25 May 2018 is a date every EU-based company looks to with a sense of uncertainty, the date when the General Data Protection Regulation (GDPR) becomes effective in practice. These are the tightest regulations in terms of personal data protection and come with crippling penalties for non-compliance: EUR 20 million or 4% of the company’s global annual turnover, whichever is higher.
How Does GDPR Affect Your Supply Chain and Logistics?
GDPR creates a new concept: whoever collects personal data is automatically treated as liable for the adequate storing and processing of that data. Also, the concept of personal data has been clearly defined, and it has the broadest possible extent. Every company which collects personal data is obliged, among other things, to make sure that:
- It obtains traceable, documented consent from each person whose data it collects;
- For each new type of data processing, the person is asked for consent;
- It gives the persons a simple and intuitive procedure for withdrawing consent.
This is just the tip of the iceberg, and this article in no way presumes to represent legal advice for your company. However, based on the experience of the Logistic Packaging team in preparing our own business processes for GDPR compliance, we want to share with you some of the key steps we took in this respect.
1. Know What Kind and How Much Personal Data You Collect
You may not be aware of how much personal data your company collects, but you must find out. Inviting website visitors to subscribe to your newsletter represents data collection. Keeping a database of contact persons for your suppliers, distributors and clients represents data collection.
2. Involve All the Departments in Building a GDPR Compliant Supply Chain
GDPR is not only a matter for your IT department. You do not become GDPR compliant by installing updates to your software or an antivirus solution. Your accounting and sales departments work with personal data. The warehouse managers work with personal data. The legal and logistics teams also have access to personal data. The right way to implement GDPR compliance is by creating a multi-disciplinary team with members from all the departments in your company.
3. Analyze Compliance on a Contract-by-Contract Basis
You cannot afford to overlook a single addendum or additional act where the full consent of the person was not obtained, or where security was not provided for the storage and processing of data. It seems easier to go on a client-by-client basis, but it is simply not worth the risk.
4. Update Your Supply Chain and Logistics Procedures
Every aspect of your activity which involves the collection and use of personal data must be reviewed, and the documents updated to include information on data protection. These documents are more important than ever, because they are your traceable proof of having obtained consent for data collection and processing.
5. Educate Your Employees
Everyone in your company is responsible for keeping your supply chain GDPR compliant. For instance, do your warehouse employees use their personal smartphones to receive picking orders which contain personal data (the delivery address and the name of the person who formally receives the order)?
The BYOD (bring your own device) policy is spreading among companies because it saves the cost of purchasing mobile phones or laptops for employees. But this policy also exposes your company to risks. Personal devices can be infected with malware. Your employees may mix personal and business emails and send sensitive data to unauthorized persons.
6. Continually Monitor GDPR Compliance
Being GDPR compliant is not something you do once and are set for years to come. It is a daily activity for your official representatives, whether that is the Data Protection Officer or another employee in charge of this task. You must always be aware of how personal data is collected, processed, and stored in your company and make sure that every safeguard is in use to prevent data loss or theft.
7. Create Response Procedures for Breaches
Last, but not least, in order to be GDPR compliant, a company must be ready to respond to any threatened or actual breach. The rules state that in case of a breach, companies are obliged to notify the authorities within 72 hours and, in case the breach may affect the rights and freedoms of the person whose data was compromised, that person must be notified as soon as possible, without undue delay.
The Logistic Packaging team is aware of our own responsibilities towards our clients and suppliers and is already involved in the process of becoming fully GDPR compliant by 25 May 2018.