18 October 2017

Getting ready for GDPR

What does the EU General Data Protection Regulation (GDPR) mean for property and construction companies and what do they need to do to comply?

On 25 May 2018, the EU General Data Protection Regulation (GDPR) takes effect and brings with it a significant change to the UK’s data protection laws. The ICO (Information Commissioner’s Office) will be empowered to impose fines of up to €20 million or 4% of annual global turnover, whichever is higher, for breaches of the regulation. As a result, those in the property and construction sector need to work quickly to confirm that they understand, and can comply with, the new law.

What does this mean for property and construction companies?

Currently, property and construction companies gather, process and share a wide range of personal data, including the names and contact details of clients, suppliers and staff.

Recent breaches of data protection law have resulted in significant fines for the organisation at fault, such as the Glasgow-based property renovation company that was fined £80,000 in March 2017 for making unsolicited marketing calls.

What do you need to do to comply?

Compliance with GDPR requires you to understand and record what personal data you gather, why you gather it, how you handle it, where you hold it and with whom you share it. Processes should be put in place to ensure that permission is obtained where necessary before data is gathered and that data subjects are told that their information is being collected and what it will be used for. The data held should also be proportionate to the purpose, kept accurate and up to date, and retained only for as long as it is required. For many organisations, this will mean developing a raft of new processes and policies in order to ensure compliance.

In addition, GDPR introduces new rights for data subjects, such as the right to erasure (the right to be forgotten) and the right to have the data held on them transferred to another provider (data portability). It also introduces important changes to how consent to process personal data must be obtained, how it is recorded and when it can be relied upon.

GDPR also makes certain activities mandatory, for example:

  • Appointing a Data Protection Officer where the regulation requires one, such as where core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data;
  • Providing new and existing staff with suitable training and awareness, as well as additional sources of guidance and support when required;
  • Conducting Data Protection Impact Assessments (DPIA) to design data privacy into any new systems and processes. This is of particular importance if new technology is being deployed, where special categories of data are processed on a large scale, or if profiling operations are being performed which are likely to have an impact on individuals;
  • Notifying the ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

With some new elements and significant enhancements being introduced by GDPR, it is essential you start planning for this now. At Scott-Moncrieff, we are working with a range of organisations to help them attain GDPR compliance. If you’d like to find out more about this, please contact our business technology and consulting partner, Fraser Nicol.
