GDPR has become a bit of a buzzword in recent months. Everyone seems to be talking about it, yet many businesses have still not engaged with it at all. If you’re in business, you have either read everything you can about it or have never heard of it. There are still businesses that have no idea what GDPR is or what impact it will have on their operations. In this blog, we want to look at how GDPR will affect the manufacturing industry and how businesses can prepare for it. Before we get started, we want to point out that we are not legal experts and nothing you read in this blog should be considered legal advice.
There is a possibility, if you are reading this blog, that while you might have heard of GDPR you still don’t know what it means. GDPR stands for the General Data Protection Regulation. It is the EU’s replacement for the Data Protection Directive of 1995, which the UK implemented as the Data Protection Act of 1998. Because it is a regulation rather than a directive, it applies directly in every member state without each country writing its own version, and that is the whole point: it harmonises data protection law across the EU. A lot has happened in the past twenty years and technology has developed enormously. The changes in the way that businesses operate and manage data have meant that reform has been needed for a long time.
How will GDPR impact your business?
The big change that everyone is talking about when it comes to GDPR is the size of the penalties for non-compliance. While fines existed before GDPR, the most serious infringements can now attract a fine of up to 4% of your annual global turnover or €20 million, whichever is greater. If you experience a personal data breach you are also expected to inform the relevant supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned, and failing to do so can attract a fine of up to 2% of your annual global turnover or €10 million, again whichever is greater. Note that these are maximums: the authority sets the fine according to the nature, gravity and duration of the infringement, so the headline figures are a ceiling rather than a tariff.
What changes will affect your manufacturing business?
While the fines and penalties for not being compliant with the new legislation are a major concern for many organisations, the actual changes that businesses need to comply with are just as important, because it is failing to meet them that brings the penalties to your door. The major changes concern how personal data can be used and managed.
For manufacturing businesses, one of the first things to consider is that it’s not just businesses in the EU that are caught. The legislation protects EU data subjects wherever the processing happens, so even a company operating in the USA needs to be GDPR compliant if it offers goods or services to people in the EU or monitors their behaviour. Any personal data you hold about an EU data subject, including contact details, account information and national insurance numbers, needs to be considered. It’s important to remember that this doesn’t just mean your customers; it includes your employees, suppliers and contractors as well. It is applicable to any personal data that you hold.
GDPR is all about how you process data, and one of the big things it introduces is the need to keep a record of that processing. You need to be able to show the lawful basis for holding each category of data (consent is only one of the bases; performance of a contract, a legal obligation and legitimate interests are others), to prove when and how consent was given where you rely on it, why the data is relevant to you, and why you are holding it for a certain period. As a manufacturing business, there are very few reasons why you would need to process someone’s middle name or date of birth. If there is a reason for you to hold that data, such as the person being your employee, then you will need to record why you hold that piece of information. If you still have a customer’s data from ten years ago and it’s been ten years since you last dealt with them, you will need a legitimate reason for still holding it; otherwise it should be deleted or anonymised.
There are six principles, set out in Article 5 of the GDPR and summarised by the Information Commissioner’s Office (ICO), on how data should be processed. The ICO states that personal data should be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Article 5(2) adds an overarching accountability principle on top of these six: the controller is responsible for compliance with them and must be able to demonstrate it, which is why the record keeping described above matters so much.
Rights of Individuals
Under GDPR, you are also bound to comply with the strengthened rights it gives individuals. Individuals have the right to be informed, the right of access, and the rights to rectification, erasure and restriction of processing of their data. They also have the right to data portability and the right to object to its use. GDPR also tackles automated decision making: individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them.
As a manufacturing business, you need to consider both your employees’ data and that of your customers and suppliers. If a customer asks you to erase information you have been holding, you will need to comply unless you have a lawful ground to keep it (for example a statutory record-keeping obligation), respond without undue delay and in any case within one month, and document that the request was fulfilled or why it was refused. You will need to think about the processes you have in place to cope with the rights that are now available to individuals, including how you verify that the person making a request is who they say they are, since handing someone’s data to an impostor is itself a breach. Once it becomes more widely known that individuals can request and change this information, you may find yourself with extra administration.
One of the most important things that your manufacturing business needs to consider when it comes to GDPR is your IT security. The legislation stipulates that you are responsible for the data you hold and therefore for ensuring that it is protected. The final principle listed above is that all data must be processed in a manner that ensures its security, and Article 32 spells out what “appropriate technical and organisational measures” means: it names pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of your systems, the ability to restore access to personal data promptly after an incident, and regular testing and evaluation of those measures. The bar is “appropriate” to the risk, not perfect: perfect security is impossible to achieve, but failing to try is unacceptable. If you cannot document that you took adequate steps to protect the data you hold and you then suffer a data breach or a cyber attack, you can expect the new penalties to apply.
GDPR is a complicated matter that all businesses are currently trying to understand. You can find more information on the ICO’s website, which has lots of resources to get you started. If you would like to know more about protecting your data then please do get in contact with ACUTEC today on 01675 469020 or email firstname.lastname@example.org.