General Data Protection Regulation (GDPR): Get Secure or Get Sanctioned!

data-protection-construction-industrySeemingly every week we learn damaging details about a previously unreported or underreported data breach.

Just last month, the personal data of nearly 150 million customers across the US, UK, and Canada, hosted by the consumer credit reporting giant Equifax, was stolen in one of the largest, most notorious private sector data breaches yet. In a previous post addressing security and cybercrime, a 2017 UK government survey revealed that nearly seven of ten large businesses have suffered a cyber breach or attack, leading to hundreds of billions of dollars in losses.

So, how can we take steps to protect our data moving forward?

What’s GDPR?

Residents in the UK and Ireland have lived for years with lower levels of governments around data protection, but, that’s about to change. Data compliance is becoming a big deal. On May 25, 2018, the General Data Protection Regulation (GDPR)—a regulation approved by the European Parliament, the Council of the European Union, and the European Union – will apply to all European Union residents. The GDPR is intended to strengthen and unify data protection for people residing in the EU. The UK government has also committed to increasing data security standards post Brexit, aiming to protect residents’ personal data and prevent data infringement.

Data analysts/nerds say the GDPR impacts every organization that collects or retains personal identifiable data from any European individual. They say ignoring or professing ignorance about the GDPR will get you nowhere. This applies to people who live outside of the EU, too. Any company dealing with data owned by EU businesses, residents, or citizens must comply with the GDPR.

GDPR Regulators: Compliance or Consequences

GDPR regulators will pay particular close attention to UK companies who have a history of not taking data privacy seriously. The GDPR includes harsh penalties and compliance requirements that impact smaller to medium-sized businesses and third-party contractors, including cloud service providers (CSPs) such as Aconex. Because CSPs weren’t around when data protection laws were originally created, their liability is typically managed by agreements between the service provider and the client, addressing issues such as availability and uptime.

Attorneys at Fieldfisher, a well-known UK law firm specializing in intellectual property and security, say the new legislation  comes with a long list of responsibilities. “The GDPR requires CSP processors to develop and implement a number of internal procedures and practices to protect personal data,” a Fieldfisher representative said.

The six GDPR procedures and practices include:

  • Fairness and transparency: Alert individuals that their data will be processed.
  • Purpose limitation: Any processed data must match its original description.
  • Data minimization: Only the most relevant data pertaining to an individual may be processed.
  • Storage limitation: Data no longer required should be removed.
  • Accuracy: Data must be kept up-to-date.
  • Integrity and confidentiality: Protection against unlawful processing or accidental data loss.

Companies must only engage with GDPR-compliant CSPs

Because so much of the GDPR focuses on fines and data breach notifications, it’s easy to overlook a crucial step all companies must take to ward off sanctions; the requirement to engage only with CSPs who are GDPR-compliant. You may possibly fail an audit if you’re using non-compliant CSPs and not following the GDPR guidelines.

If all this sounds like too much stick and not enough carrot, now add the fact that Brexit isn’t coming to anyone’s rescue. GDPR takes effect in May of 2018, whereas Brexit is expected to occur no sooner than 2019.

Meeting GDPR provisions: A time-sensitive must on your to-do list

It’s about time we take data security more seriously. The GDPR promises to significantly enhance the safeguards around our private information; a regulation of critical importance in a world that’s moved everything online. If you cringe every time you hear about a new data breach and wonder if you’ve been impacted, you know that luck and half-measures are no longer enough. A partner at Fieldfisher law firm said, “The GDPR may be the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years.” We must believe that’s a good thing.

Of course, this means creating one more all-caps entry in your master to-do list, but the results will be worth it. That’s the same security-minded attitude I see reflected here at Aconex. Aconex customers can rest assured that Aconex and the products we create meet all of the GDPR’s provisions that will go into effect on May 25, 2018.

If you want to know more about GDPR, as well as the responsibilities and capabilities of Aconex, the #1 platform for digital project delivery, feel free to contact us.

Further Reading: The Essential Guide: GDPR and Cloud Service Providers

Steve Cooper

Steve Cooper

General Manager UK & Ireland at Aconex
Steve Cooper is General Manager UK & Ireland at Aconex, the world's leading collaborative construction and engineering management software.
Steve Cooper