GDPR in the food chain – do you know what it will mean for your business?
Does GDPR apply to my restaurant?
I’m concerned as I speak to food businesses – from small restaurants to larger manufacturing companies – that there’s a feeling the General Data Protection Regulation (GDPR) does not apply to them. In fact, the GDPR applies to any business that holds personal data, whatever its size, and the penalties for breaches are high – up to €20 million or 4% of annual worldwide turnover, whichever is higher – so businesses can’t afford to overlook it.
So, as a food business, the GDPR will have an impact on you. On an individual level, it should mean you will get less unsolicited mail and calls, people should not be able to buy your data as easily and they shouldn’t be able to communicate with you without your permission.
From a business point-of-view, you will need to ensure your business operates in such a way as to prevent these things from happening to those you hold data on. It’s important to make sure you can prove that:
Any personal data you hold is necessary for a specific business purpose
This relates to employees, suppliers, engineers that service your equipment, customers and any individual on whom you hold data. You should be able to say why you hold each piece of data and for how long you need it. That means your database needs to be cleaned and updated regularly – you cannot just add someone’s details and hold them indefinitely. Under the GDPR, IP addresses, social media posts and photographs are also counted as personal data where they can identify an individual, along with information you may already expect, such as telephone numbers, email addresses or postal addresses.
You have policies and procedures for protecting personal data
Access to personal data from within your organisation should also be thought through responsibly: limit it to the staff who need it for their role, and be able to show who can see what.
The businesses you work with are also GDPR compliant
This relates to all businesses you might work with, such as suppliers, engineers or organisations you may use to store your data, or back up your database, off-site. Where another company processes personal data on your behalf, you remain responsible for it, and you need a written contract setting out what they may do with it and how they protect it.
You have a lawful basis for everyone on your database, they have opted in where you rely on consent, and you uphold their rights when it comes to accessing their data and objecting to its use
For instance, if somebody gives you a business card at a trade show, it does not mean they have automatically given you permission to contact them about your products – you will need to have a record of the consent they have given you and how they have agreed to you using that data. It may be simplest to have an electronic consent form available on your phones or tablets for people to sign up to at trade shows.
You are able to remove personal data or are able to update it within your database
If someone asks you to stop mailing them or calling them about a particular service you offer, you will need to be able to remove their personal data or update the information on your database to instruct how their data can be used – such as when and how you will contact them.
You are able to remove any personal data your business holds on someone
Under the GDPR, data subjects have the ‘right to be forgotten’ (the right to erasure). So, if a data subject asks to be erased, you must be able to remove their personal data safely and completely from your systems, including backups, and tell any third parties you have shared it with to do the same, unless you have a lawful reason to keep it, such as a legal obligation to retain payroll or tax records for a set period.
Your business gains consent in the correct way
Companies can no longer use pre-ticked or opt-out options to gain data consent from customers. A clear, positive opt-in tick-box must be used. It also means that mailings need to have clear and simple unsubscribe processes.
The wide-ranging nature of these regulations means it’s not wise to leave it until the last minute to implement any changes. Here is a basic GDPR compliance checklist to help you meet the rules:
- Recognise who your Data Protection Officer (DPO) is within the business – this is your data gatekeeper. A formal DPO is only compulsory for public authorities and for organisations whose core activities involve large-scale or systematic monitoring of individuals, or large-scale processing of sensitive data, so most food businesses will not need one, but it is always easier when someone champions a project.
- Make sure everyone within the business understands what the GDPR does for them as an individual and how it affects how they collect, store and use data at work.
- Clean your database and remove any information you know is no longer relevant.
- Where you rely on consent, ask everyone whose data you want to store if you can continue to keep their information. In every case, tell people how they can see what information you’re storing on them, how you will store it, what specifically you will use it for and how they can have that information removed or altered.
- Make sure that, for each person’s data, you store the permissions you are granted and can show them if required.
- Have clear business privacy policies and make sure they are accessible to all employees.
- Regularly maintain your database and train your staff in their GDPR responsibilities.
- Make it simple for people to request to be removed from all the communications you send.
- Report any data breach that is likely to put people’s rights and freedoms at risk, whether it happens internally or at an external company working for you, to the Information Commissioner’s Office within 72 hours of becoming aware of it, and tell the affected individuals where the risk to them is high. Keep a record of every breach, even those you decide do not need reporting.
Above all, if you haven't already, take action now. Get the information on what you’re required to do from a reliable source and start preparing your food business for the GDPR legislation before it’s too late.
You can learn more about this subject with Virtual College, by signing up to our course The Essentials of GDPR.