The Importance of Information Security and GDPR Compliance within the Construction Industry

A core asset for all construction companies is their data. It is no longer sufficient to consider only the protection of offices, building sites and machinery. As the construction industry continues to rapidly adopt advancing technology, the digitisation of highly sensitive data puts companies at an increasingly higher risk of cyber-attacks. Building information models, documents, designs, drawings, supply chain databases and personal data are being processed, stored and shared. This data must be secured to protect its commercial value and to comply with GDPR. The Government's Cyber Security Breaches Survey 2020 revealed that 46%, nearly half, of all businesses in the UK had been subject to a cyber security attack. The loss of data or money can have serious repercussions for a business, and it can also incur substantial costs. Of those who experienced a cyber-attack, 39% reported that they were negatively impacted by the breach and that it caused wider business disruption. So, what is the current legislation regarding GDPR compliance, and how can construction companies future-proof their business to protect information security?

GDPR Compliance Post-Brexit

The General Data Protection Regulation (GDPR) is a framework of data protection rules that determines how people access their personal data and controls how organisations use personal and confidential data. On 25th May 2018, EU GDPR was incorporated into UK law alongside the Data Protection Act 2018. It applies to all individuals and organisations within the European Union, including any countries that conduct business within the EU. The legislation protects all aspects of personal data that are associated with identity. The UK left the EU on 1st January 2021 and introduced UK-GDPR, a replica of the EU version with the continued support of the Data Protection Act 2018. A provision was agreed within the Trade and Cooperation Agreement, as part of the Brexit deal, that allowed the UK and the EU to continue with an unrestricted flow of data for an interim 6-month period. Under this provision the UK became a third country under EU GDPR, and as a result the transfer of personal data from the EU to the UK is permitted only if the level of data protection in the UK is deemed equivalent to that of the EU. The European Commission must confirm the level of data protection with an adequacy decision which, if approved, will grant the UK adequacy status under the GDPR and secure a free flow of data for the future.

However, an official decision on adequacy status is yet to be received as we approach the end of the transition period. On 19th February, the European Commission released its draft adequacy decision, which was largely positive, indicating that the UK should be awarded adequacy status for a fixed four-year period until a further review is required. In April, the European Data Protection Board (EDPB) announced it was in favour of the draft decision but recommended a few improvements in relation to national security and immigration. But in May, with a very narrow majority, MEPs in the European Parliament rejected the decision. A final decision by the Commission on adequacy status is expected in the coming months. Until the draft adequacy decisions are approved, construction companies are strongly advised to secure data transfers from the EU to the UK from 1st July 2021 with other safeguards, such as standard contractual clauses. If the decisions are approved, this would be positive news and offer certainty to both UK and EEA businesses engaged in transboundary data exchange.

Why Construction Companies Need to be GDPR Compliant

Penalties for non-compliance with UK-GDPR regulations are severe. Breaches can see fines imposed of up to 4% of annual worldwide turnover or €20m, whichever is greater. GDPR represents a very significant commercial risk and should be treated as a serious responsibility. There can be no excuses when it comes to understanding the legislation, and compliance will be evaluated based on evidence of how your policies, procedures, technical measures and training take GDPR into consideration. Any organisation tendering for a public sector contract must be able to demonstrate GDPR compliance, as public sector bodies fall under scrutiny to provide evidence of policies and safeguards from their supply chain as part of any tender process or framework.

Construction companies have an obligation to be open and honest with their employees and suppliers about how their personal data is used and stored. Companies must be able to respond in a timely manner to subject access requests (SARs). These are requests by individuals who want to see a copy of the information held about them. SARs require a response within 30 days, which means that information needs to be stored and organised in such a way that it can be accessed quickly and the response deadline can be met. Supply chain management is crucial, and construction companies need to ensure there are provisions and terms within their contracts that require suppliers to adhere to the standard requirements of data protection, so that evidence can be produced to demonstrate GDPR compliance. Failure to evidence GDPR compliance can be extremely costly, resulting in fines, loss of reputation and loss of business.

Information Security in the Construction Industry

Highly sensitive and confidential data is increasingly being stored on software systems to provide agile communication networks and auditable records. Whilst these advancements improve the organisation and efficiency of business operations, they expose construction companies to a higher threat of data breaches and cyber security attacks, which can cause disruption, loss of revenue, reduced productivity and damaged credibility. According to Government statistics from a survey conducted by Specops Software, construction businesses spent an average of £3,750 on cyber security in 2018-19, a staggering 188% increase on the previous year's spend. The construction industry is realising the importance of protecting its valuable data.

Cyber Essentials is a government-backed and industry-supported scheme that helps businesses protect themselves against the growing threat of cyber-attacks and provides a clear framework of the basic controls organisations should have in place to protect themselves. The Government's National Cyber Security Centre (NCSC) offers a certification for completing the scheme and claims it reduces your cyber risk by up to 98.5%. It covers important information security controls such as firewalls, secure configuration, user access control, anti-malware and protection against phishing. It is a great way to demonstrate your commitment to cyber security to employees, contracting partners and clients. Internationally recognised credentials are also attainable, including ISO/IEC 27001 and SOC 2.

Supply chain management is key: in the same way that GDPR compliance is expected to be demonstrable throughout your supply chain, so too is cyber and information security. Average losses resulting from cyber breaches spiked by 61% in 2019, rising from £176,000 to £283,722 compared with the previous year, and attacks are predicted to increase year on year. It is essential for the construction industry to protect its core assets and to control and manage data responsibly and compliantly in order to future-proof its business.