Why brewers need to pay attention to General Data Protection Regulation (GDPR)

If you hold a database of customers, former customers or mailing lists, information on current or former employees, or indeed any other database containing information on individuals, then you will need to adhere to GDPR.

The regulations in brief

The General Data Protection Regulation (GDPR) is an EU-wide regulation that extends the scope of the UK’s Data Protection rules.

The regulation becomes law on 25th May 2018; failure to comply with it could incur hefty fines of up to EUR 20 million or 4% of a company’s turnover, whichever is higher.

Greater rights for anyone who is on any of your databases or computer systems

Individuals, such as your customers, prospective customers, former employees, interviewees etc., will have many more rights, including: the right to have data held on them erased if it is no longer relevant to the purpose for which it was originally collected; the right to access and correct that data; the right to be informed if there is an issue (for example the loss of data); the right to restrict processing (for example not to receive direct marketing); and the right to compensation if they have suffered damage due to an infringement of the GDPR.

Legal perspective: be prepared for individuals to exercise their rights, and only hold data on individuals that you really need to.

Consent to be on your databases

After the introduction of the GDPR, where data is processed on the basis of consent, consent must be freely given, specific, informed and unambiguous.  It requires a statement or clear affirmative action.  Effectively, consent requires ‘opt-in’ rather than ‘opt-out’.

If you have already obtained consent to certain types of processing from your employees or current customers, then this may not be an issue.

But this could prove to be a thorny issue for any brewer that has an active marketing campaign relying on “opt-out” consent as a basis for processing: both former customers and prospects, including anyone on databases that you buy in, must now ‘opt in’ to receiving communication from you.

Legal perspective: start changing your documentation on sales and marketing material now to opt in. Take appropriate advice on the wording.  Instead of relying on consent to process personal data, review whether another basis for processing is appropriate.

Keeping the data safe – governance and accountability

Businesses are responsible for how they collect, store and use personal data and must demonstrate that they are complying with the data processing principles. Larger companies must keep detailed records of their processing activities. You must give more information to individuals about how you will handle their data and must also carry out impact assessments when using new technology or high-risk processing. Staff training is essential to ensure businesses comply with their governance and accountability obligations under GDPR.

Legal perspective: pay special attention to the sales and marketing department, HR, and anyone who interviews staff and may receive CVs and the like; ensure that they are appropriately trained in the new requirements of GDPR.

Data breaches and mismanagement

The new regulation is particularly stringent around loss of data, unauthorised disclosure or access to data.  You should therefore review the way in which you handle data to ensure there is no possibility of data being mishandled, misused or lost.

Any data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be reported to the Information Commissioner.

Legal perspective: check where personal data is held and what the risks are; for example, make sure your sales staff do not keep unencrypted databases on their laptops.

Data management

You now need to document what personal data you hold, including the source of the data, who has access to it, and where it has been shared. This could, for example, include marketing agencies employed to direct-mail customers on your behalf.

Legal perspective: carry out a data audit.

Your employees and HR

The same issues apply to your employees. Whilst most records, such as payroll, will be centralised, a lot of other data is decentralised and often unstructured, such as recruitment records, resumes from recruitment consultants, appraisals and disciplinary reviews.

Legal perspective: look at the data held and possibly centralise it and consider deleting old records that are no longer required.

Conclusion

With data breaches set to become increasingly costly, both in terms of financial penalties and reputational damage, creating a culture of taking data protection compliance seriously could go a long way to minimising the risks of falling foul of the regulations.

Our recommendation is to get ahead of the game now by carrying out an audit on the data you hold, and the way that data is stored and managed.  Rectifying any issues now before the regulation comes into force could pay dividends down the line.

Picture credit: smeders.nl
