Information security is the cornerstone of digital construction, whether you’re an SME working on a local project or a Tier One contractor building highly sensitive infrastructure.
GDPR: Protecting data and people
Security isn’t just about physically regulating the people coming and going from a building. It includes protecting their personal data too. The General Data Protection Regulation (GDPR), or UK GDPR, is a law that sets strict rules on how organisations worldwide must handle personal data. This covers information such as names, email addresses and online activity, and includes each person’s right to access, correct and delete other information pertaining to them.
To ensure these standards are maintained, there are several certifications in place to protect data, including ISO 27001 and the UK Cyber Essentials scheme. That said, maintaining compliance with these standards is an ongoing task, meaning data managers and security leads should always be reviewing their processes.
With the construction industry becoming an increasingly digital workplace, this is only becoming more important. For example, when using a Common Data Environment (CDE), like Trimble Viewpoint for Projects, there can often be significant amounts of sensitive data contained within the system that need protecting. With the introduction of regulations such as Part L of the Building Regulations, the Building Safety Act and Awaab’s Law, this is only set to increase, with higher volumes of data needing to be recorded and retained.
As there are often multiple parties and stakeholders working on any single project, it’s essential that the whole supply chain complies with data security requirements, as the chain is only as strong as its weakest link.
Security considerations
To remain compliant and properly protect data, all organisations must first ask themselves what their security requirements are. Are you working on highly sensitive projects that need increased security processes? Have you just acquired a new piece of technology that might change the way you work?
ISO 19650 sets out some key points to help guide these considerations:
Develop a security strategy
Appoint a security manager
Create a security management plan
Create an incident management plan
As part of this, your CDE will be key, as it is where a large portion of your project data will be stored. Depending on the sensitivity of the project, the security measures could range from something as simple as adding Two-Factor Authentication up to providing detailed audit trails of who has accessed what information, where and when.
Implementing new security processes
Speaking about their experience, Colin Henderson, Technical Director at Atkins Realis, said: “When we were working on the National Underground Asset Register (NUAR), secure data sharing was a priority. Due to the accumulation of data we were receiving into our common data model, it changed the classification of what we were working with and changed our approach from a security perspective.
“With this in mind, we looked at the information we needed our system to collate and boiled it down into three simple questions. Firstly, who needs access? With the introduction of passwords, multi-factor authentication, One-Time Passcodes (OTP) and passkeys, we were able to regulate this. Next up was what access people needed and to where. This could be controlled with role-based access control, permission models, spatial limits or spatial extents. Finally, what is the level of detail that people need to see? This was more applicable to those using the front-end of the system, limiting access depending on their clearance level.”
Discussing how they’ve had to evolve to counter new cyber threats, Dan Blackman, Group IT and Security Director at McLaren Construction, said: “We’ve been introducing several processes business-wide to ensure that we are the best people to advise on safety and security. This includes baselines on new product and data tool purchases, providing a clear set of guidance and rules to adhere to.
“We’ve also been looking more carefully at who we partner with, delving into the systems that support single sign-up and have API capabilities. We’re also implementing similar vetting processes to our customers, ensuring our partners have key certifications like ISO 27001 and Cyber Essentials.”
In the case of digital security, education is a big part of the puzzle, with the right policies, processes and guidance needed to ensure that team members can easily digest information regarding data safety. By keeping processes simple and easy to understand, companies can make them easier to follow, in turn improving adherence and security.
Learn more about Viewpoint for Projects and explore the full compliance webinar series with Building Magazine.



