Manufacturing, big data and smart tech operations
Laws protecting personal information apply in well over 100 countries worldwide and in all global regions but are particularly prevalent across the European Union (EU). Currently, this is governed by the EU’s personal data protection directive (95/46/EC), as implemented and supplemented in each country by local laws, such as the UK’s Data Protection Act 1998 (DPA).
Many industrial products are designed to improve efficiency, reliability, speed and ease of use, using innovation and technology to be user friendly. This includes the development and supply not just of cutting-edge products but of advanced sensor and communications technology to capture data, analyse it and provide valuable insights not only into the performance of the product but also into how it is used and where it is operated. This added-value data service can be facilitated by mobile apps made available to the customer base. For large international companies with high numbers of customers and staff, this can mean a great deal of data to deal with and a substantial data compliance challenge.
How personal is the data collected, if at all?
These smart products can collect a huge amount of detailed information for analysis and economic opportunity. The technology can also facilitate collection of data about product owners and operators, the way in which the product is used, and locations the product is used in. This makes it possible for companies to build a picture of a pattern of activities over time, allowing future activities to be predicted by sophisticated data analytics and artificial intelligence. The commercial potential of the data harvested and its monetisation are immense but this opportunity carries with it responsibilities and risks.
The data collected will be a complex mix of technical details, some of which may be confidential and/or proprietary, personal data (the use of which is increasingly highly regulated in many countries, especially across the EU and European Economic Area (EEA)), and other data. It will be vital to identify where these boundaries lie, who owns the relevant data (especially exclusively), and to understand where data can be freely exploited and where its use is subject to compliance with particular rules.
It is easy to understand why many businesses operating in this area may feel that the “personal” element required for personal data is missing from what they do in relation to their products and customers, making the DPA and similar laws largely irrelevant to them and their activities. Unfortunately, regulators, courts and individuals are increasingly indicating that the issue is not as clear cut and straightforward as many would hope. In reaction to the ever-expanding use of technology and gathering of data, individuals (and so the authorities) have become increasingly concerned about the ability of businesses to identify individuals, to single them out (as individuals, or as a known unit such as a vehicle), and to understand what they have done, where they go and more.
So why does it matter?
Data which is “personal data” cannot be “owned” by businesses, since the rights to those details belong to the individual who is the subject of that data. This extends beyond individual end users of products (e.g. drivers of vehicles) to non-corporate customers and suppliers with whom you work, such as partners and sole traders, and even to the individual business contacts at your corporate customers and suppliers.
Use (or “processing”) of such personal data is restricted and requires compliance with data protection legislation. Not all business uses will provide the essential lawful basis required for such use. Processing these personal details, including sharing them intra-group and sending them to, or allowing remote access to them from, outside the EEA, must also comply with other data protection principles, restrictions and conditions. The same rules that apply to social media platforms and household-name retailers targeting consumers apply to manufacturers.
The EEA authorities are keen to balance the opportunities and benefits which new technology brings with appropriate controls on potential abuses and unwarranted privacy intrusion. This has been evidenced in the direction of travel of guidance and decisions from data regulators, which have been expanding the data they feel should be viewed as “personal” and so which players are caught by the relevant legislation. As a result, a great deal of product related data will now be viewed as personal.
This need by regulators and courts to keep pace with technological advances and the resultant privacy concerns has culminated in replacement data protection laws set to take effect across the EEA in May 2018. This General Data Protection Regulation, referred to as GDPR, will become directly effective across the entire region without the need for local implementation. This applies to the UK, notwithstanding Brexit, as a minimum whilst it remains an EU member state and probably also following any EU departure.
Among other things, GDPR will:
• apply to businesses outside EEA territory, imposing direct compliance obligations on them where their activities target sales at, or monitor the behaviour of individuals in the EEA;
• increase transparency requirements and the accountability of businesses, to individuals affected and to regulators;
• compel businesses to embed privacy by design and default into everything they do, making privacy compliance the first thought, rather than an afterthought;
• move control from businesses to individuals, granting them powerful new individual rights, such as data portability and rights to object; and
• require businesses to self-regulate, keeping detailed records of their data use and how that is GDPR compliant.
Data regulators believe that businesses will take note and meet these new requirements, having adopted an approach similar to that which applies to EU anti-trust compliance: regulatory fines of up to 4% of annual worldwide turnover are possible, and may be calculated at group level rather than on the turnover of the individual company in breach.
Your products are also smart devices, and even where the data being collected by them is not “personal”, it may still be caught by the EU’s e-communications and privacy directive (2002/58/EC). This deals with communications content and surrounding metadata, such as location data, as well as technologies used to track device use. Here, too, the EU Commission is proposing further change for user protection, with a proposed EU-wide replacement e-privacy regulation, aligning the rules with GDPR, also planned for May 2018. The new rules will “guarantee the confidentiality and integrity of user’s devices … as smart devices should only be accessed if the user has given their permission.”
Traditionally, diversified industrial products have not been designed to be compliant with data protection laws but this must now change, as EU regulators have the powers to stop businesses collecting data, to prevent them using non-compliant databases, to halt trans-Atlantic and other data flows to outside the EEA, and to prevent unlawful marketing and communications, all or any of which could have serious implications for M&A activities, stock exchange valuation, investment decisions, revenue streams and business operations.
You will need to reassess your data safeguarding, privacy and security compliance against this new landscape to satisfy yourself that you are properly recognising and dealing with personal data, and with non-personal data subject to privacy requirements. Product, system and app development may need to be overhauled to embed privacy by design and default, and customer and user interactions may need a refresh to meet new information provision obligations and to obtain essential consents which can be relied upon.
Data protection and privacy compliance is complex and challenging and set to become more so. If you publicly purport to be compliant with applicable data privacy and security laws, you will be judged to a higher standard in the event of any incident or complaint in this area. It is therefore important to ensure privacy documentation, systems and processes behind the scenes match any public commitment in order to minimise potential risk to the business, your reputation and finances.
We are working with many clients on these challenges currently, helping them to develop their GDPR governance and compliance programmes, with data audits and mapping, as well as implementation.