It should already be in your diary. 25 May 2018. The day that GDPR takes effect.
But while this date has been on everyone's radar for many months now, many industries and businesses are still not fully prepared for the major changes to the collection and use of personal data that this new EU legislation will bring about next year.
In the construction industry, we deal with a lot of personal data about individuals.
Project data can include details of the individuals forming part of project teams. Individual worker personal data may be recorded on site access cards, on security CCTV footage and on wearable technology. Individuals' personal data can also be recorded by smart systems in completed buildings. Organisations store data about employees, customers, suppliers and the people they network with, all as a matter of course. In some circumstances this will include sensitive personal data, for example relating to accidents or health issues that need to be noted while an individual is on site.
All of this data can be stored, reviewed, used and even shared with other interested parties (like insurers or funders).
But with the introduction of GDPR, the way in which all of this personal data is treated will change in May next year. You may think that, because this is EU legislation, we don't need to worry about it for too long with Brexit on the horizon. However, that's not the case; there is a new Data Protection Bill working its way through Parliament which will adopt the GDPR into UK law once we leave the EU.
In addition to this, the WannaCry ransomware attack that disrupted the NHS earlier this year, and the data breaches that regularly hit the headlines, all highlight the importance of keeping data secure and the reputational damage that follows when it is not.
So, what is GDPR about?
The EU General Data Protection Regulation (commonly referred to as GDPR) updates the current legislation that governs the way we deal with data protection matters.
"Personal data" is defined very broadly and essentially means any information relating to an identified or identifiable natural person.
This includes personal data about people in their work lives as well as their personal lives, so would include their work contact details (like their email addresses) and personnel files for example.
The GDPR also identifies "special categories of personal data", such as personal data revealing racial or ethnic origin, religious beliefs or trade union membership, genetic or biometric data used to identify someone, and data concerning health or sexual orientation. These attract additional protection and can only be processed on narrower grounds.
Even data that does not look as if it identifies anyone is still personal data if it can be combined with other data to identify an individual: site access card records matched against CCTV footage, for example, or a pseudonymised list of employees (one in which the identifying fields of each record have been replaced by an artificial identifier) combined with the information needed to map those identifiers back to people.
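The linkage point above in working code, as an added example that is not part of the original article. It uses a constructed site access log and HR list (not real data) and a hypothetical key; it shows that replacing card numbers with a plain hash leaves the log trivially re-linkable by anyone holding the HR list, while a keyed token (HMAC) moves the re-identification risk onto the key, which therefore has to be held and access-controlled separately. In both cases the pseudonymised log remains personal data, because someone can still attribute it to a named worker.

```python
import hashlib
import hmac

# Constructed sample data (not from the article): a site access log keyed by
# card number, and the HR record that maps card numbers to named workers.
ACCESS_LOG = [
    {"card": "C-1042", "gate": "North", "time": "2017-11-06T07:58"},
    {"card": "C-2210", "gate": "North", "time": "2017-11-06T08:03"},
    {"card": "C-1042", "gate": "Stores", "time": "2017-11-06T12:41"},
]
HR_RECORDS = [
    {"card": "C-1042", "name": "A. Example", "role": "Site manager"},
    {"card": "C-2210", "name": "B. Example", "role": "Electrician"},
]


def unkeyed_token(value):
    """Naive pseudonym: a plain hash of the card number. Anyone holding the HR
    list can recompute it, so the log stays trivially linkable."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def keyed_token(value, key):
    """Keyed pseudonym: an HMAC over the card number. Re-linking now needs the
    key as well as the HR list, so the key is the 'additional information'
    that must be kept separately and under its own access controls."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, token_fn, field="card"):
    """Return a copy of records with the identifying field replaced by a token."""
    return [{**rec, field: token_fn(rec[field])} for rec in records]


def relink(pseudonymised, hr_records, token_fn, field="card"):
    """Attempt re-identification: recompute tokens from the HR list and join.
    Returns the pseudonymised records with a 'name' attached where one matches."""
    lookup = {token_fn(r[field]): r["name"] for r in hr_records}
    return [{**rec, "name": lookup.get(rec[field])} for rec in pseudonymised]


def names_recovered(relinked):
    """Count how many log entries were attributed to a named person."""
    return sum(1 for rec in relinked if rec["name"] is not None)


if __name__ == "__main__":
    key = b"hypothetical-key-held-by-hr-only"  # assumption: kept apart from the log
    naive = pseudonymise(ACCESS_LOG, unkeyed_token)
    keyed = pseudonymise(ACCESS_LOG, lambda v: keyed_token(v, key))

    # Unkeyed hashing: the HR list alone re-identifies every entry.
    print(names_recovered(relink(naive, HR_RECORDS, unkeyed_token)))  # 3

    # Keyed tokens: the HR list without the key recovers nothing...
    wrong = b"some-other-key"
    print(names_recovered(relink(keyed, HR_RECORDS, lambda v: keyed_token(v, wrong))))  # 0

    # ...but key plus HR list recovers everything, so it is still personal data.
    print(names_recovered(relink(keyed, HR_RECORDS, lambda v: keyed_token(v, key))))  # 3
```

The practical consequence for the audit and contract work discussed later on the page is that a pseudonymised extract shared with an insurer or funder is only as "de-identified" as the separation between that extract and whatever re-links it, so the key and the HR list belong in the data inventory and the processor contract as much as the log itself does.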
Restrictions on use of personal data
It is not possible to set out everything the GDPR covers here, but the following are the data protection principles set out in the GDPR. Personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected for specific, explicit and legitimate purposes (and not used for anything else)
- adequate, relevant and limited to what is necessary
- accurate – every reasonable step must be taken to rectify inaccurate data without delay
- kept in a form that permits identification for no longer than is necessary, and
- kept secure.
The GDPR requires organisations to be able to demonstrate compliance and this means they should have data protection and data security policies in place. GDPR also requires organisations to keep records of their data processing activity.
GDPR identifies data "controllers" (the person or party that determines the purposes and means of the processing of personal data) and data "processors" (the person or party that processes personal data on behalf of the controller), and places obligations on both. So even if a business or person outsources the storage, analysis or use of personal data, it would still need to comply with its obligations under the GDPR as a "controller". Under GDPR it is also possible to be both a "controller" and a "processor".
GDPR obligations are not to be taken lightly, and the consequences of breach go far beyond the maximum fine of £500,000 that the ICO can currently issue.
Depending on the breach, fines of up to 4% of global annual turnover or €20,000,000 (whichever is the greater) could be levied under GDPR.
Individuals who are affected by the breach may also be able to bring a claim for compensation (and there is no fixed upper limit on what their level of compensation may be).
And, reputationally, no one wants to be in the spotlight for a breach of this new legislation.
Some key things you should be thinking about (if you have not done so already)
What you should be doing to prepare for GDPR will depend on your business, what personal data you handle, and what you do with it.
However, things to think about include:
- Carrying out an audit of the personal data you collect and use across your organisation. What personal data do you hold? How do you use it? Who is it shared with? Where is it accessed from or transferred to?
- Training your teams about GDPR and their data protection obligations, what it entails, what the risks are, and what they should be doing (including what to do if they receive a request from an individual regarding their personal data)
- Updating your internal business policies relating to data protection and data security
- Being transparent about the personal data that is collected and your reasons for processing it (including updating privacy notices so that they are GDPR compliant)
- Making sure data is secure, including from cyber criminals (keeping IT systems up to date, staying on top of software updates/patches, and investing more time and resource in implementing and maintaining security measures). You will also need to know what to do if there is a data breach, so that you can meet the strict notification requirements in the GDPR (notifiable breaches must be reported to the ICO within 72 hours of becoming aware of them, where feasible, and affected individuals told where the breach is likely to result in a high risk to them)
- Checking that contracts with suppliers are robust and include the provisions required by GDPR where you engage a third party to process personal data on your behalf, and
- Considering whether you transfer any personal data outside the EU (for example to a third party provider), as the GDPR restricts this too and you may need additional documentation in place.
Time is running out for businesses in the construction industry to get their house in order - and if they have not already done so, they should be assessing the impact GDPR will have on their organisations and the steps they need to take to comply as soon as possible.