GDPR – is it relevant to the construction industry?



The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018 and will apply to all organisations that process ‘personal data’ within the EU. Whilst it is an EU bill, it is important to note that the legislation will come into effect before the UK leaves the EU, so for a period of time it will have direct effect in the UK. Additionally, legislation is currently drafted which will result in a version of the GDPR being incorporated into UK law. As such, irrespective of Brexit, GDPR, or its UK equivalent, will continue to apply after the UK leaves the EU.

It is fair to say that the GDPR has been on the radar of many companies and law firms alike for some time now. However, in spite of the clamour for businesses to ensure that they are ‘GDPR compliant’, the question remains: is GDPR actually relevant to the construction industry?

What are the implications for businesses?

The GDPR updates the current data protection legislation and will govern the way that businesses must deal with ‘personal data’. Personal data is defined in a broad sense and essentially translates as any information relating to an identified or identifiable natural person. The most common form of ‘personal data’ is likely to be an individual’s contact details, i.e. their telephone number, email address or property address. However, in a work context, particularly a construction context, this could be information about employees, such as their salary, performance or qualifications; even a reference to their employee number is sufficient to constitute personal data.

Companies will need to ensure that they comply with the GDPR’s data protection requirements in respect of personal data. In short, those requirements provide that data must be:

  • processed lawfully, fairly and transparently
  • collected for specific, explicit and legitimate purposes
  • kept for no longer than is necessary
  • accurate, with companies taking reasonable steps to rectify data that is inaccurate
  • kept up to date where necessary; and
  • kept secure.

Most notably, the GDPR introduces much stricter penalties for non-compliance. The current maximum fine for non-compliance with current data protection legislation is £500,000, whereas the GDPR creates a maximum fine of €20,000,000 or 4% of a company’s global turnover (whichever is greater). 

What are the implications for the construction sector?

Surveys suggest that a number of construction businesses do not think that GDPR will affect them. However, the accuracy of that statement may depend on whether those businesses view GDPR in a general sense or whether they consider GDPR’s relevance to a specific construction project or specific construction contract.

In the general sense, all construction companies that have employees, or that operate any form of security/access control at their sites (especially if this uses biometric access control measures), will still need to ensure that the obligations contained within GDPR are complied with. As a result, those companies may need to consider:

  • carrying out an audit of the personal data that they use or hold in their business (why they hold it, how long they hold it for, who they share it with and where they store it) in order to better understand their exposure to the GDPR;
  • reviewing their existing processes to determine whether they are GDPR compliant;
  • training teams on what they should be doing in light of GDPR and what they should be doing if they receive any requests from individuals in relation to their personal data, as well as any other requests for access to personal data; and
  • updating internal business policies if they are not GDPR compliant.

With less than two (2) months to go before the implementation of GDPR, the above actions should be taken as soon as possible.

What are the implications for a construction project?

Whilst GDPR will certainly be relevant to construction companies in a general sense, it is questionable whether the exchange of personal data is likely to occur from, say, an employer to a contractor or an employer to a consultant in a typical construction project.

Specific examples of an exchange of personal data in a construction project may include:

  • a local authority passing personal details of a property occupant on to a property maintenance contractor that it engages;
  • an employer providing a contractor with details of its suppliers in order for the contractor to procure materials;
  • a housebuilder employer asking a contractor to rectify defects to a property that is already occupied; and/or
  • a request from the Home Office, or immigration enforcement officers, regarding the working/visa status of the individuals working on the construction site.

The above examples are fact specific and potentially highlight that GDPR may not be relevant to all typical construction contracts. Notwithstanding this, it is important that parties to a construction contract always consider whether GDPR may apply in some way. In such circumstances, especially where a third party is engaged to process personal data on a client’s behalf, it will be necessary to ensure that the relevant construction contract contains robust provisions which ensure GDPR compliance. This will include ensuring that appropriate practices and protocols are in place and well known, so that any requests for access to, or transfers of, personal data are handled with the necessary consideration and with appropriate protections in place (where necessary).

With the clock counting down to 25 May 2018, it is important that construction companies are fully aware of their obligations in respect of GDPR and are fully ready to comply with such obligations when the legislation comes into effect. Eversheds-Sutherland has a GDPR Hub, where you can find more information about the GDPR, its key concepts, actions to take, as well as ways in which we may be able to assist you. In addition to our GDPR Hub, the website of the UK regulator for data protection matters, the Information Commissioner, also has a lot of information on the GDPR which may be of assistance.