New data protection rules: how manufacturers can avoid incurring hefty fines Manufacturers are urged to get to grips with the biggest overhaul of data protection law in a generation when new rules come into effect on May 25, 2018. The General Data Protection Regulation (GDPR) will spark a series of challenges for production companies, engineers and technology firms. It will be regulated by the Information Commissioner’s Office (ICO), a government watchdog, and fines for non- compliance could be as much as €20,000,000 or 4% of annual turnover. A very complex area, covering a huge array of requirements, GDPR will govern how all private, public and third sector organisations across the EU handle personal data. The government has said that it will remain in place post- Brexit. Under GDPR, every person whose personal information is stored by a manufacturer - or any other business for any r eason - must be told why that organisation wants it, and what it will do with it. Manufacturers seeking to share the data with any third party will also need the specific consent of the individual. This consent must be very clear. For example, you cannot simply rely on a click confirming that a privacy policy has been read. Legal consent under GDPR must be explicit, informed and freely given. It can be made in a statement or by ticking a box. Personal data must be stored securely with specified protocols to ensure that it is not breached, stolen, leaked or shared without authorisation. The far-reaching changes allow anyone to inspect their personal data at any time. As such, organisations must be geared up to handle ‘subject access requests’ - informing anyone who asks what data is held on them - and how it is used - within one month. This means that it must be kept accurate and up to date, with any changes made as and when they occur. The need for easy amendment and management is also vital as anyone can request that their personal data be removed at any time. GDPR also requires that employees are trained in how to protect and manage the information As many manufacturers routinely collaborate with other companies, formally and informally, on product development, distribution and knowledge sharing, they will need to hold and share the personal data of every person involved. In a pan-European supply chain, for example, this might run to hundreds of individuals. GDPR also applies to collaborations with different divisions of the same company, universities or outside research/scientific organisations. All this is further complicated if an organisation or its partnerships are based outside the EU. In these cases, it will be necessary to establish how other jurisdictions regulate the protection of data that is shared beyond its borders. A particular headache for manufacturers, who may already have amassed large amounts of information, is that GDPR applies retrospectively to all data collected before May 2018, as well as all data from that date. Comprehending and complying with the massive changes will be extremely challenging. In the adage that forewarned is forearmed, enlisting a legal practice with a track record in data protection upfront can help to avoid severe financial non-compliance penalties further down the line. Despite the complexities involved, the new rules demand that data is securely stored and can be easily tracked, retrieved, quizzed, amended and destroyed.

Made with FlippingBook flipbook maker