I’m concerned, as I speak to food businesses (from small restaurants to larger manufacturing companies), that there is a feeling the General Data Protection Regulation (GDPR) does not apply to them. In fact, the GDPR applies to every business that handles personal data, whatever its size, and the maximum penalties for breaches are high: up to €20 million or 4% of annual worldwide turnover, whichever is higher. Businesses cannot afford to overlook it.
So the GDPR will have an impact on you as a food business. On an individual level, it should mean you receive fewer unsolicited mailings and calls, that other people cannot buy your data as easily, and that they should not be able to contact you without your permission.
From a business point of view, you will need to run your business in a way that prevents these things happening to the people whose data you hold. It’s important to make sure you can prove that:
This relates to employees, suppliers, engineers who service your equipment, customers and any other individual on whom you hold data. That means your database needs to be cleaned and updated regularly: you cannot simply add someone’s details and hold them indefinitely. Under the GDPR, IP addresses, social media posts and photographs also count as personal data where they can identify a person, along with the information you would already expect, such as telephone numbers, email addresses and postal addresses.
Access to personal data from within your organisation should also be thought through: only staff who need a particular set of data for their role should be able to see or change it, and you should be able to say who those people are.
This relates to all businesses you might work with, such as suppliers, engineers, or organisations you use to store your data or back up your database off-site. You remain responsible for personal data that they process on your behalf, so your contract with them should set out what they may and may not do with it.
For instance, if somebody gives you a business card at a trade show, that does not automatically mean they have given you permission to contact them about your products. You will need a record of the consent they gave and of what they agreed you may do with their data. The simplest approach may be an electronic consent form on your phones or tablets that people can sign up to at trade shows.
If someone asks you to stop mailing or calling them about a particular service you offer, you need to be able to remove their personal data, or update your database to record how their data may be used, such as when and how you will contact them.
Under the GDPR, data subjects have the ‘right to be forgotten’ (the right to erasure). So, if a data subject asks to be erased or forgotten, you must be able to remove their personal data safely and completely from your systems, and tell any supplier you have shared it with to do the same, unless another legal obligation requires you to keep it.
Companies can no longer use pre-ticked boxes or opt-out options to obtain consent from customers. Consent must be given by a clear, positive opt-in action, such as ticking an empty box. It also means that mailings need a clear and simple unsubscribe process, and that withdrawing consent must be as easy as giving it.
The wide-ranging nature of these regulations means it is not wise to leave any changes until the last minute. Here is a basic GDPR compliance checklist to help you adhere to the rules:
Above all, if you haven’t already, take action now. Get the information on what you’re required to do from a reliable source and start preparing your food business for the GDPR before it’s too late.
You can learn more about this subject with Virtual College, by signing up to our course The Essentials of GDPR.