The General Data Protection Regulation (GDPR), which comes into force on May 25, will have far-reaching consequences for companies of all sizes. Compliance e-learning experts Skillcast.com explain how businesses in the baking industry need to adapt the way they operate and manage risk to ensure they abide by the new law.
By Vivek Dodd, director, Skillcast
GDPR is the biggest change to global privacy law in over two decades. During this time, the Internet has upended all assumptions about the collection, storage and use of personal data. Large companies can piece together bits of information from various clicks, flicks and downloads that we make as we look for information and conduct business. Much of this is done legitimately. Indeed, we’re all a lot more willing to share our personal information, willing to move it between companies and even willing to share our whereabouts on location services.
However, all this data has also increased the scope for cybercrimes of all kinds – from identity theft to account takeover. People are also concerned about the accuracy of the personal data held on them, and the ability to access and update that data, and ensure that it’s not used for purposes that they don’t approve of. They also want to be able to ask for it to be deleted unless there are legitimate grounds for retaining it.
A Form of Insurance
GDPR is meant to address these concerns and provide a higher degree of protection to consumers. Many companies in the baking industry, especially the smaller ones, will see compliance with it as a bit of a headache, but, in fact, regulation is also a form of insurance for them. It provides guidelines and standards for businesses to face a world full of threats, and certainty about the measures they need to implement to avoid legal action. Thinking about the changes in this way will help companies to tighten up their policies and procedures, and push through the culture change necessary to protect themselves, and their employees and customers.
In many ways the baking industry faces more difficulties than other sectors in coming to terms with GDPR. Staff turnover in the food industry is high. As employees come and go, those running businesses remain responsible for ensuring that all data is collected, stored and processed appropriately.
From May 25, companies in breach of the regulation will face hefty fines, which for certain infringements could be up to EUR20m or 4% of total global revenue, whichever is greater. And there is nowhere for smaller suppliers to hide, as commercial contracts are being updated to make suppliers liable for the losses and GDPR penalties arising from their data protection negligence or misconduct. Companies will have to consider insolvency and closure of business as a real risk of non-compliance.
While many companies have already adopted privacy processes and procedures that are consistent with the directive, GDPR contains new protections for EU data subjects, and threatens huge fines and penalties for non-compliant data controllers and processors once it comes into force.
In this changed climate on matters such as data subject consent, data anonymization, breach notification, trans-border data transfers and the appointment of data protection officers, GDPR requires companies that handle EU citizens’ data to greatly reform their processes.
Personal Data Will Be Safe
To put the issue into perspective, the UK Government and the Information Commissioner’s Office (ICO) have declared that no new legislation will be introduced to cover the growing threat of cybercrime, as it is a business owner’s responsibility to address this. What will be enforced through legislation, however, is data protection. If data is protected, then personal data will at least be safe from cyber-attacks.
This legislation has been introduced because the threat of attacks on sensitive data remains strong. We live in a world where the threats are growing and the scale of the attacks is getting larger. The reasons for this include more sophisticated criminals and poorly protected data, which is still often held in antiquated systems without adequate security. That means the baking industry will have to have its house in order.
For bakers, many of which have spent generations building up a great business, the damage caused by being hauled over the coals for being sloppy with data cannot be underplayed. The media will seize the opportunity to hold responsible those who have not dealt with this sensitive area as they should. For those not meeting the requirements, the long-term cost of rebuilding their reputation could well be significant.
The crux of the matter is that GDPR will be strictly enforced whether you’re a butcher, a baker or a candlestick maker, in order to protect data diligently. It will strengthen the rights that individuals have to control their own data. In particular, it will protect the right to data portability, so an individual will have the right to transport his/her personal data from one organization to the next.
In short, companies in the baking industry have to get ready. By that we mean that all organizations that process personal data will need to make sure that this data is stringently safeguarded against loss, theft, unauthorized access and so on.
The importance of the security of personal data is such that GDPR includes a personal data breach notification rule, which states that security issues should be reported within 72 hours. If these issues are likely to result in a high privacy risk for individuals, these individuals must be informed.
As part of the changes, data protection by design and by default are both included in the GDPR rules. This means, firstly, that it will be mandatory to make sure that data protection considerations are taken into account when designing a new system, process, service etc. Organizations will also need to be able to prove that they have done so. Secondly, the new system, process, service, etc. must include choices for the individual on how much personal data they wish to share.
Getting ready for these changes is very much in the minds of many businesses, and the first piece of advice we would give is to ensure that you understand all the rules. Even businesses that don’t see themselves as dealing in personal data, such as those in bakery, can be surprised at how much personal data they do hold and how much of the new regulations apply to them.
A Complex Topic
The law is a complex subject, so we would advise that companies that are not yet fully aware of the changes ensure that their senior managers and all those affected take advice on what’s coming and what they need to do to comply.
The bigger the organization, the more people will need to be involved, not least those in HR and IT. Many of our clients have these departments working in tandem, while also giving a sound briefing of what is to come as a result of GDPR to many others in their organizations.
Ultimately, compliance with GDPR is about systems and people. Data security has long been regarded as too complex and expensive for many small and medium-sized businesses, and GDPR will be a wake-up call for them. These businesses need to be aware of the sensitivity of the personal data they store and the risks associated with it. They may need new systems, hardware and software, and analysis of their entire information security cycle from collection, retention, storage and retrieval to destruction.
However, the way to achieve better data security is not always expensive new systems, but often just good procedures and safeguards and, crucially, better staff awareness of data protection and training on the procedures in place. And this need not be expensive, given the variety of e-learning courses, assessments and games available to engage and educate staff.
GDPR is not a problem that will go away, and all companies in the baking industry, regardless of their views, must take steps to comply with it. Good planning and timely action will unquestionably help to make the journey a lot easier and might even prove critical for their survival.