As you will have heard repeatedly by now on May 25th 2018 the long awaited European General Data Protection Regulations (GDPR for short) will come into force in the United Kingdom. Food Business Operators are no less accountable to GDPR rules. Because of their small size most food businesses concentrate on bread & butter issues and may hold the mistaken view or vain hope that they are too small to concern themselves with getting ready for GDPR. However since a lot of the F&B trade relies on ‘in person’ interaction the forward leap in e-commerce options, website and social media marketing means even the smallest businesses in this sector are obtaining and therefore responsible for the careful management of customer information.
With only five weeks to go, food businesses should have looked at key provisions of the legislation by now and made their preparations. So let’s look at GDPR readiness from the point of view of that fictitious company we created in our last blog on Brexit for FBOs. NuOatCo is an organic granola manufacturer in the west of England that sells most of its products through its online portal. It fulfils orders from across the UK, EU and even international markets and has been growing year on year since its first year of operation. It’s run by a husband and wife team and while they outsource their manufacturing to a contracted facility they handle distribution and promotion with a small in-house team of six. This is a business which relies heavily on online administration and here are three baseline actions it should have already taken or should get cracking on right away.
NuOatCo must know what personal information they hold for customers, employees, suppliers and service providers, where this is stored and create an internal storage policy. But first it must know what personal data looks like. It ranges from:
• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
• Contact Data includes billing address, delivery address, email address and telephone numbers.
• Financial Data includes bank account and payment card details.
• Transaction Data includes details about payments to and from the customer and other details of products and services purchased.
• Technical Data includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access the NuOatCo website.
• Profile Data includes username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
• Usage Data includes information about how the customer uses NuOatCo’s website, products and services.
• Marketing and Communications Data includes customer preferences in receiving marketing from NuOatCo and third parties on their behalf and your communication preferences. This also includes note made of conversations in person and/or communications supplied.
Now that it knows what it has, NuOatCo should also know what it does with it and be able to produce the record if required. NuOatCo will not need to appoint a data protection officer (DPO) its size and core function means that isn’t a necessity however it should have someone in the organisation who manages the administration of its data protection obligation.
The very nature of the relationship between NuOatCo and its customers is a contractual one. They buy the product, pay online or by phone and have the product shipped to them. Processing the data becomes a necessary part of NuOatCo’s delivery of its side of the contract. The contract justification would certainly apply to the first four types of data listed above and arguably to the fifth and sixth too.
For the last two categories (which is where most businesses like NuOatCo get the information they rely on to build their customer mailing lists) we will have a look at consent. NuOatCo has a clear justification for processing this data but it must also show that it will maintain the data in a secure manner and will only retain it for as long as is necessary to fulfil the purpose of collection.
Usage and marketing related data is arguably not necessary to complete the purchasing contract between NuOatCo and its customers but NuOatCo wants this information. The GDPR recognises this and therefore requires that it find a way to show the customer is aware of and consents to this type of data processing. Consent must be specific, granular, clear, prominent, opted-in, properly documented, easy to be withdrawn by individuals for the processing of their data. Like many food businesses NuOatCo invites users and customers to subscribe to its online newsletter, a loyalty scheme and general permission to contact the customer for further and third- party communications. They have a tick-box mechanism which they will now have to upgrade and specify. Consent will no longer be assumed but must be ongoingly obtained for each type of communication method.
NuOatCo will have to retain evidence of consent and if it intends to allow third parties access to this data, must obtain fresh consent. It’s likely NuOatCo will also be required to identify the third parties to whom the data will be supplied. (Again: See Facebook).
It’s not too late to be ready for the new legislation and there is no need to panic. Bear in mind at all times that like your customers you too are an individual with data rights to be protected and this legislation’s sole function is to achieve that purpose. Let it work for you.
To consult with Gaile, please submit an enquiry for a free 15-minute consultation or call our dedicated GDPR Hotline 0845 241 1843.
We have also put together a special LawBite Rescue GDPR Package for clients who need a little extra last minute help with compliance. Our LawBite GDPR Rescue Package contains 12 GDPR compliant document templates crafted by our expert data protection lawyers and written in plain English.
In addition to GDPR templates the package contains a 30 minute GDPR audit consultation and an additional 2 hours of specific GDPR legal advice all for only £495 + VAT (versus £675 + VAT).