Skip to content
Search

Construction cost management

Construction cost management

This factsheet addresses the particular issues facing the construction cost management business.

Purpose of this factsheet

The GDPR (General Data Protection Regulation) came into effect on 25 May 2018. It changes, updates and extends the scope of data protection law across the whole of the EU. There are many helpful guides as to the general requirements, including those provided by country regulators.

These factsheets have been developed by DLA Piper in collaboration with RICS to give professionals more insight into the specific ways in which GDPR will impact their business.

This factsheet addresses the particular issues facing the building surveying business. We have a range of other factsheets tailored to the business needs of other professionals, which you can access here.

Key features of GDPR

The main areas for firms and individual professionals to address can be summarised as follows:

  • Transparency
  • Accountability
  • Processes and controls
  • Enforcement and fines
  • Data subject rights
  • Ongoing nature of obligations

Transparency

You must be clear with your clients, marketing prospects, sub-contractors and employees about:

  • What data you're going to collect and use
  • Why you need this data - the purposes for which you need to process the data
  • How you're going to process the data and in which countries will data be processed
  • Whether you need to transfer the data to third parties

You must have clear, updated notices for all the relevant groups of people whose data you use. These notices must be easily found and always available and you must notify people appropriately of the existence of these notices (e.g. on your website, with your terms and conditions, at a sensible stage in any online purchasing process, and embedded in your HR recruitment processes).

Accountability

  • Demonstrate that you have a clear view of the data flows across your entire business.
  • Identify the lawful basis for processing data in each case. For example:
  1. to fulfil contractual obligations
  2. to satisfy a legal requirement
  3. legitimate interests
  4. consent
  • If you are relying on consent, demonstrate it was freely given and is capable of being withdrawn.
  • For individual RICS professionals within firms, you will be able to rely on the firm processes and governance, provided you have reasonably satisfied yourself that it is being conducted in a diligent and compliant way.

Processes and controls

  • Governance Framework: you need to manage your compliance. This will include setting policies, running training and the potential appointment of a Data Protection Officer (DPOs): For example, if a significant proportion of your work is for local government, or other authorities, you should consider voluntarily appointing a DPO.
  • Privacy by design: you should incorporate a stage into your decision-making process to assess whether there will be any significant data aspects to new projects, systems or processes and, if so, evaluate what that impact will be.

Enforcement and fines

  • Regulators have a mandate to enforce compliance with the GDPR and greater enforcement rights. For example, regulators may impose a large fine of up to the greater of €20 million or 4% of annual global turnover in the event of particularly harmful breaches.

Data subject rights

  • You need to have processes in place to change or update data on request.
  • Individuals may request a copy of the data you hold on them at any time. You should ensure you have systems in place which can identify, retrieve and securely deliver responses to any requests.

Ongoing nature of obligations

  • Compliance with the GDPR is best achieved when it is adopted by the executives of your organisation and disseminated downwards.  Depending on the focus of your business, your surveyors and marketing executives will all need training to enable them to take responsibility for data security and management and to adopt good practice in how they carry out their roles.

Related Construction Management events

Case Study: Construction cost management

Scenario:

Company E have been in business in the UK for 20 years. As a result of a merger with another firm, they are streamlining their systems and processes and introducing BIM modelling and management through the lifecycle of the CCM process. This involves using a third party SI to ensure all the third party systems operate and interface effectively in order for the data to flow through the end-to-end process.

Issues:

  • The processes, data and outputs of the modelling and management tools are likely to be financial rather than personal data.
  • There will be significant personal data in relation to the construction stage if details of sub-contractor staff with their wages and other information is captured in the process.

GDPR points to note:

  • This is an overview of some key considerations: it is not an exhaustive list of the steps to take in order to ensure GDPR compliance.
  • It is assumed in each case that there is a comprehensive governance structure in place, and, for example, considerations of data retention and minimisation are embedded in the policies, systems and processes adopted by the organisation.
  • Employee data issues also need to be considered and addressed in every case: this is a significant area for most businesses.
  • Review of data processing activities: Company E should identify all the categories of personal data currently being processed for which it is the data controller and should also identify the purpose of the processing and the systems and locations in which it is held. This could include, for example, details of clients for whom it provides the construction cost management services, both for fulfilling contracts and marketing activities, information about the company's own employees and, potentially, personal data about contractor or subcontractor staff (if the data is sufficiently granular). 
  • Record of data processing activities: Company E must create or update appropriate and compliant records of all the data processing activity identified in the first step.
  • Lawfulness of processing: In order to continue processing this data, company E must identify the relevant legal ground in each case. For example, in relation to its clients, it may have a legitimate interest in processing contact details of the representatives from those clients. In relation to construction personnel, if it is necessary for the individuals to be identifiable, then the company might review whether they have a legitimate interest in processing this data.
  • Transparency: Company E should review and, where appropriate, update all documentation relating to its processing activities. This will include fair processing notices on its website and associated with its terms of business, contract terms with its clients, suppliers and employees and its own policies.
  • Data Protection Impact Assessment: In relation to the transition to the new BIM modelling, this constitutes 'new technology' and, as such, will require company E to assess the impact of the proposed operations on the protection of personal data (a Data Protection Impact Assessment: DPIA).  This will be done in conjunction with the SI managing the process and will also likely result in special requirements being included both in the specification for the eventual system, and the contract with the SI.
  • It's worth noting that, having completed the first step, even in relation to processes where there is no personal data being captured and processed, company E will nevertheless want to protect the confidentiality and security of this business information.
  • As a data processor, Company E must keep the data secure and follow the instructions of the relevant contractor as to how to process this information. They may also choose to anonymise or pseudonomise the information (e.g. by allocating an identifier rather than any personal data to the individuals).

DLA Piper