GDPR in Construction: What You Need to Know

If your business stores or processes any kind of personal data of EU citizens (names, contact details, addresses and so on), you’ll need to comply. Almost every construction company will process client, supplier, and employee data, so you’ll almost certainly be affected.

The General Data Protection Regulation (GDPR) comes into force on May 25th 2018 and will affect almost every small business in the UK, the remainder of the EU and many others around the world - yet about half of UK businesses aren’t even aware of the legislation. If you want to avoid the hefty fines that’ll be levied on businesses that aren’t compliant, you need to start your GDPR prep now.

What is the GDPR?

GDPR is a set of new data protection regulations that aim to strengthen and simplify personal data protection rules across the EU.

What about Brexit? Will these rules still apply?

Yes, when the UK leaves the EU, UK companies will need to abide by the same rules, although the government may make adjustments to them at a later date. If you hold the data of any EU citizens, you will also need to stay compliant.

How do I know if the GDPR affects my business?

If your business stores or processes any kind of personal data of EU citizens (names, contact details, addresses, IP addresses, cookies and so on), you’ll need to comply. Almost every construction company will process client, supplier, and employee data, so you’ll almost certainly be affected.

What are the differences between GDPR and existing data protection regulations?

There are many similarities between the GDPR and the Data Protection Act, but, generally speaking the new rules strengthen individual rights over their own data.

There are seven key pillars of the GDPR:

1. Consent. Whenever you ask for consent to collect personal data, the language used must be clear and easy to understand. Consent must be a positive action - no pre-ticked boxes. It must also be as easy to withdraw consent as it is to give it.

2. Right to be forgotten. Individuals will be able to contact organisations that hold their data and request that it be deleted, or amended if it the data you hold is inaccurate. There are some circumstances where this right doesn’t apply. Check out ICO’s full guide to the exceptions.

3. Right to access. Individuals have the right to ask businesses if their personal data is being processed. In addition, they have the right to ask for a copy of all personal data a business holds on them. These subject access requests will be familiar to many businesses, but you must now fulfill them free of charge, unless the request is unfounded, excessive, or repetitive.

4. Data portability. Individuals now have the right to obtain and reuse their personal data across different services, for example, an online supermarket should make it possible to export a list of favourite products to a price comparison site. Data should be provided in a commonly used form, such as a CSV file.

Privacy by design. Data protection should form the foundation of system and project design.

6. Data breach notifications. A data breach can be anything from accidentally emailing data to the wrong person, to unauthorised third party access of data. Personal data breaches that hold a risk to an individual’s ‘rights and freedoms’ must be reported to the relevant body (normally ICO) within 72 hours. In addition, if it’s likely that the breach results in a high risk to the rights and freedoms of an individual, you must notify them as soon as possible.

7. Data protection officers (DPOs). If you carry out large scale processing of ‘special categories of data’, or systematic monitoring of individuals, you must assign a data protection officer at your business.

What are the first steps we need to take?

Most construction companies will want to start off by carrying out a data audit. This essentially involves mapping where personal data enters your business, how it is stored and processed, and when it’s retained or deleted.

Getting all this info down on paper will help you understand current data vulnerabilities and where you need to adjust your approach to comply with GDPR.

Next, you need to adjust the wording of your privacy policy and anywhere you ask for consent to collect data. We can’t advise on precise language here - you’ll need to seek legal advice from an expert. Research the various lawful bases for processing to find out which is most appropriate for your business.

Another important step is to boost data protection awareness amongst your staff. Train employees on the importance of data protection and the new GDPR requirements so that data protection is a high priority.

Once you have the foundations in place, it’s wise to start deciding how you’ll fulfill subject access requests, and the rights to data portability, amendment and erasure. At the very least, decide who’ll be responsible for processing these requests, and put this information on paper.

What if we don’t comply?

The maximum fines associated with non-compliance are higher than those under the data protection act - a huge  €20 million or 4% or annual global turnover, whichever is higher. In most cases, however, the authorities will issue warnings, demand that you fix your data protection vulnerabilities, or halt data transfers before issuing fines.

Are all these extra rules really necessary?

Most people reading this article will be EU citizens - and the GDPR will benefit you. Every company you share your information with (including social networks, banks, and retailers) will need to increase their data protection efforts, whilst giving you, the individual, more rights over your data.

As the role of data in our society becomes even more prominent, so does cyber security. A consistent approach across all EU member states and further afield (where the data of EU citizens is processed) can only benefit us.


GDPR certainly appears intimidating for small businesses, but in reality, if you’re already compliant with the Data Protection Act, you’re most of the way there with GDPR. By staying complaint with the GDPR, and taking a thorough, transparent approach to data processing, you’ll not only avoid fines, but put clients’ and suppliers’ minds at ease.

There’s a lot to take in - but we’ve only covered the basics! We recommend reading the information on the ICO website to get more details.

The information in this article is for information purposes only. It is not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.