Data Protection Consulting Limited
In November 2018 the Information Commissioner’s Office announced that it was targeting enforcement activity on the manufacturing sector, particularly around the revised requirements for data protection registration.
Under the old Data Protection Act (1998) there was a “core business exemption” from registration which applied if the core business did not involve processing personal data except for customer accounts and marketing and staff administration.
So many manufacturers would not have needed to register.
The general rule was that you needed to register if your “stock in trade” was personal data, for example lawyers, consultants, accountants, doctors, etc. However, GDPR removed the need to register for data protection, instead introducing significant record-keeping requirements (Article 30).
In the UK, the revenue from registration fees funds the Information Commissioner’s Office and so registration was reintroduced.
Manufacturers may not have picked up this change and the ICO decided to make an example of a few businesses from that sector last year. Other sectors targeted include business services, construction, finance, health and childcare.
Designating a Data Protection Officer
Last year we did a series of case studies to explain how we thought the DPO role might work in practice.
Our first DPO, Theresa, works for a precision manufacturing company.
Customer data is low risk as it relates to employees of large corporates and multinational companies.
So, data relating to the organisation’s employees present the biggest risk.
Standard HR record keeping will include CV information, details of family or household members, results of pre-employment vetting, sickness management records, timekeeping, Health & Safety, training and monitoring systems.
Theresa identifies that detailed records of the manufacturing process are held for quality assurance and traceability.
This includes using CCTV inside the works. CCTV also helps to maintain the strict controls over access to test laboratories for Health & Safety purposes.
Only those employees who have completed the relevant training are allowed access to the labs, and CCTV is a useful tool for checking that the rules are being followed.
Theresa advises the organisation that its use of CCTV and maintenance of strict timekeeping controls and traceability records constitute “monitoring on a large scale as part of its core business activities”, requiring the appointment of a Data Protection Officer.
Although Theresa is confident to take on the role, the organisation is keen to ensure that it is not completely reliant on one person as a GDPR specialist.
It also makes sense for Theresa to share the workload.
The Data Protection Consulting DPO Support Package is an ideal solution: Theresa can share the audit forms with colleagues to check on the compliance of CCTV and to ensure that Privacy Notices (especially around Monitoring) are complete and up to date.
The audit forms also record and report findings. For help and advice with data protection compliance call us on 01283 516 983 or email firstname.lastname@example.org