By Catriona Lingwood, Chief Executive of Constructing Excellence in the North East
The General Data Protection Regulation (GDPR) will take effect on 25 May 2018 and reform our domestic law on how UK businesses collect and process personal data. The new regulation is set to change the industry, impacting everything from design models to supply chain databases. The date has been on our radar for months now, but are we prepared for the major changes that are coming?
The GDPR will make it simpler to withdraw (or refuse) consent for the use of personal data, allow people to ask for their personal data held by companies to be erased and update and strengthen data protection law. Personal data is defined as any information relating to an identified or identifiable natural person, including data about people in their work lives as well as their personal lives, so it would include their work contact details.
In the industry, we deal with a lot of personal data. Project data can include details of the individuals forming part of project teams. Individual worker personal data may be recorded on site access cards, CCTV footage or wearable technology. Organisations store data on employees, customers, suppliers and anyone they network with, this might include sensitive personal data relating to accidents or health issues. Currently, all this data can be stored, reviewed, used and even shared with other interested parties, but that’s all about to change!
According to the new GDPR, personal data must be:
• Processed lawfully, fairly and in a transparent manner
• Collected for specific, explicit and legitimate purposes (and not used for anything else)
• Adequate, relevant and limited to what is necessary
• Accurate – every reasonable step must be taken to rectify inaccurate data without delay
• Kept in a form that permits identification for no longer than is necessary
• Kept secure.
The potential penalties for breaching GDPR are fines of 4% of global turnover or €20,000,000 (whichever is the greater) and those who are affected may also be able to bring a claim for compensation (and there is no fixed upper limit on what their level of compensation may be) – so they’re certainly breaches you can’t afford to be making!
It should have always been, but data protection now needs to be at the heart of decision-making within organisations, and compliance with GDPR will need to be supported by evidence: policies, procedures, technical measures, training. You need to be able to provide an answer to how data is protected by your business. Going forward, it will impact tenders for public sector work, so it’s important you have the evidence required.
If you’re still unsure on the steps you need to be taking, CENE are holding an event with Muckle LLP on 14 March. Jill Dovey, Associate Solicitor for Muckle LLP will be providing a brief overview of the GDPR and the key new requirements, as well as discussing practical ways to approach GDPR compliance.
If you are unsure of your data rights and would like further information, please contact Amy Holmes on 0191 500 7880 or firstname.lastname@example.org to register your interest in this briefing.