Features - Business

What GDPR means for construction companies

What you should do now to comply with the new GDPR legislation? Here Helen Davenport, Director and Sarah Rock, senior associate at Gowling WLG, give advice to construction companies.


The General Data Protection Regulation (GDPR) will apply to all organisations processing personal data within the EU and to other organisations offering goods and services to individuals in the EU. ‘Personal data’ covers data relating to a living individual, even if that individual could only be identified from that data together with other information in your possession – so the GDPR has a wide scope. The date on which the GDPR will come into effect – 25 May 2018 – is fast approaching so the new legislation should be firmly on your organisation’s radar by now.

What it will mean for businesses

Businesses will need to ensure they comply with the data protection principles set out in the GDPR. These provide that data must be:

  • processed lawfully, fairly and transparently
  • collected for specific, explicit and legitimate purposes (and not used for anything else)
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date where necessary
  • retained for no longer than necessary; and
  • kept secure.

Extra safeguards apply to the processing of special category personal data (such as data revealing racial or ethnic origin or trade union membership) and data relating to criminal convictions and offences.

Many of the key concepts under the GDPR are much the same as those in the current Data Protection Act (DPA), so organisations complying with the current law will have a good starting point. However, there are new obligations and also some enhancements. The GDPR also emphasises the documentation that data controllers (the person or party that determines the purposes and means of the processing of personal data) must keep to demonstrate their compliance with the principles (called accountability).

Among the other new obligations receiving the most attention are the introduction of a duty on all organisations to report certain types of data breach to the relevant supervisory authority (in the UK the ICO). Organisations will also have to report certain data breaches to the individuals affected too. Recent high-profile data breaches involving the likes of Uber, Equifax and UniCredit demonstrate that cyber attacks and data breaches are a real and immediate threat for all organisations.

Crucially, the GDPR introduces tough penalties for non-compliance – much higher than the current maximum fines of £500,000 that the ICO can issue under the DPA. Depending on the breach, fines of up to four per cent of global annual turnover for the previous financial year or €20m, whichever is higher, can be imposed. Any individuals affected by a breach can also bring a claim for compensation – and while the sum that any individual is entitled to may well be relatively small, a data breach where thousands (and conceivably millions) of individuals are potentially affected could, cumulatively, have very serious consequences.

How it will affect the construction industry specifically

Recent research suggests that at least some construction businesses believe that the GDPR will not affect them. However, all employers should be reviewing their processes for handling employee data in light of the GDPR. Most construction companies these days do not directly employ many workers, but will have some and are also likely to deal with personal data about individuals even where that labour has been procured by third parties. Exchange of data between the various parties involved in a construction project is common. Personal data may also be collected through site access cards and CCTV. In addition, construction businesses will hold personal data about customers and suppliers.

Buildings are also becoming smarter. The implementation of digital processes in the design, construction and operation of built assets will facilitate and entail more data collection, for example through smart management. As this becomes more commonplace the GDPR will have even greater impact and compliance should be factored in when designing buildings digitally (for example through use of technologies such as BIM) and passing these models on for management of the asset.

What businesses need to action prior to the deadline

The GDPR will come into effect prior to the UK ceasing to be a member of the EU. New legislation (the Data Protection Bill) is also being progressed and that will adopt the provisions of the GDPR into UK law, so its requirements will continue to apply post-Brexit. Therefore, they cannot be ignored.

As a starting point, businesses should carry out an audit of the personal data they collect and use across their organisations, and review existing processes for compliance with the GDPR, ensuring records are kept. Other steps to take include reviewing and updating privacy notices so they are GDPR compliant, raising awareness of data protection including through training and making sure the right processes are in place to detect, investigate and report a data breach. The GDPR also makes privacy by design (an approach to projects that promotes data protection compliance from the outset) an express legal requirement.

With the deadline for the GDPR fast approaching, organisations who do not already have plans in place to comply should take action urgently.

If you would like to read more articles like this then please click here.