A Question and Answer Guide on GDPR for Manufacturers

May 10, 2018
Compliance, IT Security, Manufacturing


The acronym “GDPR” has practically become a buzzword in the manufacturing industry, given how frequently it’s dominating business discussions and online searches. That’s because the broad reach of the EU’s data protection legislation, which takes effect May 25, 2018, makes it likely to affect many US manufacturers.

If your manufacturing company processes the data of EU citizens, it could very well be among them, even if it has no physical presence or operations in the EU. If that’s the case, you probably have questions. Below are answers to some of the most frequently asked.

What is the GDPR?

GDPR, which stands for General Data Protection Regulation, provides updated data protection legislation throughout the EU to cover many of the new, previously unforeseen ways that personal data is used.

It introduces tougher fines for non-compliance and breaches and gives EU citizens more say over what companies can do with their personal data. It also makes data protection rules more comparable throughout the EU.

What data is considered ‘personal data’?

The GDPR defines ‘personal data’ as any data that a person could be identified by, such as name, email, IP address or online behavior. Personal data is becoming a hot commodity in the manufacturing world with many companies using IoT connected devices to collect massive amounts of consumer information. Meanwhile, AI and RFID technologies are increasingly used to collect, use and integrate personal information into product manufacturing.

Who must abide by the GDPR?

The GDPR requirements apply to any organization doing business in the EU or that processes personal data originating in the EU, whether it’s the data of residents or visitors. Because data may be processed outside the EU, manufacturers can be subject to the GDPR regardless of their base of operations.

What happens in the event of a data breach?

Your company must notify the appropriate authorities within 72 hours. It should also provide information on the nature of the data that was breached, the approximate number of people affected, the potential consequences for those people, and what remediation measures are being taken.

What’s the big deal about consent?

Under the GDPR, there may be situations in which your company will be required to obtain clear and meaningful consent from data subjects. This could be an activity such as processing employees’ contact details on a file of record or dealing with sub-contractors in the manufacturing process. The GDPR requires consents to be “freely given, specific, informed, and unambiguous.” If your company is processing sensitive data, there is a heightened standard for consent.

What about data transparency and fairness?

Under the GDPR, individuals, including employees, vendors, and consumers, have a right to find out if your company is processing their personal data and to understand the purposes of that processing. They may also have the right to have their data deleted or corrected, ask that it no longer be processed, object to profiling, and revoke consent for certain uses of their data.

If IoT and connected devices are used to interact directly with customers, the requirements these rights place on their user interfaces need to be considered as well.

What are the penalties for non-compliance with the GDPR?

Your company could incur fines of up to €20 million or 4% of its worldwide turnover (revenue), whichever is greater, for non-compliance. Less serious violations, such as failing to notify the appropriate authorities about a breach, can result in fines of up to 2% of annual global turnover, or €10 million.

Who should handle GDPR compliance within my company?

The GDPR defines several roles that are responsible for ensuring compliance, including the data controller and data processor. The data controller specifies how and why personal data is processed. The controller is also responsible for making sure outside contractors comply.

Data processors are the internal groups that maintain and process personal data records. Or, they could be a third-party company that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance.

Is US Signal considered a controller or a processor?

US Signal is considered a processor of customer data hosted at US Signal, and its customers are the controllers. US Signal has limited knowledge of the data that each customer processes via its hosting environments, and only processes data according to our customers’ instructions.

What services does US Signal offer to help me comply with GDPR?

US Signal can’t ensure your company is GDPR-compliant, but we can offer services to help meet some of the GDPR requirements. Make sure to consult a legally qualified professional to discuss how the GDPR applies specifically to your company and how best to ensure compliance.

To find out more about how US Signal can help, or for information on our data protection, managed security, and compliant IT solutions, call us at 866.2.SIGNAL or email [email protected].