Theresa works for a precision manufacturing company. Customer data relates to large corporate clients and multinational companies.
The company’s employees account for the biggest dataset of personal data, through standard HR activity, Health & Safety training, time-keeping systems and other monitoring. For example, detailed records of the manufacturing process are required to identify who was involved at each stage of the process for quality assurance and traceability.
Monitoring employees includes using CCTV inside the factory. CCTV also helps to maintain the strict controls over access to laboratories for Health & Safety purposes. Only those employees who have completed the relevant training are allowed access to the labs, and CCTV is a useful tool for checking that employees are following the rules.
Advised by Theresa, the company decided that its use of CCTV and maintenance of strict timekeeping controls and traceability records constituted “monitoring on a large scale as part of its core business activities”, requiring the appointment of a Data Protection Officer or DPO. Theresa is taking on the role, but the company is keen to ensure that it is not completely reliant on one person as a GDPR specialist, and Theresa is also keen to share the workload. The DPO Support Package from Data Protection Consulting is an ideal solution: Theresa can share the audit forms with colleagues to check on the compliance of CCTV, to ensure that Privacy Notices (especially around Monitoring) are complete and up to date, and to record and report findings. This all helps to establish Accountability for GDPR. The new principle of Accountability means that the company should comply with the data protection principles and be able to evidence compliance.
Recently the Managing Director mentioned introducing geolocational tracking to the company’s delivery lorries to help keep track of where the goods are and predict arrival times for customers. This will supplement the tachographs in the cabs too, helping to demonstrate compliance with Health & Safety requirements. The DPO knows that any new project or change of existing procedures might involve a data protection risk, and so recommends carrying out a data protection risk assessment, a “DPIA”. There is a template for carrying out and evidencing a DPIA in the Data Protection Consulting Toolkit and in the DPO Support Package.
Data Protection Consulting now provides proactive support for clients in the manufacturing sector, allowing them to outsource their data protection compliance to us. It makes sense to focus on the core business and outsource business administration and compliance activities to specialists where possible. Let us take the strain of keeping you up to date with changes in law and interpretation. Call us for more information.