What GDPR Means For the Freight Forwarding Industry
GDPR stands for General Data Protection Regulation and is the forthcoming legislation set to change the way in which the personal data of individuals in the EU is protected. It will be impossible for businesses and individuals to ignore. If we look at the freight industry in particular, digitalisation has markedly increased the amount of personal data organisations store. Take the example of vehicle drivers: handheld devices, telematics units and in-cab video systems all capture a large amount of personal data about them, including location history and driving behaviour. It is therefore anticipated that GDPR will have a significant impact within the freight industry, and organisations are encouraged to ensure full readiness. Within this article we take a closer look at what GDPR is, why it was created, some of the key elements of the legislation, and the penalties in the event of non-compliance.
Key dates and Brexit
The European Commission proposed the GDPR in January 2012; it was adopted in April 2016 and will be enforceable from 25th May 2018. Some people have questioned whether organisations in the UK need to comply since we are exiting the EU (Brexit). The quick answer is yes – those who do not comply whilst we are still a member of the EU will be in breach and subject to the penalties which are detailed within this article. Note also that GDPR applies to any organisation, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour, so a UK freight business dealing with EU customers or drivers will remain in scope after Brexit regardless. It is not yet clear exactly how the UK will deal with data protection post Brexit, but there is no reason to expect a marked deviation from GDPR.
Why GDPR was created
There are two primary reasons cited for replacing the existing data protection rules (the 1995 Data Protection Directive and the national laws that implement it):
- The EU believes its citizens should have a higher level of control over their own personal data.
- The EU recognises that the Directive was transposed into a different national law in each member state, producing a patchwork of legislative frameworks across the EU that is confusing and inefficient for organisations operating in more than one country. GDPR is a Regulation rather than a Directive, so it applies directly and uniformly in every member state, providing a harmonised legal framework.
GDPR key legislative elements
- Personal data must be processed lawfully. Lawful in this context means that the processing rests on one of six lawful bases set out in the legislation. Consent is only one of these; the others are that the processing is necessary to perform a contract with the individual, to comply with a legal obligation, to protect the vital interests of the individual, to carry out a task in the public interest, or for the legitimate interests of the organisation where these are not overridden by the individual's rights. Organisations should identify and document which basis they rely on for each processing activity rather than defaulting to consent, because consent can be withdrawn at any time.
- Where consent is the basis, there is a big change: consent must be active. Under the current regulations consent may be passive. One of the most common examples is a pre-ticked box: unless you untick it, you are treated as having agreed to your personal data being stored, and possibly shared with other organisations. Under GDPR consent must be given by a clear affirmative action, such as ticking an unticked box, and it must be freely given, specific, informed and unambiguous. Pre-ticked boxes, silence and inactivity do not count, and it must be as easy to withdraw consent as it was to give it. In addition, data controllers have an obligation to record how and when consent was provided by the subject, so that they can demonstrate it if challenged.
- The definition of personal data is expanded to reflect the wider range of information organisations now hold. It explicitly covers online identifiers such as IP addresses, cookie identifiers and device identifiers, as well as location data, all of which a telematics or tracking system will routinely generate. This is a reflection of the increasing digitalisation of businesses.
- Data subjects have the legal right to access their personal data at ‘reasonable intervals’. ‘Reasonable’ is based on both the nature of the data being stored and the expected frequency of change. The data controller must respond to a request without undue delay and in any event within one month, which can be extended by a further two months only where requests are complex or numerous, and a copy must normally be provided free of charge. It is anticipated that the number of subject access requests will increase, and organisations should ensure they understand what information they are holding, where it is stored (including in third-party systems such as telematics platforms), and their process for responding within the time frame.
- One of the most publicised concepts within GDPR is the ‘right to be forgotten’, formally the right to erasure. This has hit the press in relation to social media platforms including Facebook. GDPR outlines that if the data is no longer necessary for the purpose it was collected for, or the subject withdraws the consent on which the processing was based, the subject can request its deletion and the controller must comply unless an exemption applies, for example where the data must be retained to meet a legal obligation such as a statutory record-keeping requirement.
- Some organisations will be required to appoint a Data Protection Officer (DPO): public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data such as health data. Continuous vehicle and driver tracking may well meet the monitoring test. This may be a role carried out by an individual already within the organisation, provided there is no conflict of interest with their other duties. However, GDPR places a greater expectation on the individual's experience and qualifications, requiring expert knowledge of data protection law and practice.
What if there is a data breach?
The organisation must notify the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay. The 72-hour notification can be an initial alert, with further detail supplied in phases, and it should be followed by a thorough investigation and impact assessment. Organisations must also keep an internal record of every breach, whether or not it was reportable.
There are significant penalties for non-compliance – fines of up to 20 million Euros or 4% of the organisation's total worldwide annual turnover, whichever is higher.
Furthermore, and perhaps more concerning from a reputational perspective, the Information Commissioner's Office publishes the enforcement action it takes against an organisation. This places the breach in the public domain and may cost the organisation dearly in terms of current and future custom.
GDPR is a monumental piece of legislation which responds to the way in which advancements in technology have disrupted how personal data is stored and processed. It is widely viewed as a positive step for individuals within the EU, but it will place an additional burden on organisations, who will have to uphold a higher standard with respect to data management. Freight, like almost every industry, will feel the impact of the legislation, and we expect to see freight organisations in the final stages of business readiness – particularly as the stakes for non-compliance are so high.