Check Your Blind Spot: GDPR Poses Veiled Risks for M&D Companies

Sharon Lindstrom, Managing Director Manufacturing and Distribution Industry Practice Leader
Jeff Sanchez, Managing Director Security and Privacy

Executives that participated in Protiviti’s latest annual top risks survey, conducted with North Carolina State University ERM Initiative, ranked regulatory changes and scrutiny as a top-five risk in 2018. That’s hardly a shocker, considering that respondents typically identify regulatory issues as a top concern each year. Companies unaware that regulatory changes could affect them are at even greater risk, however.

For manufacturing and distribution (M&D) organizations that do business in the European Union, an imminent regulatory change requiring immediate attention comes in the form of the General Data Protection Regulation (GDPR). GDPR goes into effect on May 25 this year. From an M&D perspective, the bulk of the rule appears to cover business segments unrelated to the principal operations of companies in the industry; nevertheless, GDPR affects M&D companies in ways that they may have not yet considered.

GDPR is designed to give EU citizens more control over their private information amid the growing risks associated with personal data exposure in the digital world. GDPR defines personal data as any information related to any person that can directly or indirectly identify that person. Companies that violate GDPR could face a fine of up to 4 percent of global revenue or 20 million euros, whichever is greater. The specter of a fine of that magnitude warrants attention. We have covered various aspects of GDPR on this blog, which you can read here.

The EU does not require that companies demonstrate compliance with GDPR, but it is widely believed that Data Protection Authorities (DPAs) — agencies tasked with enforcing the rule at the local level — will aggressively hunt for violations to fund their new oversight programs. Generally, DPAs will focus on two primary enforcement areas: data breaches and complaints alleging that private information was used in a manner that went beyond a person’s consent.

Know Your Sources

The good news is that M&D companies are chiefly business-to-business operations that have only tangential contact with consumers. But just because DPAs may not make M&D organizations their specific targets doesn’t mean the companies get a free pass on the new regulation. For one, GDPR protects the personal information of employees, which will affect M&D companies that have an EU workforce. What’s more, even though the organizations may not deal with customers extensively, there are subtle ways in which they collect consumer information, whether or not the manufacturer is aware of it. For instance, this information can be collected during warranty service or parts requests, through website visits that produce cookies, and through communication with the employees of vendors or suppliers.

To avoid being blindsided by a violation and fine, we suggest that M&D companies identify and map the different kinds of personal data they gather as well as the ways in which they gather it. We also recommend that companies close gaps and implement mitigation measures to minimize the risk of breaches and complaints. Organizations should also be aware that the rights that GDPR confers upon EU citizens may limit a company’s ability to lawfully process personal data, which could impact business models. Organizations must have a legitimate right to use the data to perform a service — it cannot be obtained for one purpose and then saved and used for another purpose.

A few examples of information covered by GDPR follow, including data and collection sources that organizations may be overlooking:

  • Fundamental Data/Observable Sources — This source includes names, home addresses, phone numbers, birth dates, financial and bank information, and email addresses. Certainly M&D companies are going to have this information on their employees, in addition to other potential work-related data such as healthcare information and passport numbers. M&D organizations may also have much of this data for consumers. Consider makers of washing machines or other appliances. While consumers don’t buy appliances directly from manufacturers, they may fill out a warranty card to register the product. That information then becomes subject to GDPR, and because buyers registered the appliance for warranty purposes only, manufacturers are prohibited from using the data to market other products to those customers without consent.
  • Digital Data/Automated Sources — M&D companies also need to be aware that they digitally gather “hidden” personal information through electronic logs or system files. Shoppers beginning their research for a washing machine frequently visit manufacturer websites, for example, and automatically provide the company with their Internet Protocol (IP) addresses. As it stands now, that information is all that is needed to begin inundating web-surfing consumers with washing machine advertisements. But that type of data is also protected by GDPR, which, again, would prohibit that type of marketing without the consumer’s consent. Media access control (MAC) addresses, cookies and GPS data also fall into this bucket.
  • Business Customer Data/Company and Vendor Sources — Personal information on European business contacts is also subject to GDPR, whether M&D organizations are outsourcing functions such as their sales force programs, or are performing them in house. Outsourcing puts a premium on third-party vendor management to ensure that vendors are following the rule, but regardless of how their operations are structured, organizations need to be aware that the same restrictions that apply to consumers apply to business customers. A sales force database typically includes personal information on potentially tens of thousands of contacts. If someone in the database requests that a manufacturer stop sending marketing collateral to him or her, GDPR stipulates that M&D firms or their vendors must delete that contact. Simply flagging the account isn’t enough under GDPR.

Those are just a few examples of how GDPR may trip up M&D organizations that do business in the EU. With the GDPR effective date just over a couple of months away, M&D companies that do not yet have a handle on the regulation still have some time to prepare, but must do so with urgency. By focusing on identifying the types of personal information that they collect, and the sources that generate that information, M&D companies can then map out a strategy to shore up weaknesses and position themselves to be compliant on a timely basis. Organizations can find additional resources and information about GDPR to quicken the process here and here.
