What is GDPR?
On 25 May 2018, the General Data Protection Regulation (the GDPR) will come into force. The GDPR imposes much more prescriptive obligations on organisations in terms of how personal information is used. While May 2018 might seem like a long way off, the nature of the obligations under the GDPR means that organisations in the process industry should be considering now the steps they need to take to comply, particularly in light of the significant new penalty regime.
What does this mean for the process industry?
The GDPR will apply to all personal information and will affect any organisation that has employees or deals with individuals at customers or suppliers.
Organisations in the process industry are unlikely to use significant quantities of personal information beyond that of their employees and individual contacts at other organisations (e.g. contact details of customers and suppliers). The way personal information is used in the process industry is unlikely to be intrusive. So, although the process industry will need to address the GDPR's requirements, the risks associated with the use of personal information are likely to be lower than in other sectors (such as the financial services sector, where organisations employ data analytics to maximise opportunities).
Key issues for the process industry
- Employee data: You will need to ensure your use of employee data complies with GDPR (e.g. do you have a privacy notice telling employees how their data is used?).
- Contracts: GDPR requires certain provisions to be included in all contracts where one party processes personal information for another (e.g. a cloud based storage provider). Existing contracts should be amended and new contracts entered into should be drafted to comply.
- Cross-border transfers: If you are part of an international group, you will probably transfer personal information outside the EEA (e.g. the sharing of employee data for management purposes). The GDPR requires that certain protections are put in place for such transfers.
- Record keeping: The GDPR requires organisations to "demonstrate" they comply. You will need to update your policies/procedures and keep records of your processing activity.
Does it matter?
The potential fines for non-compliance will increase massively from the current maximum of £500,000 to an eye-watering maximum of €20 million or 4% of global turnover (whichever is higher), depending on the breach. Data breaches tend to be widely reported, and any negative publicity associated with GDPR non-compliance could cause reputational damage.
It can take time to implement a GDPR compliance project, and we would recommend adopting a well-thought-out compliance strategy that is implemented in a controlled and measured way over the next twelve months, rather than trying to rush things through before 25 May 2018.