Will the new GDPR affect construction companies and contracts?
With the GDPR in force next week, this blog post looks at some compliance issues for construction companies and contracts.
On 25 May 2018, the EU General Data Protection Regulation (GDPR) will come into force, and the risks of non-compliance are substantially greater than under previous data protection legislation, with the possibility of a company being fined 4% of its global annual turnover. The GDPR will apply to all organisations within the EU processing personal data, that is, data relating to a living individual. Although this is EU legislation, after Brexit the GDPR will be incorporated into UK law so the requirements will continue to apply.
Under the GDPR, businesses must ensure that personal data is:
- processed lawfully, fairly and transparently
- collected for specific, explicit and legitimate purposes (and not used for anything else)
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- retained for no longer than necessary, and
- kept secure.
Data controllers, that is the person or party that determines the purposes and means of the processing of personal data, must keep certain documents to demonstrate their compliance with the requirements.
Construction companies will need to ensure that they deal correctly with the personal data relating to their employees and workers, and with any such data about their suppliers and clients, including keeping documents for accountability purposes.
Minimal personal data that is used in a building contract or professional appointment relating to individuals, for example someone who is receiving contractual notices or who is acting as a potential adjudicator, would most likely meet the lawful bases under the GDPR for data processing of “legitimate interests” and/or “consent”. At least one lawful basis must apply whenever personal data is processed. “Legitimate interests” means the processing is of a clear benefit to the organisation or others, there is a limited privacy impact on the individual and the individual should reasonably expect their data to be used in that way (although a public authority cannot rely on this basis for official tasks). Furthermore, this type of data in a building contract or appointment is usually given with express or implied consent. Implied consent might apply where the data in a contract relating to a named adjudicator is publicly available in marketing materials. This level of personal data, which would be common to any type of commercial contract, would usually not merit additional GDPR compliance wording in the contract.
Construction contracts or professional appointments where the works or services themselves require a party to use personal data relating to employees, sub-contractors or third parties may lead to more uncertainty in GDPR compliance. Personal data on individuals collected to operate security requirements on site or to maintain worksheets are examples of this type of data processing. It is advisable to include specific wording in the contract to ensure compliance with GDPR requirements where personal data may be used by the parties to this greater extent.
