The biggest change to data protection laws in recent memory, the EU’s General Data Protection Regulation (GDPR) is a framework that will apply to almost every industry in the UK, Europe and across the world. So, what do these new data protection laws mean for the manufacturing industry?
It has been well documented that big data is revolutionising the way manufacturing companies get work done. Customer Relationship Management (CRM), Business Intelligence (BI) and Supply Chain Management (SCM) tools are creating more valuable insights, and the latest research from the European Political Strategy Centre suggests that even a limited use of big data analytics by EU manufacturers could boost EU economic growth by an additional 1.9% by 2020. Considering that data has done nothing but propel manufacturing organisations forward recently, why should the GDPR pose any threat?
The fact of the matter is that the focus of the GDPR concerns personal data rather than Big Data, and how companies process it. In this post, we’ll explore some of the intricacies of the new EU data protection laws and what that means for businesses’ personal data management in the manufacturing industry.
More data, more problems
Data has indeed been kind to the manufacturing industry in recent years. Back in 2014, McKinsey, the management consultants, published analysis on how Big Data is improving manufacturing for pharmaceuticals, chemicals and mining organisations in particular. Managers in these sectors have used advanced analytics to dig into their process data and identify patterns and relationships in order to reduce costs. While the normal business of a manufacturer may not revolve around personal data, the result is that manufacturing organisations hold an abundance of operational and shop floor data that is tracked by advanced analytics. And many of these organisations don’t realise that this data can be subject to the GDPR data protection laws when they come into effect on 25th May 2018.
Any organisation processing the data of EU individuals will be subject to the GDPR. Here, “processing” covers the obtaining, disclosing, recording, holding, using, deleting or destroying of personal information: essentially, whatever you do with personal information held inside your company.
This makes the territorial reach of the GDPR considerably broader than the UK’s current Data Protection Act. Organisations are subject to the GDPR if they hold data about individuals who reside in the European Union, or if they handle data through the offering of goods or services to a resident of the EU. Even monitoring the behaviour of an EU individual—through implementing website cookies on your site, for example—can make you liable under these data protection laws, meaning you need their consent to collect and use information about them.
If you are a manufacturing company that processes personal data in the ordinary course of business and works across Europe and globally, you will need to ensure compliance by May 2018 to avoid the strict and severe fines for non-compliance (which can total €20m or 4% of your annual global turnover). Not sure you hold any personally identifiable information about EU citizens? You almost certainly do if you:
- Ship to individuals
- Employ EU citizens (this will include EU immigrants in UK factories post-Brexit)
- Are involved in any kind of web-based marketing
So while the increased use of data in the manufacturing industry has brought nothing but benefits over the past few years, organisations must now take stock of the data they hold and work out the steps needed to ensure it is secured.
How will the GDPR apply to manufacturing companies?
So how will the incoming EU data protection laws apply to organisations in the manufacturing industry? Let’s take a look:
- Processing Data
Because of the wider reach in terms of processing data, organisations can be subject to the GDPR regardless of their base of operations. For global manufacturing businesses, this means any personal data—from contact details to bank account information or national insurance numbers—of customers, suppliers, sub-contractors and employees must all be secured.
- Obtaining consent
Under the EU’s new data protection laws, any procurement of personal information must be clearly defined, meaning a pre-checked box on a website form will no longer suffice. Any manufacturers that rely on consent to process data, even something as simple as holding employee contact details on a file of record, will need to consider how consent is obtained, and also give the individual the option to decline in an obvious way.
- The Right to be Forgotten
The “Right to erasure” is one of the latest rights an individual will be able to exercise against organisations under the GDPR. Any individual can request the deletion or removal of their personal data, as well as request to see any and all data a company holds about them. Organisations with a large workforce or customer base will therefore have to budget for the time and resources it will take to locate and provide this information upon request.
What can you do to prepare?
Privacy Impact Assessments (PIAs) and content audits should be the first measures you take towards becoming GDPR-compliant. But manufacturing organisations come in many different shapes and sizes, so how do you know where to begin? Do you know how much effort it will take, and how long, to ensure your organisation is fully compliant with the new data protection laws?
At bluesource, we know that with less than a year to go before the GDPR comes into effect, the time for organisations to act is fast running out. We employ a range of compliance assessments specific to the GDPR so your company can identify its current security position and begin taking the first steps towards ensuring GDPR compliance now and well into the future.