GDPR Is Here: What Contractors Should Know

by | Jun 29, 2018

The new EU personal data regulation is here and has changed how every industry, U.S. contractors included, collects, stores and processes personal data. Have a good strategy in place and learn to use data for the better.

The new General Data Protection Regulation (GDPR) went into effect on May 25, 2018 and has already had a serious impact on the way personal data is handled in the United Kingdom and the European Union. More specifically, the law applies to any organisation that collects, stores or processes the personal data of individuals in the European Union, wherever that organisation is based. The United Kingdom has committed to keeping the regulation in force regardless of the outcome of the Brexit negotiations.

GDPR concerns every industry that deals with people in the EU in one way or another, and construction is no exception. Contractors will have to change the way they work with personal data. Companies in the United States or other countries outside the European Union should be careful to avoid breaching GDPR. For instance, a U.S. commercial contractor collaborating with a European client, or one that markets itself in the European market, needs to follow the new regulation carefully.

In addition, the principles of GDPR are closely connected with those of the Privacy Data Act, so it makes sense for U.S. contractors to follow the guidelines of the new EU regulation anyway. After all, similar laws are likely to spread to most parts of the world.

Contractors should adjust to the new regulations and ensure that all policies and processes in regard to data are GDPR compliant. Tech policies, data infrastructure and cloud storage are some of the main areas to focus on. Nevertheless, there is still a lot of confusion around this issue in the sector.

It is extremely important to consider both the present and the future of construction. It’s no secret that data is expected to be the basis on which the future of the industry will be founded. Here is what contractors need to know about GDPR in construction.

What is GDPR?

Simply put, the new regulation drastically changes the way businesses handle the personal data of people in the EU. It applies to both B2C (Business to Consumer) and B2B (Business to Business) companies. In either case, consent is central.

Personal data is any information that can lead to the direct or indirect identification of a natural person. In a nutshell, the following can be regarded as personal data:

  • name;
  • contact information;
  • location data;
  • personal identification number;
  • IP address;
  • physical address;
  • cookie strings; and
  • website, software identifiers and/or apps.

The building sector uses large amounts of data during the development of a project. There are many ways this type of data can be collected. Construction site CCTV footage, access cards, smart systems and wearable technologies can function as data collectors. Building software is an additional way to gather personal data. Construction companies collect lots of personal data that typically belong to workers, suppliers, clients and other parties they collaborate with.

Data controllers and data processors are the two roles at the heart of the regulation. A data controller decides why personal data is processed and how; a data processor handles the data on the controller's behalf and must follow the controller's documented instructions. A contractor is usually the controller for its own workers' and clients' data, and a processor when it handles data on behalf of a client.

The main principles of GDPR

In order for both data controllers and processors to do their job without breaching the new regulation, there are six crucial principles to follow:

  1. Lawfulness and transparency. Personal data must be processed lawfully, fairly and transparently.
  2. Purpose limitation. There must be a legitimate and specific reason before a company is entitled to gather and process personal data, and the data may not later be used for an incompatible purpose. Always explain why the information is needed.
  3. Minimization. Collect and use the least personal data possible for the stated purpose, and delete data that is not needed.
  4. Accuracy. Make sure that stored data is accurate and kept up to date.
  5. Storage limitation. Delete the data as soon as it is no longer needed for the purpose it was collected for.
  6. Confidentiality and integrity. Protect the data against unauthorised access, loss and alteration with appropriate technical and organisational measures.

Four vital processing conditions

In addition to the six principles described above, don't overlook the lawful bases for processing. At least one of them must apply before any processing is GDPR compliant. Article 6 of GDPR lists six (the other two being a public-interest task and the controller's legitimate interests); the four most relevant to contractors are:

  1. Consent. Get clear, affirmative consent before gathering or processing the personal data in question.
  2. Performance of a contract. The data is processed because it is necessary to perform a contract to which the data subject is a party, or to take steps at the data subject's request before entering into one.
  3. Legal obligation. EU or national law requires the processing of the individual's personal data.
  4. Vital interests. The processing is necessary to protect someone's life, for instance in a medical emergency on site.

Consent is the condition contractors will encounter most often, and it is an integral part of personal data collection and processing under GDPR. It is no exaggeration to say that GDPR brings a much stricter, and safer, era for personal data.

These are nine vital points that must be satisfied for consent to be considered valid:

  1. Understandable and clear language. The wording of the consent request matters. It must be straightforward and easy to understand, and written in a language the data subject can understand.
  2. Separation. The request for consent must be presented separately from other content. For example, the classic 'one for all' checkbox on websites is no longer an option.
  3. Opt-in. Individuals must actively give their consent. Pre-ticked boxes and passive consent are no longer acceptable.
  4. Distinct consents. Separate consent must be offered for separate purposes. Omnibus consents are not GDPR compliant.
  5. Genuine choice. Consent is not valid if refusing it would work against the data subject. The individual must always be in a position to deny or withdraw consent without detriment.
  6. Balance of power. Where there is a clear imbalance of power between the data subject and the controller, as between a worker and an employer, consent is unlikely to count as freely given.
  7. Not a condition. Performance of a contract must not be made conditional on consent to processing that is not necessary for that contract.
  8. Ability to withdraw consent. Always give individuals the option of withdrawing their consent at any time, as easily as they gave it.
  9. Explicit consent for sensitive data and transfers. Separate, explicit consent must be given for special categories of data (such as health or biometric data) and, where no other safeguard applies, for transferring personal data outside the European Union.

How to Show GDPR compliance

It is also important to be able to show that the company is complying with GDPR. This is how to achieve it:

  1. Policies. Write down the business's data protection policies, and review and update them on a continuous basis.
  2. Training. Treat the training of employees as a priority.
  3. Inspections. Regular internal audits are an excellent way to strengthen personal data protection processes.
  4. Assign a Data Protection Officer (DPO). Appointing a competent DPO can be the key to success when it comes to GDPR. This person helps implement and maintain the GDPR principles.
  5. Pseudonymization. Replace direct identifiers with tokens so that the people handling the data cannot tell whose it is. The additional information needed to map a token back to a person (the key or lookup table) must be kept separately, under strict access control.
  6. Transparency. Keep data processing practices transparent and clear.
  7. Put together a Data Protection Impact Assessment. Run a DPIA before starting any processing likely to be high risk for individuals, such as site CCTV, biometric access control or wearable monitoring.
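The pseudonymization point above is the one item in this list that is a concrete technique, so here is a worked example of it. This is an added example written for this article, not code from the original page or from any vendor: it takes a constructed site access-control log (invented names and numbers), replaces the direct identifiers with a keyed token (HMAC-SHA256 under a secret held only by the controller) so a processor can still link a worker's events without knowing who the worker is, shows how the controller reverses the mapping with the key, and shows why an unkeyed hash of a small identifier space such as a six-digit worker number is not pseudonymization at all, because it can be reversed by enumeration. The field names, identifier format `W-NNNNNN` and the 10,000-ID search space are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: three turnstile events from a site access-control system.
# Names, phone numbers, IDs and timestamps are invented for this example.
SAMPLE_RECORDS = [
    {"worker_id": "W-004217", "name": "A. Example", "phone": "+44 7700 900123",
     "gate": "north", "event": "in", "ts": "2018-06-04T06:58:12Z"},
    {"worker_id": "W-004217", "name": "A. Example", "phone": "+44 7700 900123",
     "gate": "north", "event": "out", "ts": "2018-06-04T17:02:41Z"},
    {"worker_id": "W-001902", "name": "B. Sample", "phone": "+44 7700 900456",
     "gate": "south", "event": "in", "ts": "2018-06-04T07:10:05Z"},
]

# Fields that identify a worker directly; they never leave the controller.
DIRECT_IDENTIFIERS = ("worker_id", "name", "phone")


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that turns identifiers into tokens. Keep it in the
    controller's key store; the processor must never receive it."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under the controller's key.
    Same identifier and same key give the same token, so records stay linkable."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return copies of the records fit to hand to a processor: direct
    identifiers dropped, worker_id replaced by a keyed token."""
    out = []
    for rec in records:
        safe = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        safe["subject"] = pseudonym(rec["worker_id"], key)
        out.append(safe)
    return out


def reidentify(token: str, known_ids, key: bytes):
    """Controller-side reversal: recompute tokens for the IDs the controller
    holds and compare in constant time. Without the key this is impossible."""
    for wid in known_ids:
        if hmac.compare_digest(pseudonym(wid, key), token):
            return wid
    return None


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak alternative: a plain SHA-256 with no secret."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def crack_unkeyed(token: str, id_space: int = 10_000):
    """What a processor, or anyone who obtains the pseudonymised file, can do
    to an unkeyed hash of a small identifier space: enumerate it. Returns the
    worker_id if the token is a plain SHA-256 of an assumed W-NNNNNN ID, else None."""
    for n in range(id_space):
        candidate = f"W-{n:06d}"
        if unkeyed_pseudonym(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    shared = pseudonymise(SAMPLE_RECORDS, key)
    for rec in shared:
        print(rec)
    # The two events for one worker carry the same token and nothing else.
    assert shared[0]["subject"] == shared[1]["subject"] != shared[2]["subject"]
    # Only the controller, holding the key, can map a token back to a person.
    print("controller maps token ->",
          reidentify(shared[2]["subject"], ["W-004217", "W-001902"], key))
    # A plain hash of a six-digit ID is reversed in a fraction of a second.
    print("unkeyed hash cracked:", crack_unkeyed(unkeyed_pseudonym("W-004217")))
    # The keyed token does not appear in that enumeration.
    print("keyed token cracked:", crack_unkeyed(shared[0]["subject"]))
```

The design point is the separation of duties the regulation asks for: the processor gets `pseudonymise()` output and can do its job (shift counting, gate analytics), while the key and the list of real worker IDs stay with the controller, who alone can call `reidentify()`. Rotating the key per client or per dataset also stops two processors from joining their files on the same token.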

The cost of breaching GDPR

The consequences of ignoring GDPR can be extremely serious. Companies that fail to comply face administrative fines of up to 20 million euros or four percent of their worldwide annual turnover, whichever is higher.

On top of that, individuals whose data was mishandled can claim compensation for material or non-material damage, and there is no statutory cap on such claims, so the financial and legal repercussions for the business can be even more severe.

Lastly, a breach can be a critical hit to a business's reputation, which in the long run can matter more than the financial damage. No one wants to work with a company that doesn't respect the data it holds.

The new EU personal data regulation is here to stay and it has already changed the landscape in every industry that relies on data. Despite the challenges it brings, a good strategy keeps the risk manageable. Better still, it can be an excellent opportunity for contractors to step up their game and learn to use data only for the better.
