conditions you need to know
Thanks to the six principles mentioned above, data processing is becoming more transparent and accountable. Nevertheless, there are four crucial processing conditions, at least one of which should be satisfied in order for a controller to lawfully handle personal data:
- Consent: The data subject should provide unambiguous positive consent regarding the processing of his/her personal data for specific purpose(s).
- Performance of contract: The data in question should be processed in order to allow/facilitate the performance of a contract that the data subject is part of. Data processing can also be a way for the data subject to initiate a contract agreement.
- Legal requirement: The controller is obliged by the national or European law to process the personal data.
- Vital interests: In cases of emergency (eg. medical), the processing of personal data is allowed in order to protect interests of vital importance either for the data subject or another person in connection with the subject.
Consent in the center of attention
Consent is probably the most frequently used, and hence most noteworthy, processing condition. GDPR brings a completely new and much stricter context to the notion of consent.
Consent could be defined as an explicit, informed and voluntarily given a manifestation of the data subject’s intentions. The consent should be provided through an affirmative statement or action and it should not be omnibus. Simply put, the data subjects should be able to offer their consent for every data processing action separately. In the same sense, they should also be able to withdraw their consent in an easy and straightforward way.
All in all, here are the nine central points that need to be satisfied for a consent to be valid according to the GDPR requirements:
- Simple and understandable language: The consent form should be written in a simple and straight-forward way. Furthermore, it should be written in a language that the individual can understand. This means that companies who are collaborating with customers from other countries should translate their privacy policies into the local language.
- Opt-in: Data subjects should actively choose to give their consents. Implied consent or pre-ticked boxes are not sufficient.
- Distinct consents: Omnibus consents are not acceptable, as well. Data controllers should provide the option of separate consent based on the data processing action in question.
- Genuine decision: Refusing or withdrawing consent should be a choice clearly made by the data subject. A consent isn’t considered legitimate if this action can harm the interests of the data subjects.
- Balance of power: There should be a clear balance of power between the data controller and the data subject. Otherwise, the consent isn’t genuine. A good example is when the data controller and the data subject have an employer-employee relationship.
- Not a condition: Consent shouldn’t be an integral condition for moving forward with a contract.
- Ability to withdraw consent: Data subjects should be able to withdraw their consent at any moment. Withdrawal of consent should be easy and the subjects should be informed about their right to do so beforehand.
- Distinct sensitive data consent: An explicit consent must be given in cases where sensitive data should be processed or transferred to countries that don’t belong in the EU.
How to demonstrate compliance with GDPR in construction
Now that you know what exactly you should do in order for your construction company to comply with the new GDPR, it is essential to know how you can demonstrate this compliance. Below you can find the main points that will allow you to do that:
- Policies: Carefully elaborate and maintain the data protection policies of your company. Make sure that you share them with your employees and that you review and update them on a regular basis.
- Training: Invest in training, so your staff is well prepared and informed.
- Inspections: Systematic internal inspections can help you ensure that your data protection procedures and policies are following the GDPR guidelines.
- Assign a DPO (Data Protection Officer): It’s highly recommendable that you appoint an experienced Data Protection Officer who can help you with implementing the GDPR principles and who can function as the contact person for data-related issues.
- Pseudonymisation: It should not be able for controllers and processors to identify a subject based on the stored personal data without the use of a restricted key.
- Transparency: Clear and transparent processes is the key to success when we are talking about GDPR compliance.
- Put together a DPIA: DPIA stands for Data Protection Impact Assessment. Running a DPIA is the first thing you want to do before you start introducing new services and features.
Breaching GDPR is going to cost you
If you are still not convinced about the impact that GDPR will have on the way that you manage data in construction, you should take a closer look at the consequences in case of non-compliance with the new EU regulation. Ignoring GDPR is just not an option.
The repercussions of a data breach are expected to be very serious and costly for your company. More specifically, those who don’t comply with the new guidelines will have to pay fines that reach up to 4% of their global annual revenue or €20,000,000 (depending on which one is higher).
Read more here: Do you know construction’s dirty secret?
And that’s not all! The subjects who are affected by this breach can also raise claims for compensation. In this case, it’s worthy to mention that there is no maximum compensation limit. It’s clear, then, that you want to be extremely careful when it comes to data breaches.
More importantly, a GDPR breach can damage significantly your company’s reputation and financial state. This could lead many of your customers to change service provider and it could harm the long-term strategy of your firm.
GDPR is around the corner and it is expected to change the construction industry, as we know it. All companies have to make sure that the necessary changes are done before it’s too late. Making your construction firm GDPR compliant is a demanding and long procedure, but in the end, it can bring the building sector one step closer to a more transparent and accountable future.