How will the GDPR impact the construction industry?

On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect in the EU and across the United Kingdom. Yet 70 per cent of construction firms are unaware of the new data protection rules it introduces, according to a YouGov survey[1].

Technology in the construction sector

The construction industry is one of the most collaboration-intensive and technology-dependent industries: it requires a near-constant exchange of high volumes of data with external project partners, including architects, engineers and planning consultants. A critical component of the industry’s ability to collaborate is its supply chain, and that supply chain is also an attack surface. Even if one small subcontractor is the victim of a cyber-attack, it could derail a huge project through lost time or stolen building plans.[1]

According to UK government statistics, 15% of construction business premises were affected by online crime in 2015, roughly one in six construction firms[2]. A Home Office study found 77,000 incidents of online crime against construction companies, of which 71% involved computer viruses and 10% involved hacking[3].

It isn’t just hackers you need to protect against, either: employees, consultants and contractors all carry some risk of causing a data breach, whether through malice or mistake. Construction companies are legally required to hold personal data securely and to use it only in the ways permitted. Under the GDPR, non-compliance can bring penalties of up to €20m or 4% of total worldwide annual turnover, whichever is higher.

Building a safer cyber environment

As 25 per cent of construction firms have admitted that the maximum fine of €20 million for non-compliance with the GDPR would force them out of business[4], it is important to take steps now to reduce the risk:

  • Consider ISO 27001 certification, which demonstrates through independent audit that you operate an information security management system with the necessary security policies and procedures[5].
  • Make sure your finance team is well trained and kept on high alert for phishing scams, particularly fraudulent payment requests and fake supplier invoices.
  • If many users and devices connect to your systems, put a privileged account security solution in place so that administrative access is restricted to the people and devices that need it. This reduces the chance of sensitive data being accessed and, combined with device encryption and the ability to lock or wipe a device remotely, makes it far easier to contain the loss should a device be mislaid or stolen.
  • Install software that provides real-time protection and automatically receives the most up-to-date malware definitions[6], and keep operating systems and applications patched.
  • ‘Establish Incident Response Plans. Prepare a plan for responding to an incident.’[7] Under the GDPR, a personal data breach that is likely to put individuals at risk must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, so the plan should name who assesses a breach and who makes that notification.
  • ‘Establish Lines of Communication. In responding to a cyber-attack and its aftermath, communication is key.’[8]
  • Review your insurance policies to check whether you are covered for a cyber-related incident.