In the age of data-rich global commerce where products can be sourced and sold anywhere, manufacturers, distributors and transportation companies here in the United States may have more exposure to foreign data regulations than they think.
As the General Data Protection Regulation (GDPR) goes into effect in the European Union on May 25, it will have wide-ranging impacts that will reach far beyond Europe. The law extends to any company processing personal data of EU citizens and covers a wide range of data privacy and protection elements. Under the law, consumers will now have the "right to be forgotten," and companies — the duty to secure that.
Experts say logistics providers will have to consider not only their own data collection and security practices, but of those that they do business with.
New standards for data protection and privacy: a primer
GDPR requires organizations have a transparent data collection, management and security system in place.
It implements a "privacy by design" requirement where privacy must be front and center when developing new products. It also requires individual consent for their data to be processes and gives companies a 72-hour window to report any suspected or confirmed data breaches to the Data Protection Authority and requires individuals to give consent for data to be processed. The law also affords individuals the "right to be forgotten" where a consumer can request an organization purge all their data from the system.
Due to the geographically expansive nature of supply chains and to the fact they can hold great amounts of personal information, the regulation reaches far wider than one might imagine.
Many companies may have contractors, vendors, suppliers or other partners somewhere down the line with ties to the EU, Brad Bussie, Principal Security Strategist at Trace3 told Supply Chain Dive. However, many organizations don’t always know what kind of data they have. Companies may have "unstructured data" where people have entered information about someone, filled out an application, or taken and stored images.
"You see this at scale even with larger companies where they don’t have good data classification. They don’t have good sensitive data discovery," said Bussie. "And if you don’t know what type of data you have, how could you possibly protect it?"
How will U.S. companies comply?
Many U.S. companies are simply not prepared to fully comply with GDPR by the deadline.
Technology association CompTIA surveyed 400 U.S. Companies and found only 13% are fully compliant with GDPR, while another 35% said they were "somewhat" or "mostly" compliant.
Many organizations remain confused about the regulation or mistakenly believe it doesn't apply to them if they don’t have direct business in the E.U., according to Greg Sparrow, senior vice president and general manager of Compliance Point.
The company has received calls week over week on a daily basis "as many have finally concluded it’s not going away," Sparrow told Supply Chain Dive. "It’s something they need to deal with and they have to start down that path. Most U.S.-based organizations are probably still playing catch-up with GDPR at this point."
Many organizations are looking to consultants and third-party solutions to determine if GDPR impacts them and how to attain compliance. While a logistics company may not be directly doing business with someone in the E.U., "they may be doing business with someone who is," Dean Weber, Chief Technology Officer at Mocana, told Supply Chain Dive. "It’s all about the data and the problem everyone is having is downstream liability."
“You really need to be able to do a global search in your organization for specific information and be able to remove it."
Principal Security Strategist, Trace3
Most manufacturing and supply chain organizations should assume they’re already required to be compliant with GDPR and start by analyzing their fundamental data security standards, said Sparrow.
Organizations should generally have the appropriate technology and IT frameworks "in line (with) what others are doing for their particular vertical" and should that to their vendors and partners. "I would not recommend that people create that out of thing air or try to come up with that themselves," he said.
GDRP compliance issues can vary for data controllers and data processors, said Sparrow. Data controllers are those that have a direct relationship with the consumer while data processes are those on the supply chain side that are involved in fulfillment or distribution on the supply chain side. "What I think the supply side is going to see is – they’re going to have to manage this through contracts. Whether they like it or not. They will likely be bound through contractual language to comply with GDPR, based on service offerings," he said.
One challenging aspect of GDPR in the supply chain is the “right to be forgotten,” which grants consumers the right to have their information purged from a company’s system. In this case, it could be difficult for companies to fully comply when they don’t know where the information is.
In one example, an organization conducted an audit on the ability to delete records and found data remaining in email servers. "Many people use email as a file repository. You really need to be able to do a global search in your organization for specific information and be able to remove it," said Bussie.
The cost of non-compliance
Organizations in breach of the regulation could be fined up to the greater amount of 4% of annual global turnover or €20 million ($23.5 million) in the event of a serious violation. An organization could also be fined 2% of turnover for not having their records in order or not notifying the authority about a data breach.
In practice however, there may not be a wave of crackdowns straight out of the gate. U.K. Information Commissioner Elizabeth Denham said in a blog post in December 2017 while there will be no grace period, compliance will be an "ongoing journey." Denham dispelled myths that the agency would be seeking to make early examples of violators and said, "we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR."
Regardless of GDPR, recent data breaches — such as those at Facebook and Equifax — are already leading to growing support for more data protection and privacy standards in the U.S. In February 2018, a security firm discovered 119,000 private documents of FedEx customers were exposed through a company that helped with shipping calculations and currency translations.
"Sooner than later, I’d say these organizations are going to be held a little more accountable," said Bussie.
Things are already happening at the state level. The California Consumer Privacy Act would require companies to disclose the types of personal data they gather and give consumers the right to prevent businesses from selling or sharing that data. Massachusetts also has rigid data standards and requires any entity owning or licensing personal information to notify the state when data is compromised. Should more states enact such legislation, Sparrow believes it could eventually lead to action at the federal level.
"If we allow this type of legislation to be defined at the state level, you’re going to get a patchwork of regulatory compliance and that leads to complexities, inefficiencies and uncertainty from an enforcement standpoint," Sparrow said.