May 2019 - Issue 117

The 25th May 2019 marks the first anniversary of the introduction of the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 (‘DPA’), and cybercrime and security still remain one of the greatest challenges for the construction industry. As well as dealing with the advances in technology that are creating many more ways for cybercriminals to find loopholes in our security systems, the construction industry must now contend with data protection compliance following the introduction of new data protection legislation in the UK.

While drones, artificial intelligence and mobile technology are used to boost business operations, construction companies cannot forget that data remains a key part of the running of a construction business, and more and more data will be collected through these new advances in technology. With new data protection legislation in force, construction businesses will now have to contend not only with reputational fallout from delays caused by cyber-attacks but also with the Information Commissioner’s ability to name and shame those businesses that have failed to demonstrate overall compliance with the relevant data protection principles.

In 2018 the Department for Culture, Media and Sport conducted its Cyber Security Breaches Survey, the results of which indicated that while the proportion of businesses saying cyber security is a low priority has fallen since 2016, the construction industry ranked as one of the sectors where senior managers are most likely to see cyber security as a low priority. As the use of new technology becomes increasingly common, the GDPR and DPA 2018 will have more of an impact on the construction industry and its need to comply.

Crucially, the GDPR and the DPA 2018 introduced tougher penalties for non-compliance: depending on the breach, fines of up to 4% of worldwide turnover or 20 million euros, whichever is higher, can be imposed by the Information Commissioner’s Office. With cyber security low on the construction industry’s agenda, businesses will need to ensure they adopt a compliance culture, as security is only going to grow in importance as the proliferation of data continues. Reputational fallout and the risk of being landed with a substantial fine should give sufficient reason for construction businesses to handle data safely. In November 2018, the Information Commissioner issued 14 monetary penalties to businesses in the construction and manufacturing industries for not paying their data protection fee.

So what steps can organisations in the construction industry take to mitigate the risks associated with cyber-attacks?

  • Ensure existing security and privacy policies are up to date to reflect the GDPR and the DPA 2018
  • Review and update the process for handling employee and third party data
  • Be transparent about how data is collected through the use of CCTV and site access cards
  • Put in place the right processes that deal with data breaches and reporting those breaches
  • Train staff who handle large volumes of personal data so that they are familiar with their responsibilities under the GDPR.

Prettys are pleased to be hosting two data protection updates on the 27th and 28th June at Suffolk Food Hall in Ipswich and Essex County Cricket Club in Chelmsford (respectively). Topics being covered include where we are a year on from the GDPR, practical tips on how to deal with subject access requests, and 5 Essex Court will be exploring data breaches and how to mitigate the issues that can arise as a result. For more information on how to register for either event, please visit our website: https://www.prettys.co.uk/data-protection-update-