The Future of Data and Privacy in Construction's Digital Age

As the construction industry wades further into a digitized future, it is imperative that companies exercise caution in regards to data.

Adobe Stock 363043424
metamorworks at

This article was adapted from its original version, "Data and Privacy in Construction's Digital Age: What Does the Future Hold?” on the AEM website with exclusive permission from the author.

The value of data has proven its importance in our increasingly digital world.

While the construction industry hasn't been digitalized as quickly as others, momentum is being gained. Using data, like the information provided by off-highway telematics systems, can increase efficiency and provide other benefits.

However, as noted by Tom Valbak Aardestrup, vice president of business development and strategic programs at AEM member company Trackunit, during AEM’s most recent Product Safety & Compliance Seminar, data must be collected and used with the utmost responsibility, particularly when it comes to personal data.

“There’s an enormous amount of data that is being collected and created, and the world is just connecting even more,” says Valbak Aardestrup. “There are new, cheap open source systems and sensors available that collect data, make it available, and it yields amazing insights that we can use to become more efficient. We can work smarter. We can be better in the way we plan, design, conduct our business, [and] monitor and learn from our projects operations.”

Embracing the Use of Data

The ways that companies utilize data is crucial for success, and Valbak Aardestrup warns those who do not embrace the use of data may find their businesses obsolete.

“The world is changing by connecting digitally, but it definitely also brings in some challenging situations,” he says.

According to Valbak Aardestrup, it is predicted that by 2025, we will have 175 zettabytes (ZB) of data being generated by systems supported by the Internet of Things (IoT). Of that vast amount of data, it is estimated that 90% of it will be less than two years old. In order to gain insights from that much data, machine learning and artificial intelligence will be required, putting greater emphasis on cybersecurity.

“It also needs to, of course, be something that can be utilized in a format that is sharable and standardized,” says Valbak Aardestrup. “And then again, of course, it needs to be in a safe and secure environment.”

As a result, companies doing business in the European Union (EU), like Denmark-based Trackunit, must comply with the EU’s General Data Protection Regulation (GDPR). It's almost important to note that the GDPR affects those in the United States as well. The Regulation has extra-territorial scope, which means that websites outside of the EU(like in the U.S.) that process data of people inside the EU are obligated to comply with the GDPR.

“When talking about GDPR and all these other items, there is no question that the shared access to standardized data is a precondition for us to harvest the data. That, of course, needs to be regulated when that becomes the case,” Valbak Aardestrup says.

The GDPR was created for the protection of individual people living in Europe. It applies to all enterprises and governmental bodies, so OEMs selling or offering products within the EU must comply with the regulation.

“It ensures that companies only gather information that they need. It’s definitely a trust issue, and the aim is for me, as an individual person in the European Union, to control who has access to see and use my data,” Valbak Aardestrup explains.

The GDPR also provides an individual with the power to have personal data removed, and it ensures data is not exported out of the EU without the individual knowing. What’s more, the GDPR ensures companies using data have a legitimate interest to do so.

As was mentioned, the U.S. does have data privacy laws, though there isn’t one federal-level privacy law like the GDPR. There are, rather, several vertically-focused federal privacy laws, as well as a new generation of consumer-oriented privacy laws. According to Varonis, a cybersecurity company, the U.S. has implemented these strategies state-by-state, with the Californian Consumer Privacy Act (CCPA) coming the closest to addressing consumer data privacy. The CCPA has been in effect since Jan. 1, and is expected to become a standard within the U.S. in the near future. However, Varonis points out that the two differ in that the GDPR grants consumers a right to correct or rectify incorrect personal data while the CCPA doesn’t.

With no clear direction or insight from Washington, other states have taken a cue from California and have drafted their own privacy laws. 

It's important to acknowledge, too, that few updates to the GDPR’s text have been made. However, Valbak Aardestrup notes that self-certifying through a privacy shield is no longer allowed, and the GDPR is more stringent than the CCPA.

“If you’re active in the EU, I would suggest that you, first, focus on being compliant with GDPR and then, second, if need be, be compliant with CCPA,” he says. “I would presume if you are an American company dealing in Europe, you’re most likely also doing deals in California.

“The GDPR is still stricter than what we see with the CCPA. So at least the suggestion is it will be easier to go for GDPR and still be compliant with CCPA, than the other way around.”

Data Compliance

Valbak Aardestrup notes the importance of understanding what the GDPR is and how the construction industry in Europe has had to navigate this “blanketed regulation” designed to protect consumers. The regulation created a number of challenges, especially within the industry. For example, heavy equipment rentals are a primary segment for tracking, which makes it vital to comply with GDPR as data must be kept secure to remain compliant.

The digitalization of the construction industry provides increased efficiency, better documentation, automation of jobsites, improved maintenance practices, less downtime, and safer working environments. Understanding what is considered personal data, and how it can be used properly, is critical.

Examples of personal data within the construction industry can include CCTV monitoring of premises and jobsites, databases of email addresses, the GPS location of equipment when an operator is logged-in, weight sensors on a driver’s seat, and more. Further, any bio-metric information – like fingerprints – is considered sensitive information and regarded higher with additional protections.

While compliance is required, there are proper ways to utilize personal data, provided a company has a legitimate interest for using the data. “It has to be fair and transparent,” Valbak Aardestrup says. For example, if someone wanted to find out how a machine is being operated, only the data coming through for that specific time can be used to solve that challenge. “You have to ensure consent is actively submitted,” he adds, noting this can be included contractually in an employment letter.

To avoid challenges, Valbak Aardestrup recommends that data-handling becomes an integrated part of a company’s culture so that data is secure and used within the confines of the GDPR. Protecting an individual’s data must begin when a company is starting to design and develop new solutions that will be introduced to the market.

“It’s challenging if you have one regulation that is meant for a consumer, or meant for one specific industry, is then blanketed across a lot of other industries. That will create some complexities,” Valbak Aardestrup says. “There’s also an ever-growing challenge of security. Now, C-levels across the globe are seeing that data security and cybersecurity is one of their top concerns."

Next Steps

As the construction industry wades further into a digitized future, it is imperative that companies exercise caution in regards to data.

The data controller – often the machine or fleet owner when it comes to construction or rental – needs to confirm it has consent from system users and make any legitimate interests clear. They should be prepared to note who is watching the data, why the data is being collected, and how long the data will be kept under their control. The data controller also must be able to delete data if the subject chooses to have their information removed.

Data processers, like OEMs or business owners, must ensure the legal framework is in order, so data can be transferred within the context of the regulation.

Without self-certification, the data processor must secure standard contractual clauses between all entities. This may amount to several contracts being signed in order to guarantee a data processing agreement is in place. An alternative is creating binding corporate bylaws, but that must go through a full EU approval process in Brussels.

If partnering with a data sub-processor, make sure they understand all regulations and can comply with them. For example, sub-processors should have standard contractual clauses in place if they are also exporting data from the EU to the U.S., and they should have built-in data protection as well.

Valbak Aardestrup also recommends a company document compliance processes and keep records; update and maintain processes and records; and ensure processing partners are compliant. Individual companies can begin implementing best practices regarding data regulations by adding data sharing clauses into employer contracts and employment offer letters.

“If this has not been done already within your company, start putting into your offer letters clauses that actually say you should be aware that you might be tracked, we might be using your personal information for these purposes, and by signing that contract later, the data subject actually gives their consent,” he said.

As the EU continues to navigate the GDPR and the U.S. develops its own regulations like the CCPA, Valbak Aardestrup urges industry stakeholders to work with lawmakers to pass regulations that take into consideration the logic, best practices, and general work processes of the construction industry. He said leveraging associations like the AEM could help avoid mistakes made by the EU and avoid blanket legislation from hindering the industry’s digital growth.

“The challenge comes when something meant for consumer protection is thrown across all industries,” Valbak Aardestrup says. Avoiding this can help members of the industry embrace digitalization and its related benefits, and usher in the future of the industry with fewer hurdles.