Keeping up with data laws in construction

July 27, 2020

195

Construction and building sites are often attractive targets for thieves but now, the industry also has to contend with cyber-crime and data breaches. Helen Davenport, Jocelyn Paulley and Michael O’Shea of Gowling WLG discuss how to avoid being an easy target

Many people may not consider construction to be a high-risk target for cyber attacks and data theft compared with other industries, which may cause companies to be laidback when it comes to security, ultimately making them easy pickings for cyber criminals.

Cybercrime has become increasingly sophisticated over the years and the threat is often difficult to predict. It is paramount that companies invest more in their security measures, not only for defending against breaches but for also spotting when they are happening.

The consequences of lack of good security and vigilance should not be underestimated. It could affect the business’s reputation if a breach is made public, cause financial losses and ruin profit margins, risk confidential or commercially sensitive information/assets being made public and also affect the lives of employees. Organisations that fail to comply with data privacy laws risk being fined by the data privacy regulator, the ICO, up to a maximum of €20m or 4% of global turnover, whichever is the greater.

Now, more than ever before, firms are relying on digital systems and infrastructure to allow organisations to continue to function. Over the course of the pandemic and lockdown, many employers and employees have had to abruptly get to terms with working from home. For some, that has been a new experience and for others, at least, a significant change in working pattern. For many employees, and employers, the right infrastructure and measures might not be in place or if they are, they may not have been properly tested. Further, when working from home, away from other colleagues and the workplace environment, and perhaps distracted by children or other family members, people may be less vigilant and, for example, may click on a link they would have thought twice about in the office.

Cyber criminals do not care and the National Cyber Security Centre has observed a surge in Covid-19 related scams and attacks. We have seen further examples of firms and suppliers suffering breaches (some of which were accidentally caused by staff), which illustrates the

need for organisations to have appropriate technical and organisational measures to ensure personal data is processed securely.

Organisations also have to remain vigilant and make sure employees do not let their guard down because they may be working remotely. To help mitigate against the risks, companies should review their cyber security procedures and consider if additional measures should be introduced. These steps should be a top priority for firms that deal with high levels of sensitive data, which construction firms may well often do.

As a consequence of the lockdown, many construction companies will have had to work with new suppliers to ensure that materials and demand is met – this can also open up cyber security risks. It is important to have the right approach to suppliers and partners who you share personal data and other business data with as it could be hacked through their systems. Changes in business partners can also make phishing and other cyberattacks harder to detect.

Data protection for employees returning to work

As well as managing the risk of a potential increase in cyber-attacks, construction firms have to contend with ensuring that they are complying with data protection laws when processing employee data. With the government gradually starting to ease lockdown restrictions and giving the green light for different types of businesses to return to work, employers will have obligations to ensure the health and safety of employees while at work, which may include collecting extra personal data, but they have to do this in a way that complies with data protection laws.

For some organisations, it may be appropriate to collect more personal data, such as information for track and trace, as one way to maintain the health of the workforce. This means that any internal Covid-19 risk assessments and plans must comply with the requirements under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Organisations should think about implementing the following measures if new personal data, particularly health data, will be collected as part of creating a safe work environment when employees return:

Doing a data protection impact assessment.
Assessing and identifying the types of personal data that they need to process in order to ensure that employees can carry out their work while complying with social distancing, hygiene and minimal contact with others.
Ensuring that they have a lawful basis for processing data (ie in the interest of public health).
Having a clear process for documenting the measures used across the company and if processing special category data (ie health data) using that the company has an appropriate documentation policy, as required by the Data Protection Act 2018. Having a clear policy for notifying other staff, or any third parties, if one member of staff is taken ill.
Reassessing the methods used to store the data to ensure that it is secure and only permit authorised personnel to have access to health records.
Considering how long this data needs to be retained and ensuring that retention policies are updated.

The European Data Protection Board (EDPB) and the UK Information Commissioner’s Office (ICO) have both issued guidance focusing on processing of personal data in a Covid-19 context. The guidance stresses that while emergencies may legitimise action being taken at speed, it is still important that emergency measures are limited to the emergency period and that all measures respect the general principles of the GDPR. Once the need for collecting data relating to Covid-19 no longer exists, organisations should remember to stop collecting and destroy records where they are no longer needed.

Helen Davenport

Data privacy, construction,