Data Security in the Construction Industry.
With the increasing importance of data and information security within the construction industry, it is essential to adopt security-minded behaviour and understand the risks involved in managing and sharing data and information. Cyber security in construction should be taken every bit as seriously as physical security. Cyber security is a concern for every type of business, including small businesses and construction firms, and can be compromised by individuals through carelessness, lack of knowledge or deliberate refusal to comply with set regulations.
What is personal data?
Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details.
Adopting a Security-Minded Approach
- Understanding and following appropriate security measures in any business situation.
- Awareness of how behaviour and actions, including use of social media, can impact on personnel security and that of others.
- Appropriate use of social media professionally and socially.
- Identify potential threats and security vulnerabilities that exist at each stage of the construction process, taking measures to mitigate unacceptable risks.
- Appreciate how exploitation of vulnerability may result in harm to people, a built asset, services or data and information.
- Identify and oversee the implementation of security policies and processes appropriate to the construction phase.
- Watch out for and report any suspicious behaviour at company premises or on construction sites.
- Do not publish information that allows the projects you are working on to be identified.
- Do not post photos taken on site on social media (especially if your device has geotagging turned on).
- Consider what information you are posting on networks; avoid posting details of systems that you work with, especially those relating to safety and/or security.
Using Technology at Work
- Do not use work devices for sending or receiving personal emails.
- Avoid using personal devices for work and do not transfer files from a personal device to a work one.
- Report phishing emails and do not open links or attachments you believe may not be genuine. (Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.)
- Make sure your devices are locked when leaving them unattended, especially when they hold or have access to sensitive information.
Sharing Data and Information Outside the Company
A construction project can involve collaboration between different, as well as owners and clients, which means plans, blueprints and other sensitive information such as financial information and employee records may have to be shared outside the company.
For example, Building Information Modelling (BIM) involves collaboration between multiple parties, and when it is integrated with a Common Data Environment (CDE: the single source of information for the project, used to collect, manage and disseminate documentation, the graphical model and non-graphical data for the whole project team), it contains a lot of sensitive information and data. Security, naturally, should be a top priority.
Data storage and protection must also comply with relevant regulations such as the General Data Protection Regulation (GDPR) if working within or dealing with the EU.
The GDPR is an EU Regulation that became effective in all EU member states on 25 May 2018. It has been implemented and supplemented in the UK by the Data Protection Act 2018, and it replaced and repealed the Data Protection Directive (95/46/EC), which was implemented in the UK by the Data Protection Act 1998 (DPA 1998).
GDPR was introduced to respond to new technology developments that have affected the ways we collect, hold, communicate and share information, by setting out guidelines for the protection and fair and lawful processing of personal data.
GDPR after Brexit
During the transition period there will be no immediate change to the UK’s data protection standards. EU data protection laws, including the General Data Protection Regulation (GDPR), will continue to apply during the transition period alongside the Data Protection Act 2018.