September 1, 2017
Peter Snaith, partner and head of the chemical and manufacturing sector group at Bond Dickinson, reflects on the new Data Protection Bill and the forthcoming General Data Protection Regulation (GDPR) and how they will impact technologically savvy manufacturers
The manufacturing sector is increasingly turning to automation and innovative IT-based solutions to drive efficiencies and improve the way factories operate. These solutions often result in the production of a wealth of valuable data which needs to be analysed, managed and stored. The recent Wannacry NHS cyber-attack highlighted the importance of keeping data secure and the devastating impact of failing to do so. Against this backdrop, the law in this area is changing rapidly with the latest development being the new Data Protection Bill which was announced by the government on August 7.
Innovation and technology
In what has been referred to as the fourth industrial revolution, manufacturers are investing significant sums in automating equipment and machinery and enabling those items to talk to each other using Internet of Things solutions. These solutions can improve the speed and accuracy of manufacturing, reduce waste, predict and identify faults using sensors and alarms, and improve health and safety. They often involve the collection of real time data from the factory and supply chain which can be used to reduce costs and increase profit. However, the connected factory is not without risk.
The data collected using these technologies may be commercially sensitive and the IT systems that connect equipment and machinery could be central to the running of the factory. This makes manufacturers a potential target for cyber criminals who seek to exploit weaknesses in IT systems – for example, through ransomware or distributed denial of service attacks. Manufacturers must therefore start to address real risks which until recently have not existed. Practical steps include keeping IT systems up to date, staying on top of software updates/patches, and investing more time and resources into implementing and maintaining security measures. Manufacturers should also ensure contracts with suppliers are robust and require the implementation of security measures to keep data safe.
The law is evolving quickly to keep pace with technological advances. On August 7, 2017, the Government announced its new Data Protection Bill and from May 25, 2018, the General Data Protection Regulation (GDPR) will come into force. The
GDPR will affect all manufacturers because they will hold personal information about employees, customers and suppliers.
The GDPR imposes stringent obligations on organisations that fail to comply and depending on the breach, fines of four per cent of global turnover or €20,000,000 (whichever is the greater) could be levied.
The technologies being employed by manufacturers may involve the collection of significant volumes of personal information. For example, technology which measures output on a production line might enable the efficiency of a worker to be reviewed. Manufacturers will need to ensure that they are transparent about the personal information that is collected using these technologies by updating privacy notices and ensuring those notices comply with the GDPR. They will also need to ensure that contract terms are put in place which meet the requirements of the GDPR.
Bond Dickinson has a dedicated manufacturing team which has an in-depth knowledge of the sector and its privacy experts are well placed to help manufacturers capitalise on the significant opportunities connected factories represent while managing the legal risks.