The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) will significantly change the data protection landscape. Whilst the business of a manufacturer may not revolve around personal data, that is not necessary for the GDPR to apply. Manufacturers process personal data in the ordinary course of their business, so it is imperative that they ensure compliance with the GDPR by 25 May 2018 in order to avoid the tough penalties for non-compliance.
The GDPR is a new regulation intended to strengthen and unify data protection law within the European Union (EU). The new regime was conceived with today's technology in mind and is more stringent and far-reaching than its predecessor, the outdated Data Protection Directive (95/46/EC). Following the UK's decision to leave the EU, the UK government confirmed that the UK will implement the GDPR, on the basis that the UK will still be a member of the EU when the Regulation takes effect.
The GDPR will apply to any organisation that holds or processes the personal data of individuals in the EU, regardless of where the organisation itself is located. "Personal data" is any information relating to a living individual who can be identified from it, whether directly or indirectly, such as a name, contact details, bank account information or a National Insurance number. Manufacturers are likely to hold a large amount of personal data concerning customers, suppliers, sub-contractors and employees.
The conditions for obtaining valid consent are stricter under the GDPR: consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Manufacturers relying on consent to process data (for example, to hold employee contact details on file) will therefore need to reconsider the way in which such consent is obtained. A request for consent must be clearly distinguishable from other matters and must use clear, plain language in an easily accessible form.
Unlike its predecessor, which largely focused on the obligations of data controllers, the GDPR imposes a number of direct compliance obligations on data processors as well. A manufacturer that processes personal data on behalf of its customers in the course of supplying goods or services to them will therefore be subject to these obligations, such as maintaining records of its processing activities and implementing appropriate security measures. The record-keeping obligation exempts organisations with fewer than 250 employees, but only where their processing is occasional, is unlikely to result in a risk to individuals and does not involve special categories of data, so most manufacturers should expect it to apply.
Under the GDPR, individuals have stronger rights that they can enforce against organisations. The key new rights are the right to erasure (the "right to be forgotten"), the right to object to the processing of personal data, and the right to obtain a copy of their personal data from the data controller and have it transferred to another controller (the right to data portability). Dealing with the administrative aspects of these rights will require time and resources, particularly if a manufacturer has a large workforce and customer base.
As with all organisations that control or process personal data, manufacturers have until 25 May 2018 to put the necessary procedures and measures in place to ensure compliance with the GDPR. These measures include Data Protection Impact Assessments (commonly referred to in the UK as Privacy Impact Assessments), policy reviews, audits and, in some cases, the appointment of a Data Protection Officer. A process should also be in place to evaluate the effectiveness of such measures on an ongoing basis.
The maximum fine for infringement of data protection law rises from £500,000 under the Data Protection Act 1998 to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. The severity of these penalties confirms that non-compliance with data protection law is not a low-risk issue for manufacturers.