Out-Law Analysis | 12 Oct 2017 | 10:42 am | 5 min. read
Companies in areas where data has long played a central role in business operations, such as technology or financial services, have developed a culture of handling data properly. Many of the organisations in those sectors have also been leaders of best practice on cybersecurity in recognition of the value of the information they hold. For infrastructure companies more used to handling materials than personal information, these are new challenges.
This is part of a series exploring the opportunities and challenges of infratech, the integration of technology into infrastructure. You can read more in our special report or request an exclusive Pinsent Masons research report.
They must get to grips with it, though, if they are going to take advantage of the convergence of physical infrastructure and digital technologies. This convergence is leading to the generation of vast quantities of data from and about infrastructure assets, and helping to inform how they can be used and maintained.
For example, motorways are increasingly being fitted with smart technology to help manage traffic flows. Airports are using connected sensors to understand footfall and optimise the way people move around. Sensors in train tunnels can also help inform rail operators of when maintenance works are needed.
The 'infratech' era is spurring a growth in collaboration between infrastructure owners, operators and technology companies. One area in which there is often uncertainty, however, is in who owns the data captured by the infratech assets they work together on.
A new report by Pinsent Masons, the law firm behind Out-Law.com, highlighted a mix of views within the infrastructure and technology industries about who typically owns data in infratech projects and who should own that data. The survey found that 91% of respondents wish for an 'open access' approach to data among collaboration partners, but that in reality just 62% of projects operate such a model.
In other projects, it said, the data generated is typically owned by one of a range of parties: the owners of the infrastructure, infrastructure companies such as engineering or construction firms, operations and maintenance providers, technology companies, procurers or regulators.
This complex picture was reflected in other results from the survey which showed that 38% of respondents from technology companies and 34% of respondents from infrastructure businesses identified agreeing data requirements or standards in infratech projects as a challenge.
What is clear, however, is that infrastructure companies must get a handle on capturing and analysing data to stay relevant in the developing market, and that they must do so in a way that meets the requirements of data protection law. This is because much of the data captured through infratech could be classed as personal data.
The Pinsent Masons report highlighted that a clear majority of executives in the infrastructure and technology sectors believe that data protection laws lag behind developments in infratech. In Europe, current data protection laws have been in place since 1995. However, from 25 May 2018 new, more stringent, requirements will begin to apply.
The General Data Protection Regulation (GDPR) sets out conditions for processing personal data, and provides for a number of rights for data subjects, including in relation to the accessing, rectification and erasure of personal data held about them. It will further introduce a raft of new obligations for businesses, including around the notification of data breaches, documentation of processing, and the conducting of data protection impact assessments. It also sets out rules on data security and restrictions around the transfer of personal data overseas, among other things.
Underpinning the new Regulation is a stiffening of the potential sanctions businesses could face for non-compliance. In the most serious cases, businesses could face fines of up to 4% of their annual global turnover or €20 million, whichever is higher. In contrast, businesses in the UK can currently be fined up to £500,000 by the Information Commissioner's Office (ICO) for a serious breach of the Data Protection Act.
There is a lot of work that organisations in all sectors must do to prepare themselves for the new Regulation.
Many infrastructure companies may find that the effort needed to move towards GDPR compliance resembles the shift in culture, policies and practices they have already been obliged to deliver to meet the ever-expanding requirements of health and safety regulation.
Many of the compliance principles of the two distinct regimes are similar: increased documentation; emphasis on staff training; security on-site; transparency over breaches.
There may be opportunities to make money from selling on data generated by infratech assets, as the information may be of value to a range of third parties, such as retailers or other advertisers. This potential was identified by 22% of respondents to the Pinsent Masons survey.
Data protection law does not act as a barrier to infrastructure companies that wish to exploit such opportunities, but they will need to consider how they can obtain consent from individuals to collect, use and share their personal data. It will be equally important that they develop protocols for keeping such data secure, particularly in light of cyber risks.
In some cases, infrastructure companies' cybersecurity obligations will extend beyond the realms of keeping personal data secure and fall within the scope of the EU's new Network and Information Security (NIS) Directive. National laws implementing the Directive must be in place by 9 May 2018.
The NIS Directive sets out measures designed to ensure that critical IT systems in central sectors of the economy, such as banking, energy, health and transport, are secure. It will apply to organisations that are designated as operators of such 'essential services', which could include infrastructure companies, and to others that qualify as 'digital service providers'.
Operators will be required to develop a risk management strategy and policy, to raise staff awareness and training, to report incidents as soon as they happen and to have systems in place to ensure that they can restore systems and respond quickly after an incident. They will be required to implement security measures to prevent attacks or system failures, including measures to detect attacks and to develop security monitoring procedures.
UK proposals for implementation of the NIS Directive include GDPR-style penalties for non-compliance.
It is encouraging that many infrastructure companies have already begun to prepare for the GDPR era. It is also important that they remain cognisant of how the NIS Directive is being implemented, not just in the UK but in other EU countries where they operate.
One of the major challenges they face is in acquiring people with the right skills to help them manage the risks of holding and using data and keeping systems secure.
According to the Pinsent Masons report, 62% of executives in the infrastructure and technology sectors said their business had struggled to recruit data science expertise. A further 57% said they had struggled to find people with security expertise.
Compliance with the GDPR and the NIS Directive may involve a significant amount of work for a sector not used to operating with data and cyber issues at its core. However, infrastructure operators that can meet the challenges will not only find themselves at reduced risk of potentially damaging fines and reputational damage, but will also have the kind of data and systems handling operations that open their business up to the opportunities infratech presents.
Anne-Marie Friel is an expert in infrastructure project contracts at Pinsent Masons, the law firm behind Out-Law.com.