GDPR – The Elephant in the Board Room

09 Apr 2018

GDPR is fast approaching and it is a heavy topic. A recent study in the UK has shown that 35% of leaders in the construction industry do not know what GDPR is while at the same time cyber crime is increasing in this sector.

One can only assume that the awareness of GDPR and its implications for the sector is the same here. In this article we aim to shed some light on what GPDR is and how organisations can prepare for this new legislation.

So what is GDPR?

The General Data Protection Regulation (GDPR) is designed to help safeguard data protection rights for individuals and introduces a single set of rules across the EU when it comes to how organisations handle data relating to individuals. GDPR is the most significant change to the European data protection regime in over 20 years.

When will it come into effect?

The General Data Protection Regulation (GDPR) will come into force on the 25th May 2018.

Who will be affected by the GDPR?

All organisations that process the data of EU citizens irrespective of size and location will need to be compliant with GDPR.  There appears to be a common misconception that small companies fall outside the scope of GDPR; this is definitely not the case! There are some exemptions under GDPR for SME’s but these need to be carefully examined.

What types of data fall under the GDPR? 

Personal data is defined very broadly and essentially means any information that can lead to the identification of an individual. Vast amounts of personal data is processed in the construction industry; examples include contact details, employee data, client data, CCTV imagery, health and safety data and data collated from site access cards and wearable technology.

What are the steps your organisation can take to prepare for GDPR?

  1. The fundamental first step is to carry out a data audit to understand the types of data that you hold, where it is stored, and who has access to it. Your organisation should also prepare a visual map of the flow of data into, within and out of your organisation to fully understand your data processes.
  2. Staff training is one of the most crucial parts of GDPR . Training needs will vary depending on roles however as most data breaches happen as a result of human error, ensuring staff have an understanding of the law and the fines and reputational damage their company could be subject to, is key.
  3. Update your data protection policies and procedures to ensure these are GDPR compliant.
  4. There are mandatory provisions under GDPR that must be in place with vendors that process data on your behalf; your organisation will therefore need to review these contracts with third party suppliers.

Some basic measures that you could start right now to keep data secure are to ensure laptops are encrypted, ensure your organisation operates a clean desk and clear screen policy and only allows employees to access information on your systems and manual files on a need to know basis.


What are the penalties for not complying with the GPDR?

The headline-grabbing story of GDPR so far is in relation to the vastly significant increase in fines for non-compliance, up to €20 million or 4% of annual global turnover, whichever is the higher.  The Regulator, The Office of the Data Protection Commissioner, will have a degree of discretion as to whether to impose a fine and the level of that fine. That discretion will ultimately come down to how complaint your organisation is.

Once the GDPR effective date of the 25th May hits; it is definitely not “tools down” so to speak. Your organisations preparation for this deadline should be seen as a once off project with the real goal to attain ongoing compliance. Build data protection into your systems and processes from the outset; the security of personal data can no longer be an afterthought. If you are ahead of the game you may find yourself at a competitive advantage over your peers when it comes to tendering for business.

There is still time to get your house in order so don’t panic and remember “When eating an elephant take one bite at a time”.


Lorraine Valentine, Regulatory Compliance & Information Security Specialist, CIF Pension Administration Services


Join the Construction Industry Federation