According to one YouGov survey, up to 72% of Brits have never heard of the General Data Protection Regulation (GDPR). More importantly for the manufacturing sector, according to another YouGov survey, up to 70% of manufacturers have not begun preparing for the GDPR.
What is the GDPR?
For those who are unaware, the GDPR will take effect from 25 May 2018. It will bring in a new regime for the protection of personal data. It will replace the old regime governed by the Data Protection Act 1998 (DPA).
While many of the main concepts and principles of the GDPR are the same as those of the DPA, there are some new elements which it is important to understand.
Why is it important to know about the GDPR?
The sanctions for an organisation which breaches its duties under the GDPR are much sterner than those under the DPA. A breach of the GDPR can result in a fine of up to €20 million or 4% of global turnover, whichever is larger. So, the importance of understanding the principles of the GDPR, and complying with its duties, is pretty obvious.
The need for all businesses to prepare
The GDPR will affect virtually every business. It requires businesses to know everything about the data they have on their customers, their employees and their trading partners (where those trading partners are sole traders or partnerships). So, all businesses need to know exactly what data they have and where it is. Furthermore, they must ensure that they only have personal data for legitimate reasons and that clear consent has been obtained to record the data and use it in the particular way it is being used.
The need for manufacturers to take a ‘hands on’ approach
The GDPR brings in new, tighter rules in respect of data processing. Given that so many manufacturers outsource some data processing, manufacturers should be particularly aware of these rules.
Under the DPA, manufacturers (in their role as data controllers) were able to rely on clauses in their outsourcing contracts with data processors (such as sales and marketing, HR, payroll and pensions) as evidence that they were protecting the personal data of customers and staff. Under the GDPR, manufacturers (in their role as data controllers) will no longer be relieved of their obligation by contractual clauses. Now, in addition to having tightly-worded contractual clauses in their outsourcing contracts, manufacturers will need to take a more hands-on approach in the way they deal with data processors. This will include carrying out audits of the data processors and implementing data protection policies and procedures to ensure compliance with the duties under the GDPR.
How to find out more
The Information Commissioner's Office (ICO) has published a wealth of user-friendly guidance to help organisations prepare for the new data-protection regime brought in by the GDPR. This guidance includes a 12-step checklist which organisations can use to check their progress in preparing for the GDPR.