Have you covered your basics on data protection?
For the past two months, since the coming into force of the General Data Protection Regulation (GDPR), every practice, down to the part-time sole trader, has had to not only comply with data protection law but be in a position to demonstrate compliance, which means showing that appropriate safeguards are in place for the handling of personal data.
Potential fines of up to €20m for a serious breach, or 4% of global turnover if the figure is larger, have been set at a level to be taken seriously by the largest corporations. For small practices that do not see themselves as data processors this might appear a bit out of proportion.
But any data from which an individual can be identified – name, address and phone number is more than enough – counts as personal data, and any processing or administration of this data in the widest sense falls within the remit of the GDPR.
Barrister Howard Lewis-Nunn, who presents the RIBA CPD module on GDPR, explains that the principles of data protection did not fundamentally change on 25 May 2018; what did change was the need for even the smallest of businesses to be able to demonstrate how it addresses data management.
This means senior staff need to understand the principles of GDPR, and staff generally should be trained to recognise when they are handling personal data, how to use it appropriately and how to spot potential GDPR issues. Personal data also has to be secure and should not be kept longer than is necessary.
Taking a practice’s personnel records and payroll data as an example, only the people who need to be able to access the data should be able to do so.
The principles of GDPR range across fair and lawful use of data, transparency of data processing, the use of data being limited to purpose, minimisation of the amount of data held, accuracy, storage limitation and accountability. The Information Commissioner’s Office (ICO) sets this out and offers a 12-step plan for compliance as well as guidance specifically for small and micro businesses.
Outside of a situation where informed consent has been given for the use of personal data, the GDPR sets out six lawful grounds for managing data. Lewis-Nunn says the two most likely to cover the typical data handling activities of architects’ practices are ‘operating a contract’, and ‘legitimate interests’.
Individuals involved in a project will expect their personal data to be held by other project team members for the delivery of the project. Both the RIBA and ARB further require project information and records of communications to be stored – the RIBA recommends keeping all relevant information to the end of the limitation period.
Keeping such data is therefore entirely legitimate, but a problem would arise if this data were to be used for some alternative purpose beyond the expectations of those whose data is held.
Architects should note that the GDPR now requires businesses that are beginning new projects or offering new services to have demonstrable data compliance systems in place at the outset, a requirement known as ‘Privacy by Design’.
The area that tends to perplex architects is the non-operational activity of marketing and client leads. The status of a business card freely handed over at an event is an example often raised at CPD presentations and can be used to illustrate some of the intentions behind the GDPR.
One of the principles running through the GDPR is the need for informed consent for the holding of personal data to be freely given, and for that consent to be withdrawn as easily as it is given.
‘If you receive a verbal offer to get in touch and a business card, you can rely on that person’s legitimate expectation that the information may be used to contact them,’ explains Lewis-Nunn. ‘But if that same information were to be placed in a database and used as part of a targeted programme of cold calling or mailing at any sort of scale, then it becomes data processing and the GDPR requirements will apply.’
Common sense must come into play, but under the new GDPR regime architects should bear in mind that whenever personal information is collected, the person concerned should be informed of how that information might be used.
So if the intention is to use data for a particular exercise that a person is unaware of, such as a regular mailing list, Lewis-Nunn suggests there is a case for seeking consent. People should be invited to opt in, not be left to opt out.
This means that every practice website should now have a privacy notice, informing visitors what information is being collected, and for what purposes it will be used.
‘No-one is ever going to be 100% compliant with GDPR, and it is meant to be an evolving process, but every business should be able to demonstrate that it is thinking about compliance when handling personal data,’ advises Lewis-Nunn.
Thanks to Howard Lewis-Nunn, Barrister, No15 Chambers.
Text by Neal Morris. This is a Professional Feature edited by the RIBA Practice team.
RIBA Core Curriculum Topic: Legal, regulatory and statutory compliance.
As part of the flexible RIBA CPD programme, Professional Features count as microlearning. See further information on the updated RIBA CPD Core Curriculum and on fulfilling your CPD requirements as an RIBA Chartered Member.
Posted on 2 August 2018.