Prioritise Physical or Digital Assets?
- Martin Perks
- Sep 12
Updated: Sep 14
Navigating Data, Systems, and the New Era of Transparency in UK Construction
Why GDPR is Now Part of a Bigger Picture

In the fast-paced world of UK infrastructure and construction, the General Data Protection Regulation (UK GDPR) can often feel like another piece of bureaucratic red tape—a distraction from the critical, tangible risks of delivering complex projects on time and on budget. A site manager is, quite understandably, often more concerned with a physical break-in than a digital one. Yet, the latter could cost the company millions, dismantle its reputation, and lead to regulatory action that halts work far more effectively than any physical barrier.
This isn't a theoretical risk. In 2022, the Information Commissioner’s Office (ICO) fined the construction giant Interserve £4.4 million. The penalty wasn't for a minor slip-up; it was for a catastrophic failure to secure its systems against a simple phishing email. This single point of failure allowed attackers to access the personal data of up to 113,000 current and former employees, including highly sensitive 'special category' data like ethnic origin, religion, and health information (Burges Salmon, 2022).
The Interserve case is a stark wake-up call for the entire sector. It perfectly illustrates a common and dangerous point of confusion: the failure was in the systems (outdated software, inadequate staff training, poor incident response), but the devastating consequence was a breach of personal data (Burges Salmon, 2022). For years, the challenge has been framed as balancing these two elements. However, the legislative landscape is shifting dramatically. The introduction of the Procurement Act 2023 and the Economic Crime and Corporate Transparency Act (ECCTA) has ushered in a new, mandatory era of transparency (Achilles, 2025; Companies House, 2025).
This article is for every organisation in the UK infrastructure supply chain, from client bodies and Tier 1 contractors to the specialist SME suppliers who form the backbone of our industry. Its purpose is to demystify the crucial distinction between your responsibilities for the personal data you handle and the systems you use to manage it, all while navigating a new, complex balancing act. You are now required not only to protect personal data but to be more transparent than ever before about your commercial operations and corporate governance. Understanding how to be transparent while remaining compliant is no longer optional; it is a fundamental part of modern project risk management.
What Counts as 'Personal Data' on a Modern Construction Project?
The first step is to get to grips with what the law actually protects. The UK GDPR defines personal data as "any information relating to an identified or identifiable natural person" (Information Commissioner's Office, online 2025). In plain English, if a piece of information is about a living person you can name, or could reasonably figure out who they are from the information you have, it's personal data (NI Business Info, 2025). This applies whether the data is held digitally or in a structured physical format, like a well-organised filing cabinet of employee records (Information Commissioner's Office, online 2025).
The construction industry's traditional focus on tangible assets like plant, materials, and buildings can create a cognitive blind spot for the intangible but highly valuable (and high-risk) asset of personal data. Managers are naturally more comfortable assessing the security of a physical site than the security of a database. However, a modern construction project generates a vast and varied amount of personal data throughout its lifecycle.
A Project Lifecycle View of Personal Data
Thinking about data in the context of a project's timeline helps to reveal its scope:
Tender & Pre-Construction: Before a spade even hits the ground, personal data is being exchanged. This includes the names, corporate email addresses, and phone numbers of the client's team, the CVs of proposed project staff, and the detailed financial and directorial information collected from suppliers and subcontractors during pre-qualification (Integrity Software, online 2025; Womble Bond Dickinson, online 2025).
On-Site Operations: This is where the volume and sensitivity of personal data collection explodes.
Employee & Operative Data: Standard details like names, addresses, bank details for payroll, National Insurance numbers, and emergency contacts are fundamental (Integrity Software, online 2025; NI Business Info, 2025). This information is often shared across a complex web of main contractors, payroll providers, and labour agencies.
Site Access & Security: Modern sites use sophisticated systems that process personal data. This can include biometric data like fingerprints for turnstiles, names and photos on ID cards, and vehicle registration numbers logged at the gate (Womble Bond Dickinson, online 2025; NI Business Info, 2025; Skillcast, 2025).
Health & Safety Data (Special Category): This is among the most sensitive data processed. It includes accident reports detailing specific injuries, occupational health referrals, drug and alcohol test results, and any information on disabilities or health conditions declared for workplace adjustments (Information Commissioner's Office, online 2025; Womble Bond Dickinson, online 2025; Health and Safety Executive, online 2025). This 'special category' data is given extra protection under UK GDPR because of the significant risk of discrimination if it were compromised (NI Business Info, 2025; Black Pear Advisory, online 2025; GDPR-info.eu, online 2025).
Surveillance Data: Footage from CCTV or drone flyovers that captures identifiable individuals is personal data (Womble Bond Dickinson, online 2025; Walker Morris, 2025; Skillcast, 2025). Even if a person's face is not clear, they may be identifiable from their uniform, vehicle, or the context of their actions (Information Commissioner's Office, online 2025).
Telematics & Location Data: GPS tracking data from company vans, plant machinery, or handheld devices is personal data when it can be linked to a specific driver or operator, revealing their movements and work patterns (Compare Your Business Costs, 2025; Masternaut, online 2025; GRS Fleet Telematics, 2025).
Project Management & Handover: Throughout the project, personal data is embedded in management processes. This includes training records and competency certificates for individuals, and the contact details and roles of professionals recorded within Building Information Modelling (BIM) data or a Common Data Environment (CDE) (The NBS, online 2025; Scottish Futures Trust, online 2025).
It is crucial to understand that data does not need a name directly attached to it to be considered personal data. A unique site access card number, for instance, is personal data if it can be cross-referenced with another list to identify the holder (Information Commissioner's Office, online 2025; Womble Bond Dickinson, online 2025). This principle of "identifiability" significantly broadens the scope of what needs to be protected.
Identifying Your 'Systems' - From Filing Cabinets to the Cloud
If personal data is the 'what', then systems are the 'how'. UK GDPR defines 'processing' in extremely broad terms as "any operation or set of operations which is performed on personal data" (GDPR-info.eu, online 2025). This covers the entire lifecycle of data, from the moment you collect an email address, to storing it on a server, sharing it with a subcontractor, and finally, securely destroying it years later (European Commission, online 2025; Information Commissioner's Office, online 2025). The 'systems' are simply the tools—both digital and physical—used for this processing.
The construction industry's ongoing digital transformation is leading to the adoption of increasingly powerful and interconnected systems. While these are implemented to boost efficiency, safety, and collaboration, they are also, by their very nature, large-scale data processing engines (UKRI, 2025). This means that as a company adopts more of this "efficiency-improving" technology, it simultaneously and often unknowingly becomes a larger-scale data controller, expanding its GDPR obligations. A company's digital strategy and its data protection strategy are two sides of the same coin.
The Construction Tech Ecosystem
The systems used in the sector can be grouped into several key categories:
Core Business & Finance Systems:
Enterprise Resource Planning (ERP): Specialist construction ERPs like Access COINS are designed to be a single source of truth, centralising finance, project management, commercial, and HR data, all of which contains personal information (The Access Group, online 2025).
HR & Payroll Software: Dedicated systems for managing employee contracts, pay, sickness records, and other sensitive employment-related data (The Access Group, online 2025).
Project Delivery & Information Management Systems:
Project Management Platforms: Cloud-based tools such as Procore or ConWize are now commonplace. They connect teams and manage workflows, but in doing so, they process personal data about every individual with an account and every person mentioned in project communications (The Access Group, online 2025; Slashdot, online 2025).
Building Information Modelling (BIM) and Common Data Environments (CDEs): While BIM is focused on creating a digital twin of a physical asset, the model's data and the CDE it resides in inevitably contain personal data (Scottish Futures Trust, online 2025). This includes the names of architects, engineers, and managers who have created, reviewed, or approved elements of the design, creating a detailed audit trail of individual professional activity (The NBS, online 2025; Infrastructure and Projects Authority, 2023).
On-Site & Field Technology:
CCTV Networks: The entire infrastructure of cameras, digital video recorders (DVRs), and monitoring software constitutes a processing system (ClearView Communications, online 2025; GOV.UK, online 2025).
Site Access Control Systems: The software and databases that link turnstiles, smart cards, or biometric readers to individual identities (Womble Bond Dickinson, online 2025; Skillcast, 2025).
Drones (Unmanned Aerial Systems - UAS): The drone itself, its control software, and the systems used to store and analyse its footage are all part of a processing system that can capture personal data, often inadvertently (Walker Morris, 2025; Pinsent Masons, 2014).
Standard IT Infrastructure:
This category covers the everyday tools of business: email servers (like Microsoft 365), shared network drives, and cloud storage platforms (such as Dropbox or OneDrive).
It also includes physical, structured filing systems, such as HR record cabinets organised alphabetically by employee name, which are explicitly covered by UK GDPR (Information Commissioner's Office, online 2025).
The Three Sides of the Compliance Coin: Privacy, Security, and Transparency
Understanding the distinction between data and systems is the key to unlocking a practical understanding of UK GDPR compliance. But with the arrival of the Procurement Act 2023 and ECCTA, a third, equally important consideration has been added to the mix: transparency. Organisations must now balance three distinct “Hats” of obligation.
Hat #1: Responsibilities for the DATA (The 'What' - UK GDPR)
This is about what you do with personal information and why. The rules for the data itself are governed by the seven core Data Protection Principles found in Article 5 of the UK GDPR. These are the fundamental 'rules of the game' for handling personal information (White & Case, online 2025; CLARIN ERIC, online 2025; Data Protection Commission, online 2025).
Purpose Limitation: You must be clear, specific, and legitimate about why you are collecting personal data from the outset (White & Case, online 2025; Information Commissioner's Office, online 2025; GDPR-info.eu, online 2025). For example, you collect a subcontractor’s bank details for the sole purpose of paying their invoices. Using that same data to send them marketing materials for a sister company would likely be an incompatible purpose and a breach of this principle (Information Commissioner's Office, online 2025).
Data Minimisation: You must only collect and process the personal data that is adequate, relevant, and absolutely necessary for your stated purpose (White & Case, online 2025; Information Commissioner's Office, online 2025; National Cyber Security Centre, online 2025). A site induction form needs an emergency contact name and number, but it does not need to know their marital status or number of children. Collecting more data than necessary increases your risk and is a breach of this principle (TrustArc, online 2025).
Storage Limitation: You must not keep personal data in an identifiable form for longer than is necessary (NI Business Info, 2025; White & Case, online 2025; Information Commissioner's Office, online 2025). Data from site access cards for a completed project should be securely deleted after a defined and justifiable retention period, not kept indefinitely "just in case" (Information Commissioner's Office, online 2025).
Hat #2: Responsibilities for the SYSTEMS (The 'How' - UK GDPR)
This is about how you protect the containers where the data lives. The rules for systems are primarily governed by Article 32 of the UK GDPR, 'Security of Processing'. This is about implementing "appropriate technical and organisational measures" to prevent the data from being accidentally or unlawfully destroyed, lost, altered, or accessed by unauthorised people (Information Commissioner's Office, online 2025).
Appropriate Technical and Organisational Measures: This is not a one-size-fits-all requirement; it is based on the level of risk.
Technical measures include using encryption on laptops that leave the site, implementing strong passwords and multi-factor authentication for cloud platforms like your CDE, maintaining secure and regularly tested data backups, and using firewalls to protect your network (Information Commissioner's Office, online 2025).
Organisational measures include providing regular staff training on data security and how to spot phishing emails (the critical failure at Interserve), having clear and accessible data protection policies, enforcing access controls so that only the HR team can view full employee files, and ensuring the physical security of server rooms and filing cabinets (National Cyber Security Centre, online 2025; The Law Society, 2019).
Data Protection by Design and Default (Article 25, UK GDPR): This principle is essentially the construction concept of "designing out risk" applied to data protection (Information Commissioner's Office, 2023; University of Greater Manchester, 2019; NHS Counter Fraud Authority, online 2025). It means that when you procure a new system—be it an ERP platform or a site access tool—you must consider and assess its privacy and security features from the very beginning, not as an afterthought (GDPR-info.eu, online 2025; University of Roehampton, online 2025). Systems should be configured with the most privacy-friendly settings as the default (Information Commissioner's Office, 2023).
Hat #3: The New Transparency Mandate (The 'Who' and 'Why' - PA 2023 & ECCTA)
This new legislative layer forces organisations to be more open about their commercial activities and corporate structures. While promoting accountability, it creates a direct tension with the privacy-focused principles of UK GDPR.
The Procurement Act 2023: This Act embeds transparency throughout the entire lifecycle of public contracts (Achilles, 2025). For construction firms working on public infrastructure, this means a raft of new publication requirements, including publishing notices for contract awards, modifications, and terminations (Squire Patton Boggs, online 2025; Blake Morgan, online 2025). Crucially, for any public contract valued over £5 million, the contracting authority must now publish a copy of the contract itself (Squire Patton Boggs, online 2025; BCLP Law, online 2025; DLA Piper, 2025). This creates an immediate conflict: a detailed construction contract will inevitably contain personal data, such as the names and roles of key project personnel. The Act allows for redaction based on commercial sensitivity or national security, but is silent on personal data, leaving companies to navigate the challenge of how to be transparent without breaching UK GDPR (Redactable, 2025).
The Economic Crime and Corporate Transparency Act (ECCTA): This Act aims to clean up the Companies House register and prevent the use of UK companies for illicit purposes (GOV.UK, 2024). Its primary tool is mandatory identity verification for all new and existing company directors and Persons with Significant Control (PSCs) (Mourant, 2025; Morgan Lewis, 2025). This means individuals must provide personal details and identity documents (like passports or driving licences) to be verified (Wolters Kluwer, online 2025; GBG, online 2025). While the goal is corporate transparency—knowing who truly owns and runs a company—it requires the collection and processing of more sensitive personal data than ever before, placing a greater onus on both Companies House and businesses to protect it in line with UK GDPR.
The following table summarises this new, complex landscape:
A Practical Checklist for the Site and the Office in the Age of Transparency
Translating these legal principles into action can seem daunting. The following checklist provides a simple, non-exhaustive starting point for any organisation in the supply chain to self-assess its position and identify potential blind spots.
Know Your Data: Have you conducted a data audit to understand what personal data you hold, where it is, and why you need it? (Integrity Software, online 2025; National Cyber Security Centre, online 2025; The Law Society, 2019) Crucially, have you identified what personal data might be captured in documents subject to publication under the Procurement Act 2023?
Assess Your Systems: Are your software platforms, from your accounting package to your CDE, secure and regularly updated with the latest security patches? (Burges Salmon, 2022; Information Commissioner's Office, online 2025) Who has access to what information, and is that access restricted on a strict "need-to-know" basis? (Information Commissioner's Office, online 2025)
Vet Your Supply Chain: The construction industry’s multi-layered supply chain is its greatest operational strength but also its biggest data security vulnerability. You must ask: have you vetted the security practices of your third-party software providers and, crucially, your subcontractors? (National Cyber Security Centre, online 2025; The Law Society, 2019) Are you aware of their director/PSC verification status under ECCTA?
Empower Your People: Is data protection and cyber security training a mandatory part of your induction process and annual refresher programme? (Integrity Software, online 2025; National Cyber Security Centre, online 2025) Do your staff know how to spot a phishing email and who to report it to immediately? This is arguably the single most important organisational measure you can take (Burges Salmon, 2022).
Review Your Paperwork: Do your contracts with subcontractors include robust data protection clauses? (National Cyber Security Centre, online 2025) Have you developed a Redaction Policy? You need a clear, justifiable policy for redacting personal data from contracts that must be published under the PA 2023, balancing transparency with GDPR compliance (Redactable, 2025).
Plan for the Worst: Do you have a documented Data Breach Response Plan? Knowing who is responsible for what, and what steps to take in the first 72 hours, is critical to managing an incident effectively and meeting your legal reporting obligations (Integrity Software, online 2025; The Law Society, 2019).
Corporate Housekeeping: Are all your director and PSC details up-to-date and ready for identity verification under ECCTA? Ensure your filings with Companies House are accurate to comply with their new integrity objectives (legislation.gov.uk, 2023).
Conclusion: Building a Foundation of Trust Through Compliant Transparency
Getting data protection right in the modern construction industry now requires mastering three distinct but interconnected disciplines. First, the principled management of the data itself, ensuring every piece of personal information is processed lawfully. Second, the robust security of the systems that process it, protecting those digital and physical containers from compromise. And third, navigating the new legal mandate for transparency, publishing what is required while diligently protecting what must remain private.
This new environment demands a more sophisticated approach to governance than ever before. Being transparent is no longer a choice, but it must be done in a way that is compliant with data protection law. Navigating these dual responsibilities, especially across a complex supply chain, can be a challenge. For specific, tailored advice on implementing a robust data protection framework within the construction sector, firms like Black Pear Advisory (www.blackpearadvisory.com) offer specialist guidance and compliance solutions.
Ultimately, embedding these practices should not be viewed as a burden. It is a hallmark of a modern, professional, and trustworthy business. In an industry where reputation and partnerships are everything, demonstrating that you can be both transparent and secure is a powerful way to build lasting trust with your clients, your supply chain, and your entire workforce.
References
Achilles (2025) The Procurement Act 2023: Compliance and Opportunities. Available at: https://www.achilles.com/industry-insights/the-procurement-act2023-compliance-and-opportunuties/ (Accessed: 10 September 2025).
Act Now Training (2022) £4.4 Million GDPR Fine for Construction Company. Available at: https://actnowtraining.blog/2022/10/25/4-4-million-gdpr-fine-for-construction-company/ (Accessed: 10 September 2025).
Beale & Co (2025) The Procurement Act 2023: A Guide for the Construction Industry. Available at: https://beale-law.com/wp-content/uploads/2025/02/2995-Beale-Co-Procurement-Report_v7.pdf (Accessed: 10 September 2025).
Blake Morgan (online 2025) Procurement Act: New notice requirements guidance. Available at: https://www.blakemorgan.co.uk/procurement-act-new-notice-requirements-guidance/ (Accessed: 10 September 2025).
BCLP Law (online 2025) Part 4 of the Procurement Act 2023: Implied Terms, Contract Performance and Transparency. Available at: https://www.bclplaw.com/en-US/events-insights-news/part-4-procurement-act-2023-implied-terms-contract-performance-and-transparency.html (Accessed: 10 September 2025).
Burges Salmon (2022) ICO fines Interserve Group Ltd £4.4 million for failure to protect employee personal data. Available at: https://www.burges-salmon.com/articles/102i00u/ico-fines-interserve-group-ltd-4-4-million-for-failure-to-protect-employee-perso/ (Accessed: 10 September 2025).
CLARIN ERIC (online 2025) Principles of Data Processing. Available at: https://www.clarin.eu/content/principles-data-processing (Accessed: 10 September 2025).
ClearView Communications (online 2025) Commercial CCTV Legal Requirements and Laws Explained. Available at: https://clearview-communications.com/insights/commercial-cctv-legal-requirements-explained/ (Accessed: 10 September 2025).
Companies House (2025) Changes to UK company law. Available at: https://companieshouse.blog.gov.uk/category/legislative-reform/ (Accessed: 10 September 2025).
Compare Your Business Costs (2025) How GDPR Affects UK Law For Vehicle Tracking Devices. Available at: https://compareyourbusinesscosts.co.uk/gdpr (Accessed: 10 September 2025).
Data Protection Commission (online 2025) Principles of Data Protection. Available at: http://www.dataprotection.ie/en/individuals/data-protection-basics/principles-data-protection (Accessed: 10 September 2025).
DLA Piper (2025) Transparency requirements in the Procurement Act 2023. Available at: https://www.dlapiper.com/insights/publications/2025/02/transparency-requirements-in-the-procurement-act-2023 (Accessed: 10 September 2025).
European Commission (online 2025) Data protection explained. Available at: https://commission.europa.eu/law/law-topic/data-protection/data-protection-explained_en (Accessed: 10 September 2025).
GBG (online 2025) Director ID Verification & ECCTA: Five secure steps. Available at: https://www.gbg.com/en/blog/director-id-verification-eccta-five-secure-steps/ (Accessed: 10 September 2025).
GDPR.eu (2024) What is GDPR, the EU's new data protection law?. Available at: https://gdpr.eu/what-is-gdpr/ (Accessed: 10 September 2025).
GDPR-info.eu (online 2025) Art. 4 GDPR – Definitions. Available at: https://gdpr-info.eu/art-4-gdpr/ (Accessed: 10 September 2025).
GDPR-info.eu (online 2025) Art. 9 GDPR – Processing of special categories of personal data. Available at: https://gdpr-info.eu/art-9-gdpr/ (Accessed: 10 September 2025).
GDPR-info.eu (online 2025) Privacy by Design. Available at: https://gdpr-info.eu/issues/privacy-by-design/ (Accessed: 10 September 2025).
GOV.UK (2024) Changes to UK company law. Available at: https://changestoukcompanylaw.campaign.gov.uk/ (Accessed: 10 September 2025).
GOV.UK (online 2025) CCTV installation at your commercial property. Available at: https://www.gov.uk/can-i-use-cctv-at-my-commercial-premises (Accessed: 10 September 2025).
GRS Fleet Telematics (2025) GDPR and Fleet Telematics: What Businesses Must Know. Available at: https://grs-fleet-telematics.ghost.io/gdpr-and-fleet-telematics-what-businesses-must-know/ (Accessed: 10 September 2025).
Health and Safety Executive (online 2025) Privacy notice. Available at: https://www.hse.gov.uk/help/privacy.htm (Accessed: 10 September 2025).
Information Commissioner's Office (2023) Data protection by design and default. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-by-design-and-default/ (Accessed: 10 September 2025).
Information Commissioner's Office (online 2025) Data protection and workers' health information. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/information-about-workers-health/data-protection-and-workers-health-information/ (Accessed: 10 September 2025).
Information Commissioner's Office (online 2025) DPIA tools for online retail. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/dpia-tools/online-retail/step-2-describe-the-processing/ (Accessed: 10 September 2025).
Information Commissioner's Office (online 2025) Purpose limitation, data minimisation and storage limitation. Available at: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-for-the-use-of-personal-data-in-political-campaigning-1/purpose-limitation-data-minimisation-and-storage-limitation/ (Accessed: 10 September 2025).
Information Commissioner's Office (online 2025) A guide to data security. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/ (Accessed: 10 September 2025).
Information Commissioner's Office (online 2025) Unmanned Aerial Systems (UAS) / Drones. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/cctv-and-video-surveillance/guidance-on-video-surveillance-including-cctv/additional-considerations-for-technologies-other-than-cctv/unmanned-aerial-systems-uas-drones/ (Accessed: 10 September 2025).
Information Commissioner's Office (online 2025) What is personal data?. Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/ (Accessed: 10 September 2025).
Infrastructure and Projects Authority (2023) Data and digitalisation: powering the UK's major government projects. Available at: https://ipa.blog.gov.uk/2023/12/06/data-and-digitalisation-powering-the-uks-major-government-projects/ (Accessed: 10 September 2025).
Integrity Software (online 2025) GDPR in Construction: What You Need to Know. Available at: https://www.integrity-software.net/resources-guides/gdpr-in-construction-what-you-need-to-know (Accessed: 10 September 2025).
legislation.gov.uk (2023) Economic Crime and Corporate Transparency Act 2023. Available at: https://www.legislation.gov.uk/ukpga/2023/56 (Accessed: 10 September 2025).
Masternaut (online 2025) Demystifying GDPR for fleet managers. Available at: https://www.masternaut.com/blog/demystifying-gdpr-for-fleet-managers (Accessed: 10 September 2025).
Morgan Lewis (2025) UK Economic Crime and Corporate Transparency Act: Additional Changes to Roll Out in 2025. Available at: https://www.morganlewis.com/pubs/2025/02/uk-economic-crime-and-corporate-transparency-act-additional-changes-to-roll-out-in-2025 (Accessed: 10 September 2025).
Mourant (2025) Economic Crime and Corporate Transparency Act - changes to Companies House. Available at: https://www.mourant.com/news-and-views/updates/updates-2025/economic-crime-and-corporate-transparency-act---changes-to-companies-house.aspx (Accessed: 10 September 2025).
National Cyber Security Centre (online 2025) Supply Chain Cyber Security Guidance. Available at: https://mitratech.com/resource-hub/rc-use-case/ncsc-supply-chain-cyber-security-guidance-compliance/ (Accessed: 10 September 2025).
NHS Counter Fraud Authority (online 2025) Data Protection by Design and Default Guidance. Available at: https://cfa.nhs.uk/resources/downloads/documents/corporate-publications/corporate-governance/NHSCFA%20-%20Data%20Protection%20by%20Design%20and%20Default%20Policy.pdf (Accessed: 10 September 2025).
NI Business Info (2025) What is considered personal data under the UK GDPR?. Available at: https://www.nibusinessinfo.co.uk/content/what-considered-personal-data-under-uk-gdpr (Accessed: 10 September 2025).
Pinsent Masons (2014) Filming using drones must comply with data protection laws, says ICO. Available at: https://www.pinsentmasons.com/out-law/news/filming-using-drones-must-comply-with-data-protection-laws-says-ico (Accessed: 10 September 2025).
Redactable (2025) UK Procurement Act 2023: Transparency & redaction rules. Available at: https://www.redactable.com/blog/uk-procurement-act-2023-transparency-and-redaction-rules (Accessed: 10 September 2025).
Scottish Futures Trust (online 2025) Common Data Environment (CDE) Implementation Research. Available at: https://www.scottishfuturestrust.org.uk/publications/documents/cde-implementation-research (Accessed: 10 September 2025).
Skillcast (2025) GDPR Compliance for Construction Companies. Available at: https://www.skillcast.com/blog/gdpr-compliance-construction (Accessed: 10 September 2025).
Slashdot (online 2025) Construction Data Analytics Software in United Kingdom. Available at: https://slashdot.org/software/construction-data-analytics/in-uk/ (Accessed: 10 September 2025).
Squire Patton Boggs (online 2025) New Transparency Requirements Under the Procurement Act 2023. Available at: https://www.squirepattonboggs.com/-/media/files/services/practices/antitrust--competition/uk-public-procurement/procurement-act-2023/new-transparency-requirements.pdf (Accessed: 10 September 2025).
The Access Group (online 2025) Construction Management Software. Available at: https://www.theaccessgroup.com/en-gb/construction/ (Accessed: 10 September 2025).
The Law Society (2019) GDPR for solicitors. Available at: https://www.lawsociety.org.uk/topics/gdpr/gdpr-for-solicitors (Accessed: 10 September 2025).
The Law Society (2024) GDPR. Available at: https://www.lawsociety.org.uk/topics/gdpr (Accessed: 10 September 2025).
The NBS (online 2025) Building Information Modelling: What information is in the model?. Available at: https://www.thenbs.com/knowledge/building-information-modelling-what-information-is-in-the-model (Accessed: 10 September 2025).
TrustArc (online 2025) Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws. Available at: https://trustarc.com/resource/data-minimization-gdpr-ccpa-privacy-laws/ (Accessed: 10 September 2025).
UKRI (2025) Digital Research Infrastructure Programme. Available at: https://www.ukri.org/what-we-do/creating-world-class-research-and-innovation-infrastructure/digital-research-infrastructure/ (Accessed: 10 September 2025).
University of Greater Manchester (2019) DATA PRIVACY BY DESIGN AND DEFAULT GUIDANCE. Available at: https://greatermanchester.ac.uk/assets/Uploads/Data-Privacy-by-Design-and-Default-Guidance-June-2019.pdf (Accessed: 10 September 2025).
University of Roehampton (online 2025) Data protection by design and default. Available at: https://www.roehampton.ac.uk/globalassets/documents/research/ethics/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf (Accessed: 10 September 2025).
Walker Morris (2025) Drone laws, GDPR and practical advice. Available at: https://www.walkermorris.co.uk/comment-opinion/drone-laws-and-practical-advice/ (Accessed: 10 September 2025).
White & Case (online 2025) Chapter 6: Data Protection Principles – Unlocking the EU General Data Protection Regulation. Available at: https://www.whitecase.com/insight-our-thinking/chapter-6-data-protection-principles-unlocking-eu-general-data-protection (Accessed: 10 September 2025).
Wolters Kluwer (online 2025) What is the ECCTA, and what do the ID Verification rules mean for accountants?. Available at: https://www.wolterskluwer.com/en-gb/expert-insights/what-is-the-eccta-and-what-do-the-id-verification-rules-mean-for-accountants (Accessed: 10 September 2025).
Womble Bond Dickinson (online 2025) GDPR is coming - is the construction industry ready?. Available at: https://www.womblebonddickinson.com/uk/insights/articles-and-briefings/gdpr-coming-construction-industry-ready (Accessed: 10 September 2025).



