Why construction should worry about its data protection

The looming General Data Protection Regulation is set to have far‑reaching implications for firms in the industry, impacting on everything from design models to supply chain databases. Assad Maqbool and Jack Eustice explain

Data is a core asset to any construction industry provider. Everything from digital design models right through to supply chain databases need to be secured in order to protect the commercial value of these assets. In particular, personal data such as personal records attract regulatory obligations, so must be managed and protected to the required standard.  

Recent high-profile attacks such as the WannaCry ransomware attacks in 2017 and data breaches which affected all of Yahoo’s three billion customers show how devastatingly vulnerable a company’s data can be.

No surprises, then, that 20 years after the Data Protection Act 1998, a new piece of legislation is being introduced. On 25 May the General Data Protection Regulation (GDPR) will come into force. It is an EU regulation, but it will have direct effect in the UK from that date and is likely to be enacted by way of a Data Protection Act 2018. Post-Brexit, GDPR is here to stay. 

So how will this affect construction? First, the potential penalties are significant. Breaches attract fines of up to 4% of annual worldwide turnover or €20m, whichever is the highest. GDPR represents a very significant commercial risk and should be treated accordingly. 

Supporting evidence

The law is updated on the principle of “privacy by design”. Data protection should be at the heart of decision-making within organisations, and compliance with GDPR will need to be supported by evidence: policies, procedures, technical measures, training. 

If questioned on how data is protected by your business, would you be able to provide a solid response? This will likely be of immediate impact to any firms tendering for public sector work: public sector organisations will be under immediate scrutiny and are likely to require evidence of policies and safeguards from their suppliers as a part of any tender responses.

From a people perspective, construction companies will be required to be transparent with individuals as to how their data is to be used. Any interaction with individuals, including employees and business contacts, will need to be considered. Firms need to consider how they engage with people, and whether they have sufficient notices and terms and conditions to cover this.

Companies must be able to respond quickly to subject access requests (SARs). These are requests by individuals who want to see a copy of information held about them. SARs require a response within 30 days. This may mean that you need to organise information storage in such a way that the response time can be achieved.

Some firms may find themselves acting as data processors (the person who actually deals with data) rather than data controllers (the person who determines what the data is used for). 

Previously, data processors were not automatically caught by the rules; now they are. Companies need to think about what personal data – particularly sensitive data – they handle, and whether they handle it in a secure way. 

Regarding supply chain management, firms need to ensure there are provisions in their supply chain contracts requiring suppliers to adhere to a basic standard of data protection. They need to be sure their supply chain is compliant with GDPR standards and that they can demonstrate this to clients.

Futureproof your business

Fines for breach, coupled with reputational damage from being found not to have sufficiently protected personal data, should not be underestimated.  However, the regulation has been drafted to apply to everyone and is not intended to be unduly burdensome; it may just be slight tweaks to processes, standard contracts, and terms and conditions that are required. 

Security is only going to become more important as the proliferation of data grows: GDPR should give sufficient reason for an investment to be made now by companies in order to futureproof their businesses. 

Assad Maqbool is a partner and Jack Eustice is a solicitor at Trowers & Hamlins

Image: Dashark/

Story for BIM+? Get in touch via email: [email protected]


  1. It doesn’t help that many major contracts have CIOs that have no clue how construction businesses operate. My last employer’s CIO was implementing policies for how to manage data on windows computers, windows-based file, servers and paper records but he had no idea that construction businesses have silo projects that sometimes use document management systems like Asite/Viewpoint/Sharepoint for which he had not even considered. These tools contain lots of site data like scanned right to work permits and evidence which people just lavishly store. But it’s crazy that many CIOs don’t understand the wider business and businesses don’t make this a key requirement.

Comments are closed.

Latest articles in Analysis