GDPR: Key considerations for the manufacturing sector 17 August 2018

By Natasha Bougourd, lead applications writer, TSG

GDPR has been enforced for around two months now, and yet despite the deadline passing, many businesses still don’t consider themselves prepared to comply. Only a month before the deadline, a Crowd Research report declared that 93% of respondents were not yet ‘in full compliance’ with the regulation.

Headlines around GDPR have focused on the potentially eye-watering fines – a maximum of 4% of global turnover or €20 million, whichever is higher – but haven’t offered much detail or guidance. The good news is that 80% of those surveyed identified GDPR as a key business priority, and compliance is more of an ongoing journey than a task that could be marked as completed on 25th May 2018.

The manufacturing industry has seen a significant uplift in recent years thanks to getting a grasp on big data. It’s been argued that GDPR could pose a threat to the innovation afforded by correctly utilising big data to make smarter decisions. The key element to consider with GDPR is that it only applies to Personally Identifiable Information (PII); this is the data you need to protect and identify more consumer-led methods of processing. Consent is key, with businesses heavily sanctioned for using data without explicit individual consent.

Here are some of the key areas manufacturers need to address to ensure long-term compliance with GDPR.

Protecting your digital data
When you’re dealing with data – whether that’s big data or not – chances are, you’re processing more than ever before. Many businesses that don’t store customers’ personal information make the mistake of thinking this doesn’t apply to them; however, all businesses will at the very least hold employee information. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.

Cyber security is the first stop on your GDPR journey. By building your walls of defence and making them as high and complex as possible, you not only drastically reduce the risk of your data being breached or stolen, but in the event a hacker does get through, you’ll be able to prove that you put those measures in place. That itself is more important to the data protection governing body than experiencing a breach itself.

Start by encrypting data
You shouldn’t just implement one technology to protect your data; a multi-pronged defence means there are more hoops for the cyber criminals to jump through. However, the method that should be at the top of your list is encryption; not only is it a robust way to keep your data inaccessible to cyber criminals, it’s recommended throughout the full GDPR documentation. Should any PII data you hold fall into the wrong hands – whether deliberately or accidentally – encryption will render it unintelligible. Encryption can operate at a file, folder, device or even server level, offering the level of protection most suited to your business needs.

Evaluate how you process data
As with many regulations, it ultimately boils down to your policies and processes, which will detail how you protect and process personal data. The GDPR states that data controllers must “adopt internal policies and implement measures that meet in particular the principles of data protection by design and data protection by default”. All new policies, whether specifically related to GDPR or not, must be compiled with a ‘privacy by design’ model. Existing policies, including your data protection policy, privacy policy and training policy should also be reviewed in light of GDPR.

The deadline for Subject Access Requests (SAR)
The GDPR empowers consumers to check how you’re processing their data, as well as rectifying and, in some cases, removing their data from your database. Under GDPR you’ll have only a month to respond to these requests, otherwise you’ll be at risk of non-compliance. Not all deletion requests need to be followed, as some businesses have a legitimate interest in holding your data. Could your landlord serve you whilst holding no contact information for you? More guidance on this in the UK can be found on the Information Commissioner’s Office (ICO) GDPR guide.

Finally… don’t panic
It’s a subject nobody wants to talk about, but you need to know what happens in the event that your data is stolen or breached. Whilst businesses are most fearful of experiencing a data leak, not reporting it could be considered a bigger infraction than the breach itself. Businesses must report it within 72 hours of discovery. It’s especially important to note this, as failing to meet this obligation could be considered a bigger breach of the GDPR than the data leak itself.

Not all breaches need to be reported. For example, if an employee loses a business issued smartphone that has been encrypted, you don’t need to report it because your data will be inaccessible. It’s best to check the guidance to find out exactly what you need to report.

It’s important to note that simply experiencing a cyber attack or data breach won’t automatically result in financial punishment; the GDPR clearly states that, should you prove you put in place measures to protect your PII data, you won’t be hit with the most severe fines. Reviewing your existing policies and processes, as well as implementing new GDPR-specific processes, adding layers of cyber security and knowing what to do in the event of a breach are actions that will all stand you in good stead for GDPR.

About the author
Natasha Bougourd is TSG’s lead applications writer, specialising in IT support, Office 365, Dynamics Nav modules, hosted telephony solutions and business intelligence.

TSG is an IT support company that has expertise across a wide range of technologies and has helped businesses achieve GDPR compliance through the use of technology. From Office 365 to Sage and Pegasus ERP solutions to IT support, infrastructure and cyber security solutions, TSG has a highly skilled workforce working across all areas of business tech. Holding 8 Microsoft Gold competencies, TSG places focus on a highly skilled and qualified workforce with over 1,000 recognised accreditations between its team of experts, including MSCE Certifications, Prince2 and ITIL qualifications.

Deputy Editor

Claire Aldridge Deputy Editor t: +44 (0) 1727 814 450

Biog

Having joined the magazine in 2012, Claire developed her knowledge of the industry through the numerous company visits, exhibitions and conferences she attended both in the UK and abroad.

Responsible for social media and the online platforms, Claire prides herself on keeping readers well informed and up to date with the latest industry news.