GDPR: There is still work to be done

data protection

From site security and supply chains to the growing use of BIM, construction companies are holding – and sharing – more information. Matt Brown of independent law firm Brabners examines the implications of the new EU General Data Protection Regulation for the industry

Unless you’ve been living under a rock, the EU’s new data regulation, GDPR, will have been on your agenda for some time now.

Even though the initial deadline for compliance has now passed, there is still a lot that businesses can do to improve their performance on data privacy. Most importantly, there is still time to do so.

With just over a couple of months gone since GDPR arrived, we’re yet to see the Information Commissioner’s Office (ICO) exercise its power to fine businesses up to 4% of global turnover. But that’s not to say it isn’t coming.

Construction is a core sector in the UK, with some of the largest and highest profile brands of any industry. High value projects, including major national infrastructure programmes, mean that standards in the sector are heavily scrutinised. It stands to reason that its performance on data protection will be no different now that GDPR is in force.

A big construction firm would certainly fit the bill if the ICO was looking to make a public example of a business that isn’t following the rules.

It’s vital that building and construction firms take stock of their current performance on data protection and identify if and where they are still exposed.

How are building and construction firms vulnerable to GDPR?

Building and construction firms could be forgiven for thinking GDPR isn’t as relevant to them as it is in sectors where a greater volume of customer and employee personal data is stored – retail or financial services, for example.

But even if the sheer volume of data used is lower than in some other sectors, there are still many areas where companies’ use of it will be of interest to the ICO.

Supply chain

A construction project normally involves a network of suppliers and third-party contractors that provide materials and deliver specialist services.

While this is a vital element of a project, it’s an area where GDPR should be considered. Records of contractor relationships may contain personal information that falls under the purview of the new regulation.

This information should be stored securely and processes need to be introduced to ensure that it is kept up to date and accurate – and that it is only retained for a limited period of time.

Site access and security

Construction sites are often very secure areas, with processes in place to restrict access, particularly for large-scale building projects.

Employees, contractors, and visitors (prospective buyers or investors, for example) could all have provided personal information that needs to be processed according to GDPR. This might range from names and addresses to fingerprints and retina scans, depending on the level of security sophistication. Fingerprints and retina scans would be “biometric data”, which is classed as a “special category” and requires greater levels of protection.

Building management

Finally, buildings and the processes that help manage them can result in lots of data being stored and processed. For instance, tenants’ records may contain information that qualifies as personally identifiable.

Legitimate interest and lawful basis

A business can’t function without data, and processes like those outlined above are vitally important. GDPR is not designed to stop businesses using data, but to think more carefully about how they use it and the justification for that use.

The regulation outlines several ways of claiming a lawful basis to use personal data. Getting consent from the owner has historically been the most common. But using this alone can leave a business vulnerable – it can be withdrawn and gives individuals access to new powers like the right to be forgotten.

A better approach would be, where possible, to identify a legitimate interest as the justification. Is data needed to provide a service or to be able to contact customers? Security procedures like site access could well fall into this category, although this would end once that access is no longer needed and legitimate interest cannot be used to justify the use of biometric data.

The important element is to identify these interests and be able to explain them if asked.

Getting to grips with GDPR compliance

The regulation represents a wholesale change in the way businesses must think about and manage the data they use. Very few are getting it 100% right at this stage.

To its credit, the ICO has recognised this and has been careful to play down the rhetoric on crippling fines, instead stating the expectation is to see businesses making progress.

With this in mind, the most important thing at this stage is to be on the road to compliance and to be able to demonstrate the steps taken to meet the requirements that GDPR sets out.

A data audit is the best place to start. Identify what data is collected, where it is stored and, most importantly, whether it is needed. Limiting access to data can also make keeping track of it much easier and reduce the likelihood of human error-related issues. Communication and education are also fundamental.

Holding training sessions and ensuring employees are aware of any changes to working practices should be top priorities.

A data breach will likely attract the attention of the ICO and human error is by far the most common cause of them. The more that can be done to raise awareness among employees of best practice and clamp down on bad habits, the better.

There is no doubt that progress has been made in the construction industry on GDPR compliance. But there is still time to improve, and ensure that the eye of the regulator focuses elsewhere.


data protection

Matt Brown 

Partner and Head of Commercial (Liverpool)


Tel: +44 (0)151 600 3000

Twitter: @BrabnersLLP

LinkedIn: Brabners


Please enter your comment!
Please enter your name here