GDPR Compliance and Cloud-security in a Construction Company

Be Aware of and Follow The Official Regulation by EU
https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en This is the one step your team and company should not avoid. Read the whole regulation from the most trusted source who created it to ensure you do not miss one point that may be crucial for your company. The risk is too high to be ignored or overseen - not being compliant may put you out of the market. Even, for huge enterprises, the fine is heavy and may also come with sanctions like “a temporary or definitive ban on processing”. In other words, the business stops for some time or forever as most companies cannot operate without data processing.

Do Not Outsource the Responsibilities
Most construction companies do not have an IT team with security experts and even if you do, they will need help as this is not your core business. You can outsource the services that will support your business to achieve compliance, but your company still answers for the responsibility. Therefore, designate one person or team to respond to this matter internally and support their needs.

Have Trustful Partners to Support Your Business
The responsibility is yours and the work is too big for your internal team - you need help. All third party software used by the company that handles user/client data must have security by design and be GDPR compliant. Be well informed and choose carefully. For the partners you already have, review your current contracts in search of this information. This is a legal matter and it needs to be taken seriously and as formal as it is. A second point is how these companies will support your other business needs. Do they offer you options for the deployment or the only option is to follow their process? What kind of support do they provide you? What is the service level agreement (SLA)?

Review All Your Internal Processes
Get your GDPR champion or team to review the company processes to make sure there are no flaws. For this, depending on their background experience and knowledge, they might need the support of a consultancy or expert service. This is an identification step, inside your IT department and outside it to find where you need to apply the changes. This is also relevant to define how to prioritise the actions according to the vulnerability level, from the most sensitive points to the least. If this step is skipped, you take the risk of having a myope perspective and leave vulnerabilities around that can threaten your business continuity. This is a common mistake to finish the process faster than it is actionable.

Establish New Internal Changes by Priority
Chances are many parts of your process were not in compliance and now it is time to apply the changes. Be strategic about this step and make a mix of fast and most urgent changes based on how sensible they are. Do not follow the easy path of leaving all the harder points to the end because you may be prolonging the explosion of riskier vulnerabilities you have there.

Extra TIP: Adopt Cloud-based Software and Services GDPR Compliant
The best software and services today provide you compliance to GDPR to the extent of their services. Most of them are supported by Google Cloud or AWS services themselves, the biggest players in the market and, therefore, the safest ones too. They are strong enough and have great teams of experts in the subject to make sure they are applying the best practices and keep on improving their services. If new vulnerabilities are found they will address it.
Another smart point about adopting cloud software is that it provides you with the best uptime. Availability is one of the security pillars and with cloud-based services and software you can access your data any time anywhere you are.