A recent 2023 cybersecurity breaches survey undertaken by the Department for Science, Technology and Innovation found that construction is one of the sectors least likely to account for data protection or cybersecurity issues: only 21% of construction businesses have board members assigned to cybersecurity and only 26% have cybersecurity rules and controls in place.
Data protection is vital, especially given the amount of personal data processed within a construction project. The evolution of smart homes, shared facilities, smart meters, personalised access controls, CCTV and outsourced facilities management highlights the need for meticulous compliance.
What is personal data?
The UK GDPR applies to the processing of personal data. Personal data includes the name, biometric data, email, IP address, date of birth and personal address of employees, subcontractors, and any third parties holding records of or monitoring a construction project or end building.
What are the risks?
The UK regulator, the Information Commissioner’s Office (ICO), can audit businesses to ensure compliance, taking up management time and potentially leading to sizeable fines – the ICO has issued a £4.4m fine on a construction company for failure to protect its employees’ personal data.
The UK GDPR and the Smart Meters Act 2018 also contains rules that govern both processing of personal data and, for smart meters, the suppliers’ access to consumer data. It requires businesses to comply with the seven principles of the UK GDPR. Failure can result in fines of 4% of global turnover or £17.5m, as well as reputational damage and compensation claims brought by data subjects themselves.
Many standard form construction contracts and professional appointments lack express provisions for cybersecurity requirements or data protection. Consideration needs to be given to these too, and provisions may need to be added – including for the Freedom of Information Act where relevant.
What data protection requirements are construction companies subject to?
- Record of processing activities. Each business is required to hold and make available to the ICO a comprehensive record of data processing.
- Privacy notice. To comply with transparency requirements, each business in a construction group must ensure it has appropriate privacy notices for workers, contractors, employees, job applicants, third-party suppliers, and those monitored by CCTV.
- Data breach record. It is mandatory to keep a record of personal data breaches plus mitigating actions. This is in addition to any reporting obligations to the ICO or the data subjects.
- Data retention and minimisation. Personal data can only be held for a limited time, in line with the principle of storage limitation, and in some cases this duration is set by law. All retention criteria must be available in privacy notices, and the retention periods must be implemented. Alongside this, the principle of data minimisation requires that only a strictly necessary amount of data should be processed.
- Data processing agreement. When appointing data processors (such as outsourced payroll, IT providers, hosting and storage providers, helpdesks or CCTV), parties must enter into a data processing agreement documenting rights of audit and deletion, and that the processor will follow the controller’s instructions.
How can construction firms navigate these requirements?
There are several procedures firms can implement to improve data protection protocols. First, auditing all personal data used and reviewing processes in place can identify areas to improve. Cybersecurity risk assessments will further highlight vulnerabilities and areas for addressing. Rigorous record-keeping is also essential, alongside ensuring employees are well trained in data protection responsibilities. Lastly, companies should recognise and respond to data subjects’ rights, such as the rights to be forgotten, to object to processing, and to request a transfer.
Impact of AI
Against this backdrop of data protection considerations, particular attention should be given to the construction industry’s increasing use of AI. The use of AI can mean that more personal data is processed more frequently, adding new dimensions to cybersecurity obligations. Businesses must therefore implement robust AI and data protection policies, such as data privacy impact assessments, and update privacy notices to account for profiling.
Amid these concerns, it is important to remember the benefits that AI can bring in terms of efficiency, productivity and budget allocation, as well as safety on site such as through facial recognition.
Data protection obligations cannot be underestimated by construction professionals, who should act now to ensure policies are up to standard, or risk hefty fines and damaging cyber-attacks. Practical steps can be taken to improve data protection set-ups.
This article was first published in Building Magazine and can be accessed here.
Beverley Flynn
Georgie Barrow