Despite all the coverage of GDPR, I am still hearing people say “I don’t think it applies to us,” or “can we avoid it somehow?” The answer is: GDPR is just as relevant to all organisations, large and small, as food hygiene and traceability are to all food manufacturers. However, food manufacturers don’t just comply with regulations because they have to, nor do they comply because they might get a visit from the Food Standards Agency. They worry far more about their customers, and their customers are the ones who will do the checking.
The customer is usually not you or me, because we rarely buy products directly from the factory. Many food manufacturers’ customers are the big supermarkets, and many food manufacturers also manufacture food products for the supermarkets’ own labels. This means that if anything, but anything, goes wrong with the products, from contamination to a wonky label, the supermarket gets the bad press, not the manufacturer. The supermarkets go to great lengths to ensure that won’t happen.
The customers – the supermarket buying teams – are what the food manufacturers are most concerned about, not the legal requirements. These customers have exacting standards, often way in excess of the minimum legal requirements. They conduct spot inspections to ensure compliance and can take business away in an instant.
So what is the relevance to GDPR and our non-food organisations? It is the customer. In fact there are two types of customer that are important to us – the client organisation and the individual, and each will have relevance depending on your market.
If you provide services to a larger organisation, particularly if that organisation has a brand to protect and you record any form of personal data, you can expect that they will ask you about your readiness for GDPR. They may send you a questionnaire or they may ask for sight of your policies and procedures.
If you have contact with individuals, whether they are end customers or individuals within an organisation, you may receive one of several forms of Data Access request. This might be reasonable, or it might be entirely unreasonable if the individual is following their own personal agenda (to put it politely). Either way, you have to be ready to comply with their request. If you don’t, they now have a very easy way to raise a complaint about you to the Information Commissioner’s Office (ICO).
This is what the food industry can teach us about GDPR compliance. It is not the ICO that is most likely to check up on us, it is our customers. If we fail in those checks, it won’t look good. GDPR compliance need not be a lot of work for small companies, so it is worth making the effort to put the basics in place.
Here is a very simple list of the minimum you need to have ready. You can obtain templates for most of these online or from your industry membership organisations.
- A named person responsible for Data Protection in your organisation (not necessarily full time in smaller organisations).
- Privacy Statements – a version on your web site, and a more comprehensive document to support internal and external contractual agreements.
- Data audit – at its simplest, this is a spreadsheet listing where you keep personal data (e.g. email, contact lists, CRM, order files, correspondence etc.) and what processes and agreements are in place to protect it. Most major cloud storage providers will be aligned with TRUSTe or EU-US Privacy Shield frameworks, but you need to check.
- Data Retention Policy and Procedures.
- Data Subject Access Procedures and form.
- Data Breach Procedures and Incident Form.
- Purchase Order Terms and Conditions to include a GDPR Addendum for use with your suppliers, e.g. web site hosting and management if you have an Enquiry Form, or your Auditors and Accountants.
- GDPR training for your staff, and a log recording training you have given to employees and contractors.