At Finalcad, we acknowledge that we live in an era where data privacy and cybersecurity are a crucial matter. In this article, you will learn what GDPR means for the construction industry, and how Finalcad has been committed to data protection for its clients.
Recently, we have witnessed some of the hurricane’s consequences with events such as the Cambridge Analytica x Facebook scandal when the consulting firm used millions of individuals’ personal data collected via Facebook for the US elections.Although working in the digital space undoubtedly brings an endless list of new and exciting opportunities, it also comes with lots of challenges, a major one being data protection. As a digital company collecting its clients’ data to be able to provide services, multiple questions arise:
What data to collect from our clients?
What usage can be done with it?
How to ensure it always stays safe?
These are all questions our team considered from the beginning and is continuously analyzing and aligning with new industry standards and product evolutions. As early as 2015, we published a data usage charter to address those questions.
What is the GDRP?
For years, personal data was regulated by EU’s Data Protection Directive 95/46. However, the web space has evolved quite significantly since the mid-nineties, which is one of the main reasons why a new regulation was voted in 2016 and will be effective this year to replace the outdated one. On May 25, the new General Data Protection Regulation (also known as GDPR 2016/679) will be taking effect all across Europe. Its purpose is to better protect European residents, harmonize European rules, and extend them beyond the EU.
As a consequence, all European organizations, but also extra-European companies with activities in the EU must now adjust their business practices to comply with this new standardization. If they don’t they will face very severe fines (up to €20M or 4% of their consolidated worldwide turnover). This is good news for all web users and customers - it means more transparency and control over how their personal information is treated and used, but what does it mean for businesses?
Expert interview
Since 2011, we have worked closely with renowned lawyer Mr. Étienne Drouard from K&L Gates1 to benefit his Intellectual Property and Data Security expertise in order to provide the best standards to our clients. More recently, we had the opportunity to discuss with him about the new GDPR and what it involves for businesses like Finalcad.
Finalcad: The GDPR will be effective this year on May 25. What does it mean for organizations like ours that collect data from their clients?
Etienne Drouard: It means contractual relationships between service providers such as Finalcad and their clients are more strictly governed by the GDPR (in Article 28). It compels the provider to ensure both security and confidentiality of the personal data given by the clients. The two parties of the contract must collaborate to ensure individuals can exercise their rights. They must also collaborate in case there is any security breach, whether it is on the provider's side or the client's side. The client as well as the service provider both have up to 72 hours from the moment they discover a breach to document it and diagnose it. If it represents an important threat to individuals’ rights and freedom, the breach must be reported to the local regulator. In France, this regulator is known as the CNIL, but typically any breach should be reported to the local regulator where a client is based.
FC: What are some major changes compared to past regulations?
E.D.: Regarding the relationship between clients and service providers, there is nothing new on the principle. Contracts were already mandatory, and providers had to ensure data security and confidentiality but there is still one major change with GDPR. Prior to it, service providers couldn’t be held responsible for not respecting the regulation: they had to respect the terms of their contrat with their clients. If the provider committed any negligence with data usage according to the law, the client was held responsible towards any other person involved (including people whose data was collected). The GDPR balances relationships, meaning that the client and the service provider may now have a joint responsibility in case of any security breach due to the provider operating freely, without following the client's instructions. Therefore, the GDPR is rather to the client’s advantage compared to the past regulation from 1995. That being said, Finalcad was already committed to ensuring data security and confidentiality, and accepted its responsibilities, so this doesn't change their relationship with their clients.
FC: Which benefits can users expect from such changes?
E.D.: I don’t know if this is a benefit, but the fear of sanctions. Due to GDPR’s very large scope, organizations will become more and more vigilant when it comes to data protection. Since there is a higher level of risk, there is more consideration regarding this matter.
FC: In a recent article, you mentioned that the Facebook scandal is a great test to see how Europe is going to sanction them. Do you think everyone should be concerned by such sanctions?
E.D.: I believe right now there is a general feeling of panic that is completely irrational. There are some companies willing to get rid of their current files because they are scared of not being compliant in the future. Some others are sending out messages to their whole database asking individuals to confirm that they wish to receive further communication, otherwise as of May 25, 2018 they will no longer get in touch with them. That means these companies will lose between 60 and 85% of their database simply because they believe GDPR is retroactive. The data collected prior to May 25, 2018 did not require individuals’ consent. What is important is to comply to the GDPR moving forward.
FC: Since we work in B2B, we collect very few personal information, the data is mostly private organizational data. What is the role of GDPR with that type of information?
E.D.: The GDPR does not change or add anything regarding that matter. Finalcad has always taken data protection engagements and included a confidentiality clause, more broadly connected with professional secrecy. Furthermore, Finalcad reserves the right to learn more about how their apps are used, but only does so in the form of statistics, improvements, users’ journey, algorithms and performance scorecards. They cannot do it in a way that would reveal any organizational data to another organization. Therefore, there is no risk of competition and it does not violate clients’ confidentiality.
FC: Digital technology in the construction industry is still quite new. What advice would you give to organisations working in that field regarding the way they handle data?
E.D.: My main advice would be to educate others regarding this topic, as we are in a field where people confuse property ownership and information ownership. The difference between the two is that it’s not helpful to own information if we can’t use it in a way that brings value. Some may think that purchasing a software usage license means purchasing an organization, but in fact, they pay for an access to a solution that existed prior to their contract, and will continue existing after it. Clients do not become owners of the service provider nor the databases, they benefit some services, and the service provider guarantees confidentiality of their data. With Finalcad, this benefit relies on the fact that we can finally understand and analyze thousands of construction fields, observations, defects, and behaviors. With these analyses, their digital tool for construction may present and predict factors of restraint as well as elements of productivity.
Étienne Drouard
IT/IP/Privacy Partner - K&L Gates LLP
Finalcad and the GDPR compliance
Even though security has always been a serious matter, since the announcement of EU’s GDPR in 2016 we started implementing changes as we want to fully align our business practices with it. Ultimately, we wish to offer our clients piece of mind when it comes to data privacy.
The GDPR is composed of six core principles that we all addressed internally for optimal compliance:
- Lawfulness, Fairness & Transparency: making sure data collection is in accordance with the law, and that clients are fully aware of which data an organization is collecting and why.
- Purpose Limitation: clients data must only be collected for a specific purpose, which should be clearly stated.
- Data Minimization: only relevant data should be collected by the organization. Less data means less consequences in case of any data breach. According to the GDPR, any data breach that may represent a risk for individuals’ rights will now have to be reported.
- Accuracy: in order to be protected, the data must be accurate. Any inaccurate data should be rectified or deleted, and individuals can request any change or deletion of their data.
- Storage Limitation: organizations should remove any data that is no longer necessary, which means that once an individual is no longer a client, their data should be deleted.
- Integrity & Confidentiality: all organizations must have a security system in place that is appropriate to the level of risk.
As required by the GDPR, we newly appointed Marc Bourel as our DPO (Data Protection Officer). Marc has an exhaustive background in IT Services as well as Corporate and Auditing Accountability. Most notably, he has worked on SOX Control for HSBC Life Insurance and on the implementation of ISO 9001 and ISAE 3402 for La Parisienne Assurances / Protegys Group and Zags.
He started working with us last June as a consultant and has now officially joined the Finalcad team as our Chief Information Officer. He, along with his team, works assiduously on our product compliance with industry standards. He is a key player in our organization, and has already managed a multitude of changes and reinforcements in our internal processes.
Marc Bourel
Chief Information Officer & Data Protection Officer - Finalcad
Going further with ISAE 3402 compliance
These efforts to assure best-in-class services and product quality are part of a broader initiative we recently undertook in order to obtain assurance standard ISAE 3402. Indeed, we want to strengthen that relationship of trust with our clients, and elevate our organization to reinforce its leader position as a digital service provider for the field on the global construction market. The International Standard for Assurance Engagements (ISAE) is a report issued by the International Auditing and Assurance Standards Board. It is intended to provide clients and their financial auditors the assurance of quality controls implementation within an organization they chose as a third-party service provider. To acquire such a standard, an organization has to go through a series of thorough auditing processes in order to prove that they’ve implemented appropriate controls (Type I) and that these controls are proven to be efficient (Type II).
ISAE 3402 will be a way for us to implement an efficient internal control which will benefit both our clients and our organization. It’s an assurance standard helping us ensure we’re meeting our clients’ needs and expectations while scaling our organization. Eventually it will also become cost-saving due to our processes’ standardization and help us improve our work continuously and more smoothly.
Ultimately, these organizational developments will collectively help us change the way we build!
1. K&L Gates LLP is a business and corporate law firm. The company was founded in 1946 and is based in Pittsburgh, Pennsylvania with additional offices across Unites States, South America, Asia, Europe, Middle East, and Australia (Bloomberg, 2018).