Andrew Wood of Taylor Wessing’s construction team explains why no one can afford to ignore the new data protection regulation rules that come into force today
In an industry such as construction, processing customer data is not the core of most firms’ business. However, the new General Data Protection Regulation (GDPR) gives individuals the right to sue anyone who holds their data and fails to deal with it properly – and almost all companies hold such personal information.
In the construction industry, the obvious example is information about a company’s own employees but it will inevitably go further. Any construction project may involve a raft of personnel (both employees and subcontractors) carrying site access cards bearing some personal data. CCTV will capture footage of individuals on site. Smart technologies that log personal data in increasingly sophisticated, and often unexpected, ways are being deployed. Failure to comply with GDPR can lead to serious consequences.
Key features of GDPR
GDPR represents a major shift in UK data protection law. Its 99 articles increase data protection rights for individuals, increase obligations on data controllers (who determine how and why personal data is processed) and, for the first time, impose obligations directly on data processors (the entities actually obtaining, recording, adapting or holding it on the controller’s behalf).
The regulation is concerned with the use of individuals’ personal data, meaning any data relating to an individual that can be used to identify them, directly or indirectly. This includes obvious information that businesses routinely collate (such as names, photos, addresses, emails, social media posts, dates of birth) but also less obvious data (such as tracking cookies or IP addresses). GDPR also extends to pseudonymised data (where someone can still be identified behind a pseudonym). There is also a special category of sensitive personal data attracting even greater protections, such as trade union membership, religious beliefs or sexual orientation.
Personal data needs to be processed lawfully and for explicit and legitimate reasons. GDPR strengthens the conditions for obtaining consent to process personal data. This does not mean consent is always required, but GDPR does demand transparency about how data is used. Consent is most likely to be an issue for firms dealing with sensitive personal data or using personal data in marketing, where the individual will usually have to “opt in”.
Where a company breaches GDPR, there is a tiered approach to fines, with the most serious infringements (such as obtaining inadequate consent) attracting a potential maximum fine of 4% of annual global turnover or €20m (£17.5m), whichever is the greater. Less serious breaches (such as failing to make data breach notifications) can attract fines of up to 2% of annual global turnover. The previous maximum penalty was £500,000.
GDPR is a regulation under EU law, which means it now bites in the UK and UK businesses should be complying. With an eye on the future after Brexit, the UK is in the process of implementing its own new Data Protection Bill. While there are small concessions to protect the media and scientific researchers, among others, this proposed law largely covers the same provisions as GDPR.
Companies now need to actively demonstrate compliance with GDPR. Steps that should be taken include:
- Ensuring all relevant personnel are engaged. This extends to anyone collecting customer data, human resources, IT and those involved in governance and risk. Employers should give thought to who may act as a processor or controller, which may include subcontractors. Outsourced data storage will still require compliance.
- Building an inventory of all data the company may collect on a person (either deliberately or by accident). Companies need to establish where this comes from and who it gets shared with.
- Reviewing data protection and privacy policies, and implementing necessary changes in light of GDPR. This includes being prepared for the exercise of new rights (which means making personal information available free of charge within one month) and complying with new obligations to the extent they apply to the organisation. For companies with more than 250 employees, this means setting out a rationale for why they have a legitimate interest in holding that data.
- Being prepared for data breaches. GDPR requires data breaches that pose a risk to individuals (through destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to their data) to be notified to the individuals involved without undue delay, and to the Information Commissioner’s Office within 72 hours. Companies should consider whether their notification policy is robust enough, whether they have procedures in place to detect breaches, and how often they stress-test their breach plan. It is also important to consider whether the company needs to hire or designate a formal data protection officer. This applies to organisations that carry out large-scale systematic monitoring or large-scale processing of sensitive personal data.
The GDPR rules now in force impose strict obligations on how personal data must be handled, affecting companies more widely than some may realise. Those that have not already considered how GDPR affects them must do so.
Andrew Wood is an associate at Taylor Wessing