The General Data Protection Regulation (GDPR), the EU’s new legislation that will replace UK Data Law (regardless of Brexit), comes into force in May 2018, meaning that unprepared businesses across all sectors have just eight more months to appoint someone in-house to ensure that all data infrastructure, cloud storage, tech policies and procedures are ready to meet the new regulations.
All UK companies need to comply, but a recent survey worryingly showed that only 7% of thousands of medium-sized UK businesses fully understand what the GDPR is. In London alone, 40% had not even heard about it, and two-thirds admitted they had been subject to an information breach in the past – something that could incur a large fine from next May onwards.
The construction industry may feel it is somewhat removed from other data-heavy, consumer-facing sectors, but the security threat is just as real and the impact could be just as damaging due to construction’s unique proximity to, and collaboration with, other businesses and sectors.
On typical construction projects, sensitive data is frequently exchanged with multiple immediate third-party project partners, such as architects, civil, mechanical and structural engineers, planning consultants and project managers. All of this communication will need to come under scrutiny, but some constructors will need to think beyond just the local partners. Involvement in critical and sensitive infrastructure projects, for example, could make the construction sector a preferred target for security breaches. All essential services and infrastructure builds will need to be resilient against not just the threat of cyber attack, but also against physical threats such as power failures and environmental hazards, in order to keep data centres, electricity and energy providers, and digital infrastructure secure.
Furthermore, this involvement with key players in infrastructure of any nature could make those in the construction sector a target of cyber attack not just for their own data, but also as a gateway into the more secure sectors of their clients. Construction firms with property and facilities management clients will also no doubt be grilled on data protection processes and security measures to reassure and protect the clients’ own data.
As well as putting in place processes, storage, data transfer and compliance before May 2018, it’s worth remembering too that internal training will be paramount. It’s not just the disgruntled employee with access to sensitive information who maliciously carries out an internal security breach. Human error, or something as simple as poor password management, can often be harder to detect, but just as damaging, both in terms of the breach and the incoming GDPR fine. The fines are high – up to 4% of worldwide turnover or 20 million euros, whichever is higher.