Philip Allott, Managing Director at Allott and Associates Ltd, explores why food and drink businesses need to pay as much attention to data protection as food safety.
Performing efficiently in an industry already full to the brim with compliance certifications ranging through BRC accreditation, hygiene standards, HR requirements and other regulations is difficult enough, you may think, without the introduction of the Europe-wide General Data Protection Regulation last May. But how many firms can honestly say they have fully got their data compliance under control and are confident that in practice everything is ‘ticking the right boxes’?
Most food businesses have comprehensive and prescriptive rules relating to food safety. They are confident in what they need to do and have built up trust with their customers. They often manage to gain a competitive advantage through nurturing positive relationships despite it not being a simple task in a crowded marketplace. But have they taken positive steps to care for their personal data in such a diligent fashion?
Worryingly, many UK firms confess to not yet being fully GDPR compliant despite the fact that a personal data breach, as well as attracting negative attention and a big fine, could well destroy the trust a business has carefully built up with its customers, suppliers and employees. In essence, a data breach could hit any food business with a potentially catastrophic impact not dissimilar to a product recall.
In a survey by the International Association of Privacy Professionals (IAPP), less than half of respondents said they are fully compliant with GDPR. A surprising one in five participants said in the survey that they believe full compliance with GDPR is impossible[1].
To start the compliance journey, it is essential to have a clear understanding that GDPR is data protection relating to personal data in the digital age.
So, what is ‘personal data’?
Personal data includes any information relating to an identifiable natural person (data subject) including names, addresses, phone numbers, email addresses, passport numbers, payroll detail or other factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Brexit curve ball
With the UK facing some challenging decisions over the weeks and months ahead, it is important to recognise that the Government has said it is committed to continuing with GDPR post-Brexit, albeit possibly under a different name. It is interesting to consider the importance the Government places on data protection when it has also stated it will not be signing up to Euratom and Europol[2].
There is some way to go before UK food businesses get a clear view of what exactly Brexit is likely to mean, but what we do know is that GDPR is here to stay. Any company with a head office based in an EU member state other than the UK needs to plan ahead.
The European Commission has said that in the event of a ‘Hard Brexit’ sensitive personal data such as HR records can only be exchanged with EU members by signing standard contract clauses. In the event of a withdrawal agreement being reached, the UK will have a further two years to resolve data protection matters.
Getting your GDPR ducks all in a row
GDPR requires all organisations to review how they collect, hold and process personal information and how they communicate with individuals. Internal processes need scrutinising, and new measures will then probably have to be implemented so that firms can demonstrate they are compliant with the law. This places a greater burden on those controlling, processing and managing personal data to make sure their systems are updated to the latest compliance standards.
Some of the key changes include:
- Consent – a requirement for ‘clear affirmative action’; pre-ticked boxes and bundled consents are no longer lawful
- Transparency – organisations need to provide individuals with clearer information as to how their data will be processed, stored and shared
- Lawful processing – stricter rules on processing data for new purposes
- Data subject’s rights – the individual has greater rights over their data, e.g. rights of erasure, protection against profiling and a right to data portability
- Privacy by design and default – good practice recommendations, such as making sure your privacy policy is clear and accessible, must be embedded into day-to-day operations
- Accountability – accurate data records must be maintained and firms must demonstrate compliance to regulators on an ongoing basis
- Breach notifications – all data privacy breaches must now be reported within 72 hours to the Information Commissioner’s Office (ICO) and the affected individuals
- Fines – the ICO has the power to issue fines of up to £20m or 4% of worldwide turnover
Data subject’s rights
It is important to know that under GDPR data subjects have new rights which should be integrated into data processing procedures to ensure those processing personal data act fairly and lawfully at all times. For the purposes of apportioning responsibility, those managing data are called controllers and those handling data on behalf of the controller are called processors. Under GDPR they are jointly and severally liable and have enhanced GDPR responsibilities not only to protect data but, in the event of a leak, to communicate it within 72 hours to the ICO as well as to the individuals affected.
GDPR principles
GDPR is wrapped around a number of key data processing principles whereby all personal data must be processed lawfully, fairly and in a transparent manner. It should be collected for specified, explicit and legitimate purposes. It must be adequate, relevant and limited to what is necessary.
In the food industry, data is as vital as the products being produced and typically the industry holds large amounts of personal information on its workforce and customers. Whether communicating with individuals through email marketing lists, or dealing with employees (including foreign workers), much of the data obtained will fall into the category of personal data and must be processed according to GDPR.
Organisations in the food industry will hold HR records, and many also undertake marketing activities where data is shared constantly. It is vital that a privacy notice (sometimes called a privacy policy or statement) is provided, outlining how the data they obtain is going to be used. There should also be a way for the data subject to positively opt in to receive information – no longer can businesses rely on pre-ticked boxes. Campaigns which collect email addresses or IP addresses from websites must also adhere to strict rules, and tracking people via cookies must be explained in the policy.
It is also useful to be aware that where firms want to share data outside the EEA, e.g. with an American head office, the data must be treated and managed in an appropriate way. Any American company receiving personal data must have signed up to the EU-US Privacy Shield or a standard contract clause. GDPR restricts the transfer of personal data to countries outside the EEA, or to international organisations. These restrictions apply to all transfers, no matter the size of the transfer or how often you carry them out.
Compliance ‘in the bag’?
Whether your food business thinks it has GDPR compliance ‘all wrapped-up’ (much like its products) or the merest hint of the acronym sets the business owners and data controllers into a spin, we can give you a few pointers to help you ascertain where you are on your compliance journey.
Tips for an action plan include:
- Identify if you are a data controller or processor and the team which will be in charge of compliance
- Produce a data map – what personal information you hold, where, why, how and with whom you process or share it
- Review the legal basis for your data processing activities
- Check that your data collection methods and privacy notices meet the new requirements
- Audit your systems to ensure they can cope with the new data subject’s rights in relation to erasure, portability and access requests
- Review your third-party suppliers and CRM system
- Make sure your staff have been fully trained in GDPR compliance
Given that not being GDPR compliant is not an option, it would be wise to audit this aspect of your business as rigorously as you would carry out health and safety and food hygiene checks. The consequences of non-compliance in the event of a reported data breach could be crippling for your business.
A last thought
Did you know that…
- your chances of being struck by lightning are 1/960,000?
- your chances of marrying a millionaire are 1/220?
- and your chances of experiencing a data breach are 1/4?
Philip Allott is Managing Director of Allott and Associates Ltd, a GDPR practitioner, law graduate and data protection officer for a number of companies.
Tel: +44 (0) 1423 867264
Email: philip@allottandassociates.co.uk
Notes
- [1] IAPP-EY Annual Governance Report 2018
- [2] Euratom – The European Atomic Energy Community (EAEC or Euratom) is an international organisation established by the Euratom Treaty on 25 March 1957 with the original purpose of creating a specialist market for nuclear power in Europe, by developing nuclear energy and distributing it to its member states while selling the surplus to non-member states.
- Europol – The European Union Agency for Law Enforcement Cooperation, better known under the name Europol, formerly the European Police Office and Europol Drugs Unit, is the law enforcement agency of the European Union (EU) formed in 1998 to handle criminal intelligence and combat serious international organised crime and terrorism through cooperation between competent authorities of EU member states.