Are you ready for the GDPR?
Complying with data protection regulation is an essential part of running any successful business. With the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, replacing the Data Protection Act 1998, architects need to understand the implications for their own business and take measures to be compliant to avoid potential fines which can be crippling under the new regime.
This article will give a general overview and some architecture/construction industry specific guidance to help you stay compliant with the GDPR.
Before reading this article you may wish to see the previous RIBA Professional Feature on the GDPR as an introduction. Other key sources of guidance include:
- The Information Commissioner’s Office (ICO) which proposes ‘12 Steps to Take Now’ and includes an ‘Implementation Checklists’ for each key issue.
- The Data Protection Network
Data Protection Principles
Article 5 of the GDPR requires that personal data (defined as data from which a living individual can be identified, including email address) shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The ICO has produced a Guide to Data Protection that explains these principles in more detail.
As an architect you are very likely to be processing personal data as part of your project work. Examples of such personal data may include:
- Email addresses
- Geolocation data
- Data that relates to an individual person (separate from others in their group) is likely to be personal data.
Examples of ways in which you might process data when working on a project:
- In emails and letters
- In the project brief
- On drawings (physical and PDF/other digital media)
- In models on common data environments/clouds
- In visualisations
- In strategy documents
The GDPR requires you to have a lawful ground to process personal data. For project purposes this will generally fall under the lawful ground known as ‘legitimate interest’, because the individual(s) commissioning the project would naturally expect you to process their data in order to deliver the project. Using that same data for an unrelated purpose, such as sharing it with a marketing agency, would not be 'legitimate interest'.
Personal data processed pursuant to a contract (appointment) is also likely to be lawful processing. The RIBA Professional Services Contracts (to be launched in May 2018) are compliant with data protection regulations. Where there has been a contractual relationship between the parties, it is permissible to make further contact with the individual for new leads, provided an opportunity to be removed from any marketing list is offered at the same time.
Under any other circumstance, your practice should seek consent from individuals whose personal data they collect and administer in any way. Consent must be 'informed', so it is important to explain exactly what it will be processed for at the outset. Consent can be revoked at any time (for instance using an 'unsubscribe' function) so it is important to refresh the consent for processing an individual’s personal data, on a regular basis.
The RIBA recommends that all drawings, models, information, data and correspondence should be retained from initial contact with your client through to the end of the limitation period (6 or 12 years post contract/practical completion) and any limitation extension. This is to be able to respond to any legal claim or similar. However, under the GDPR personal data may need to be erased earlier than this, if there ceases to be any ‘legitimate interest’ to process the data. This is the principle of 'data minimisation' under the GDPR.
As required under the ARB Code of Conduct (ARB 2017), ‘You should ensure that adequate security is in place to safeguard both paper and electronic records for your clients, taking full account of data protection legislation, and that clients’ confidential information is safeguarded.’ The GDPR requires data processors to ensure they implement secure systems to protect personal data, and requires that any external parties which process personal data for your practice also take reasonable precautions to safeguard personal data.
The GDPR includes a requirement for organisations to begin new projects or offer new services with data protection built in at the outset rather than bolted on as an afterthought; this requirement is also known as Data Privacy by Design. To ensure you can demonstrate that your practice meets this requirement, prior to starting work, you may wish to undertake a data protection impact assessment to determine what data you need to process throughout the project, why it needs to be processed and how you will be processing it. This will help identify all the individuals you may need consent from if they do not fall under ‘legitimate interest’.
The most important data your practice will need to process outside of a project will be for marketing and human resources purposes.
When engaging in direct marketing, consent must be 'freely given, specific, informed and unambiguous' i.e. a positive opt-in, and consent cannot be inferred from inactivity. You must also enable an unsubscribe option from future marketing.
Read the ICO guidance on Preventing direct marketing.
There is lots of guidance available online for employers to consider regarding securing the personal data of employees. Again, the ICO has detailed guidance on Employment.
RIBA Chartered Practices have access to the RIBA Employment Law and Business Advice Online Library provided by Croner-i, which includes an Employers’ Dos and Don’ts Checklist for Data Protection.
Finally, the GDPR’s main principals are very similar to those under the Data Protection Act (1998) and if you are following best practice guidance already then updating and documenting internal data processes will be relatively straightforward.
While every effort has been made to check the accuracy and quality of the information given in this article, the RIBA accepts no responsibility for the subsequent use of this information, for any errors or omissions that it may contain, or for any misunderstandings arising from it. This guidance is not legal advice and where in doubt, members are urged to take legal advice accordingly.
This is a Professional Feature edited by the RIBA Practice team. Send us your feedback and ideas.
RIBA Core Curriculum Topic: Legal, regulatory and statutory compliance.
As part of the flexible RIBA CPD programme, Professional Features count as microlearning. See further information on the updated RIBA CPD Core Curriculum and on fulfilling your CPD requirements as an RIBA Chartered Member.
Posted on 12 April 2018.