New data protection rules set to have big impact

Newly-agreed EU data protection laws will significantly increase the regulatory burden on food and drink businesses, a legal specialist has warned.

Hailed as the most important change to data protection in the UK and EU since 1995, the European General Data Protection Regulation (GDPR) will require firms to adhere to much tighter laws, claimed Sean Crotty, a partner specialising in data protection law at legal firm Weightmans.

Changes to the law include more rigorous processes for an individual’s consent of data usage, and a ‘right of erasure’ if an individual withdraws consent.

Data breach requirements have also been considerably tightened. Under the new law, authorities will need to be informed about breaches within 72 hours – and potential fines have been increased from a maximum of £500,000 to £20M, or 4% of annual turnover (whichever is the greater).

Need to appoint data protection officer

Meanwhile, all companies with more than 250 employees will need to appoint a data protection officer.

While the law isn’t expected to come into force until 2018, Crotty advised companies to start preparing for the changes soon.

“The food manufacturing industry, like many other similar industries that are already burdened by regulation, will feel the impact of the GDPR,” he said.

A chief driver of the GDPR is to standardise data protection law across EU Member States. However, Crotty said it might also affect non-European companies if, for example, they were monitoring or processing personal data of European nationals.

Concern and benefit

“Although some international food manufacturers may welcome such uniformity across group companies, while older UK-based food manufacturers may have the opposite reaction, there is also a concern that the increased burden provided by the GDPR may offset any potential benefit,” Crotty said.

“Therefore, start preparing now – the GDPR will be with us sooner than you think.”

Adrian Davis, principal analyst at think-tank the Information Security Forum, suggested getting privacy policies, procedures and documentation in order and keep them up to date, as data protection authorities will be able to ask for these at any time.

He also advised forming a governance group that oversaw all privacy activities, led by a senior manager or executive.