Customer data is not usually a high risk area in a manufacturing company, being related to large corporate clients and multinational companies. So why would a manufacturing company need a DPO?
The company’s employees are often its biggest dataset of personal data, gathered through standard HR activity, Health & Safety training and time-keeping systems. Quality assurance and traceability requirements in manufacturing also mean that monitoring of employee activities is more commonplace, and it is likely that detailed monitoring records are kept.
Monitoring of employees can include using CCTV inside the factory. CCTV also helps to maintain strict controls over access to laboratories for Health & Safety purposes. Only those employees who have completed the relevant training are allowed access to specialist equipment, and CCTV is a useful tool for checking that employees are following the rules. Where dangerous machinery requiring appropriate safety guards is in use, the employer has a legal duty to ensure that safety procedures are being followed by their staff.
The GDPR requires that a company that carries out “monitoring on a large scale as part of its core business activities” should appoint a Data Protection Officer, or DPO. Companies must consider whether or not their use of CCTV, strict timekeeping controls and traceability records means that this requirement applies to them.
The DPO role is key within the company, with statutory duties set out in the GDPR, and has to be carried out by someone of sufficient seniority, reporting directly to the Board. As this person undoubtedly has other responsibilities alongside the role, it is important that they have support to share the workload. Many roles, such as the IT Manager, have interests that conflict with those of the Data Protection Officer, so having the support of an objective third party is vital to mitigate such conflicts.
Data Protection as a Service from Data Protection Consulting is an ideal solution. We can prompt audit work to ensure that the appropriate checks are being carried out, for example on the compliance of CCTV; to ensure that Privacy Notices (especially around Monitoring) are complete and up to date; and to record and report findings. This all helps to establish Accountability for GDPR. The new principle of Accountability means that the company should comply with the data protection principles and be able to evidence that compliance.
The addition of new technology to enhance the productivity of existing processes, or to improve Health & Safety within the organisation, should trigger the requirement to carry out a data protection risk assessment, a “DPIA”. We support our clients by providing templates for carrying out and evidencing a DPIA, providing sample DPIAs and reviewing the output.
It makes sense for manufacturing companies to focus on the core business and outsource compliance activities to specialists where possible. Let us take the strain of keeping you up to date with changes in law and interpretation; contact us for more information.