The introduction of GDPR on 25th May was just the start, rather than the finish line for any GDPR projects. There was never going to be a big bang – GDPR compliance isn’t a one-off thing and will continue to have a big impact on supply chains.
A bit of background
GDPR is an evolution of previous European data protection law rather than a big change. Arguably the biggest change is the introduction of the ‘accountability’ principle, which requires data controllers and processors to demonstrate that they comply with the law. This is achieved by meeting specific obligations and applying a continuous, risk-led approach to data protection. The risks you need to monitor and manage are the risks to individual data subjects rather than the risks to your business.
What to be aware of going forward:
Introducing new services, implementing new technologies and winning new contracts could all introduce new data protection risks, and these need to be recognised and managed.
GDPR compliance will change as businesses change and therefore requires ongoing monitoring and review. Organisations also need to take account of national data protection laws, such as the Data Protection Act 2018 in the UK, that exist alongside the GDPR to exercise certain national discretions and add further obligations.
The keys to getting it right:
• Take account of internal considerations (for example, employee personal data and monitoring, such as using CCTV, vehicle telematics, work force tracking and lone worker systems).
• Meet buyers’ contractual obligations.
Buyers are likely to regulate GDPR compliance as fiercely as the Information Commissioner’s Office (ICO). They are usually large companies, which are more likely to receive a fine and whose reputation (and perhaps share price) would be affected in the event of a breach. They will want to manage risks in their supply chain (and internally) to ensure they do not become liable for, or suffer reputational damage from, failures caused by suppliers.
• Be aware of data protection obligations.
Buyer contracts will include additional data protection obligations, and data processors will be required to sign a data processing agreement with buyers. These agreements will include very specific obligations to meet GDPR requirements, to be subject to audit and, potentially, to indemnify the buyer for non-compliance.
• Ensure continuous monitoring of compliance; regularly evaluate the risks to individuals; and help demonstrate accountability.
Audits can help avoid compliance risks and help mitigate the impact of any enforcement actions if there’s a breach.
An audit programme can also help demonstrate to buyers that GDPR compliance is being taken seriously. Achilles has credibility as a long-established supply chain auditing organisation; using Achilles to validate your ongoing compliance will therefore help demonstrate commitment to being accountable and meeting obligations.
The implications of getting it wrong:
• The maximum fine the ICO can levy is €20m or 4% of worldwide turnover – but this is a worst-case scenario; big fines are likely to be reserved for the worst-offending big businesses.
• The ICO can: investigate; audit; issue warnings and reprimands; order organisations to comply; and impose restrictions or bans on processing personal data.
Whilst these may seem lower impact than a fine, they could hurt SMEs. Investigations and audits will consume valuable time and resources. A temporary or indefinite ban on using personal data for specific purposes could also lead to a loss of business.
• Any enforcement action carried out by the ICO will be made public. This will have an impact on reputation and credibility. Buyers are refusing to work with suppliers who have been subject to any level of enforcement action in the past.
• Individual data subjects can also take civil action for damages where they have suffered material (financial) or non-material (such as distress) loss, including ‘class action’ style claims. The recent Morrisons case was the first data protection ‘class action’ style claim and occurred before GDPR came into force. The supermarket chain was held to be vicariously liable for the actions of a rogue employee who stole employee records and sought to sell them on the internet.
Achilles has launched a GDPR desk-based audit. These are one- and two-day onsite audits (with additional remote days for analysis and report writing). The right audit for your organisation will depend on your size and also on the nature, volume and variety of the personal data you collect and process.
The audits provide you with a view of your level of compliance and, optionally, high-level guidance on steps you should take to meet your obligations. They can be used to provide you with a ‘point in time’ benchmark for your compliance level.
Talk with one of our Sales team to learn more about GDPR audits.