GDPR is a relevant IT security legal issue that needs to be addressed by all companies doing business in the EU, the construction industry included. You must be GDPR compliant for your clients' and your company's safety, both from hackers and from extremely heavy fines of up to €20 million if you are caught not doing so. Here is a six-step guide to making your construction company GDPR compliant.
Since 2018, a lot has been said about the General Data Protection Regulation (GDPR), which went into effect on May 25th of that year for anyone doing business with the European Union. GDPR is not merely a trendy buzzword but a relevant IT security legal issue that needs to be addressed by all companies doing business in the EU, the construction industry included. You must be GDPR compliant for your clients' and your company's safety, both from hackers and hacktivism and from extremely heavy fines [up to €20 million or 4% of the business's total annual worldwide turnover, whichever is greater] if you are caught not doing so.
IT security is a complex subject: no matter how much budget you have, you will never guarantee or ensure 100% security, as this would be a unicorn [yes, it does not exist!]. Specialists in the market say the question is not if you will be attacked by hackers, but when. The old EU Data Protection Directive from 1995 was out of date and could not address the vulnerabilities brought by the widespread use of the open internet and the new technologies available today. Until 2018, most companies were either unaware of the risks or accepting all of them, not caring enough about their own protection and, most importantly, about their clients'. The many information leaks and security scandals [or rather, lack-of-security scandals] that illustrated this situation were key reasons leading to the new regulation. This is where and why the GDPR came in.
The European Union established a minimum level of data protection and a set of rights people have over their information. Any company or institution of any kind doing business, with or without money changing hands, in the EU or with one of its residents anywhere in the world has to follow this regulation. This is not optional and it is not restricted to European soil.
Be Aware of and Follow The Official Regulation by EU
https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en This is the one step your team and company should not skip. Read the whole regulation from the most trusted source, the institution that created it, to ensure you do not miss a point that may be crucial for your company. The risk is too high to be ignored or overlooked: not being compliant may put you out of the market. Even for huge enterprises the fine is heavy, and it may also come with sanctions such as "a temporary or definitive ban on processing". In other words, the business stops for some time or forever, as most companies cannot operate without data processing.
Do Not Outsource the Responsibilities
Most construction companies do not have an IT team with security experts, and even if you do, they will need help, as this is not your core business. You can outsource the services that will support your business in achieving compliance, but your company remains accountable. Therefore, designate one person or team to own this matter internally and support their needs.
Have Trustworthy Partners to Support Your Business
The responsibility is yours and the work is too big for your internal team, so you need help. All third-party software used by the company that handles user or client data must be secure by design and GDPR compliant. Be well informed and choose carefully. For the partners you already have, review your current contracts for this information. This is a legal matter and it needs to be taken as seriously and as formally as it deserves. A second point is how these companies will support your other business needs. Do they offer you options for the deployment, or is the only option to follow their process? What kind of support do they provide? What is the service level agreement (SLA)?
Review All Your Internal Processes
Get your GDPR champion or team to review the company's processes to make sure there are no flaws. Depending on their background, experience and knowledge, they might need the support of a consultancy or expert service for this. This is an identification step, inside your IT department and outside it, to find where you need to apply the changes. It is also what lets you prioritise the actions according to the vulnerability level, from the most sensitive points to the least. If this step is skipped, you run the risk of a myopic perspective, leaving vulnerabilities around that can threaten your business continuity. Rushing to finish faster than the process can actually be carried out is a common mistake.
Establish New Internal Changes by Priority
Chances are many parts of your process were not in compliance, and now it is time to apply the changes. Be strategic about this step and work through a mix of the fastest and the most urgent changes, based on how sensitive they are. Do not follow the easy path of leaving all the harder points to the end, because you may only be delaying the moment the riskier vulnerabilities you have there blow up.
Extra TIP: Adopt GDPR-Compliant Cloud-based Software and Services
The best software and services today provide you with GDPR compliance within the scope of their own services. Most of them are themselves built on Google Cloud or AWS, the biggest players in the market and, therefore, the safest ones too. They are strong enough, and have great teams of experts in the subject, to make sure they apply best practices and keep improving their services. If new vulnerabilities are found, they will address them. Keep in mind that this compliance covers the provider's side of the service; how your company handles the data within it remains your responsibility.
Another smart point about adopting cloud software is that it gives you the best uptime. Availability is one of the security pillars, and with cloud-based services and software you can access your data at any time, wherever you are.
Learn more about Archdesk on GDPR compliance.