Achieving GDPR compliance in manufacturing
As we prepare for the EU’s General Data Protection Regulation (GDPR) to go into effect in May 2018, we look at its effect on compliance in the manufacturing industry.
Historically, manufacturers have relied on analyzing data about their products, supply chains, vendors, employees and customers to gain the insights that help them transform their businesses. Today, manufacturers across the globe are embracing the benefits of Industry 4.0 technologies, from digital twins of processes enabled by mixed reality to predictive capabilities enabled by artificial intelligence. These technologies improve manufacturing processes, reduce environmental impact, pre-empt potential asset reliability issues and improve health and safety.
This innovation also brings more data than ever before to collect, understand, reason over, and act on. However, unlocking the full potential of that data can also require navigating new or unfamiliar regulatory requirements.
Introducing the GDPR
The GDPR is a critical regulatory requirement that manufacturing organizations must plan for. The Regulation will apply from 25 May 2018 – but many in the manufacturing sector may not yet be aware that the law exists, let alone that it may apply to them.
This is understandable. Just a few decades ago, manufacturing companies collected relatively little personal data. But today, manufacturing firms often do collect data that relates to identifiable natural persons, such as employees, business partners, suppliers, and customers. This type of “personal” data is squarely in scope of the new law.
The GDPR can affect non-European manufacturers
Companies headquartered in Europe are, of course, aware of the GDPR. However, the GDPR also applies to companies with operations and employees in the Union, something that companies I meet with are sometimes unaware of. Additionally, one aspect of the GDPR that has surprised manufacturers I meet with is that it can apply to data processing outside of Europe, as well as to firms that do not have any EU-based establishments.
It’s true that the GDPR has a long arm. For example, the GDPR applies to processing activities related to the offering of goods or services to individuals in the EU, meaning that sales of manufactured goods to consumers in the Union can trigger application of the GDPR even if the manufacturer has no facility in the EU. Similarly, “monitoring” of a customer’s behavior within the Union can also trigger application of the GDPR, which can sweep in activities like collecting telemetry through “Internet of Things” connected products.
The message is clear: manufacturers, even outside Europe, need to consider their exposure under the GDPR and plan accordingly. While I’m not a lawyer, I’ve personally reviewed the GDPR and worked with my legal team to better understand the potential impact of the GDPR to Microsoft as a manufacturer, as well as Microsoft’s customers in the manufacturing industry. Below is a high-level summary of some of the more obvious potential issues for manufacturers that are on my radar.
What the GDPR requires
The GDPR imposes a wide range of requirements on enterprises in scope, among them:
- Expanded scope. Because of the Regulation’s wider territorial reach, manufacturers can be subject to the GDPR regardless of where they are based. For global manufacturing businesses in scope, this means that any personal data, from contact details to bank account information of employees, customers, suppliers, and sub-contractors, must be secured. Manufacturers should pay special attention to the wide range of employee records they hold, including HR files, payroll and pension records.
- Consent. Overwhelmingly, the most talked-about challenge of the GDPR is the new set of requirements around obtaining consent. Under the GDPR, manufacturers will in some scenarios be required to obtain clear and meaningful consent from data subjects. Any consent that is needed will not be easy to get: the GDPR requires consent to be “freely given, specific, informed, and unambiguous.” And where a manufacturer is processing sensitive data (“special categories” such as health data), there is a heightened standard: consent must be explicit. Manufacturers may be affected by these requirements when engaging in activities like processing employees’ health and contact details in a system of record, or when dealing with vendors and sub-contractors in the manufacturing process.
- Data transparency and fairness. In order to satisfy this obligation, manufacturers should consider whether they need to inform employees, vendors, and consumers about the personal data they collect and process, and how best to do so (not always an easy task where manufacturers have no direct retail function). User interface requirements will be particularly important where manufacturers offer connected devices that interact directly with consumers (e.g., “smart” sensors in the home, sensors in connected cars). Manufacturers will also need to assess whether they have a “lawful basis” to process data; the mere ability to collect personal data does not confer an automatic right to do so, even where consumers are informed about the practice.
- Purposes of data use. Manufacturers will need to ensure controls are in place so that where personal data is re-used, or re-purposed for a new function or insight, the GDPR’s purpose limitation rules are complied with. This may require, for example, implementing controls and procedures to govern how data analytics are carried out and on which data.
- Big data, profiling, and data minimization. At a time when manufacturers are collecting ever greater quantities of data, complying with a principle of data minimization is challenging. Manufacturers should review the personal data they collect from employees, vendors and customers, and consider why they are collecting it, and for how long they are retaining it. Internet of Things (IoT) devices, particularly those that interact with employees and consumers, should also be reviewed with privacy requirements in mind because the GDPR imposes rules on profiling which it defines as “any form of automated processing of personal data … to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
- Data security and breach notifications. Manufacturers already appreciate the importance of data security to protect trade secrets and other intangible assets. But the GDPR also contemplates significant penalties for companies that fail to take appropriate technical and organizational measures to keep personal data secure. The GDPR will require manufacturers to secure personal data, such as that of their employees, in a manner proportionate to a range of factors, including its sensitivity and the risk to individuals. In the event of a personal data breach, data controllers must generally notify the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. A processor that suffers a breach, such as a supplier operating a system on the manufacturer’s behalf, must in turn notify the controller without undue delay. Additionally, if the breach is likely to result in a high risk to the rights and freedoms of individuals, organizations will also need to notify the affected individuals without undue delay.
- Data subject rights for employees, subcontractors and suppliers. Under the GDPR, individuals, including employees, have a right to find out whether an organization is processing their personal data and to understand the purposes of that processing. Depending on the circumstances, individuals may also have rights to have their data deleted (the “right to be forgotten”) or corrected, to have its processing restricted, to object to profiling, and to withdraw consent for certain uses of their data. Complying with all these rights can be a challenging exercise even for larger companies, requiring, for example, mechanisms to receive and verify requests, to locate and aggregate all data about a person spread across different systems, and to disclose that data to data subjects in an intelligible form where needed.
These are not the only requirements imposed by the GDPR. For example, manufacturers may also need to appoint a data protection officer, carry out data protection impact assessments, and review vendor and supplier agreements to ensure adequate controls and compliance measures are in place to cover the supply chain. Special rules also apply to transfers of personal data out of the EU to third countries.
How cloud tools can help
The list of requirements above, long as it is, is only a subset of what the GDPR can require. As a result, even large and well-established manufacturers can “get lost” in the legal thicket. The good news for manufacturers, however, is that Microsoft is already developing cloud technologies with built-in tools to help facilitate GDPR compliance. This includes a wide array of measures described on our Trust Center: technical security measures like encryption and certificate protection; organizational measures such as access controls and audit and logging features; and data management features such as record-keeping and retention policy functions, data classification tools, and more. Industry 4.0 technologies can be used to transform processes and products, and they can also be used to facilitate compliance with regulations.
To give just four examples:
- Office 365 can help automatically identify personal data about workers, corporate employees, subcontractors, suppliers and customers held within the service.
- Microsoft 365, introduced earlier this year, brings together Office 365, Enterprise Mobility + Security, and Windows into a single, always-up-to-date solution, relieving organizations of much of the cost of multiple, fragmented systems that were not necessarily designed to comply with modern standards and regulations. It includes Compliance Manager (see below).
- Azure Data Catalog and Azure App Catalog will help uncover personal data in your systems, databases, and line-of-business (LOB) applications across your entire business, from factories to headquarters.
- Compliance Manager helps customers assess and track their data protection and compliance posture and get actionable insights to improve it. With a compliance score, customers can better understand their posture against regulatory standards.
We also already provide GDPR-related assurances in our cloud service contract commitments, and offer the EU Model Clauses so that our customers can lawfully transfer personal data from the EU to our cloud.
This is a complex area, and each company’s journey to GDPR compliance will be unique. Manufacturers need to understand how the GDPR affects their business and consult with their lawyers to define their path to compliance. They should also work with vendors that help them meet their GDPR requirements, and adopt technologies and services that genuinely facilitate compliance.
If you have questions about what manufacturers need to think about as they consider GDPR compliance, please see our GDPR Assessment, get the latest on GDPR compliance and news, learn how our services can help, or contact your account manager to begin the discussion.
Twitter: @Caglayan_Arkan