Note: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.

Despite the complex nature of logistics organizations and their geographical data flows, details of how the GDPR will affect the logistics industry have been thin on the ground. But here’s the key fact:

From suppliers to third-party logistics providers to employees, your entire supply chain must adhere to GDPR regulations or face a fine of up to 20 million euros or 4 percent of your annual turnover.

Only 5 percent of U.K.-based companies were fully prepared for the GDPR before it came into law—so if your organization is based outside of the European Union, it’s likely you’re unprepared for how this complex European legislation affects your business.

In this article, I’ll go through five things you need to know about how the GDPR affects the logistics industry, providing commentary from industry experts and recommendations for how to ensure your organization can stay compliant.

1. The GDPR rules apply to countries worldwide, not just in Europe

You can’t ignore the GDPR rules because your company is based and/or headquartered in the U.S., Canada, or, frankly, anywhere else in the world. In fact, logistics is one of the industries that should be paying closer attention because of the international nature of its trade. Customer data flows in and out of offices across the globe, and if just one of your customers is a European citizen, then you’ll need to know how to safely manage their data according to GDPR rules.

I talked to Andrew Kugler of Act-On Software about the effect this has on marketing efforts:

“If you have data in your database from any EU citizen, GDPR rules will apply to you, regardless of where you are marketing from. The GDPR pushes its regulation-related obligations across the compliance food chain, requiring all organizations that touch the contact to comply.”

Andrew also spoke to the GDPR’s “right to be forgotten” rule and how the complexity of the logistics industry can pose challenges for marketers:

“Right to be forgotten requests, which are a core tenet of the GDPR, need to be addressed in a timely manner, at the same time as verifying that you have received a legitimate request, because once you delete the contact data, it’s gone for good.”

OUR RECOMMENDATIONS:

• Look at marketing automation platforms that can help your organization ensure that all back-end tasks, such as right to be forgotten requests, are taken care of.

2. Establish a valid data processing agreement with all third parties

A data processing agreement (DPA) is a contract governing how one organization can process personal data on behalf of another organization and detailing how the secondary data processor is complying with GDPR data regulations. In the logistics industry, this personal data can include information such as shipping addresses and email addresses.

Andy Sambandam, CEO of Clarip, an enterprise privacy management software company, says that logistics companies in particular need to make sure that they have DPAs in place with third parties that send or receive personal data of European citizens. He says:

“Logistics companies that are covered need to be especially careful because of the breadth of what is considered personal data. For example, a vehicle identification number tracked in the shipment of a car could be personal data because it could be tied back to the buyer or owner. They need to think carefully about whether each piece of data can be personal data, and who are all of the third parties receiving it, so that they can establish a valid DPA.”

But DPAs are worthless without an audit trail that can prove your organization is properly handling the processing of EU citizen data. Organizations will also need to consider how to tackle the task of recording and storing data, and establish a point person or department to take responsibility for this task—no matter the size of the business.

OUR RECOMMENDATIONS:

• Map out all relationships that your organization has with suppliers, third-party logistics providers, customers, and resellers, and perform a “data inventory.” Through this, you’ll be able to pinpoint exactly where there are potential gaps in your data protection plan, and what kind of data flows in each direction.
• Check whether you already have a data control/processing contract with all of these parties and whether this contract covers the extent of the new GDPR rules—if not, seek legal counsel to make sure that this contract is GDPR compliant.

3. Be clear on how you can and can’t track your drivers

GDPR rules cover not only your customer data but your driver data, too. The logistics industry relies heavily on remote telematics to collect driver data, including speed, location, license, and journey duration. The GDPR regulations, however, have not only extended the definition of personal data but also changed the way in which organizations can store and collect that data.

Additionally, “implied consent,” i.e., an assumption on behalf of an organization that they have permission to collect and store personal data, is no longer a justifiable way to collect driver data. The GDPR was designed to shift the balance of power away from organizations and back to the individual. This means that organizations will need to obtain explicit permission from drivers to collect any kind of identifiable data.

OUR RECOMMENDATIONS:

• To ensure that your organization is collecting driver data compliantly, you will need to find alternative legal grounds for collecting driver data.
• Audit the driver information you currently collect and process, how it’s collected, and who has access to it, and address how you will apply the GDPR rules to your driver data collection.

4. Consider hiring a data protection officer

The fact that smaller businesses don’t have as much control over their data as larger companies do is a potential snag for small businesses in the logistics industry. Not only do small businesses need to get savvier in their data control practices, but it may also come at a cost.

Glenn Richey, professor of supply chain management at Harbert College of Business, believes that businesses need to be mindful of how vulnerable they are to data gaps in the supply chain. He says:

“Every link in the supply chain creates a seam that exposes data, and every seam makes consumer data vulnerable. Looking after every seam and every link within the supply chain requires security expertise which costs small businesses money, which will have a negative impact on efficiency and will be a cost passed onto consumers.”

The GDPR stipulates the necessity of hiring a data protection officer for any organization that processes and/or stores large amounts of personal data, and small businesses are not exempt from this. There are, however, exceptions to this rule, and organizations will need to know what obligations they have.

Glenn also says that hiring a data protection officer will significantly stretch small business finances:

“Hiring a data protection officer will squeeze small or medium sized businesses, and many will opt to just risk it and ignore compliance.”

OUR RECOMMENDATIONS:

5. All of your devices need to be GDPR compliant—even your cell phones

The GDPR rules do not exempt mobile devices: all devices that you and your employees use in the name of business (i.e., that store any kind of customer data) will need to be secured. With the rise of “bring your own device” (BYOD) policies to reduce hardware costs, employees are using their own devices for work-related activities. Companies that allow this, however, open up their supply chain to further vulnerabilities. For example, employees using their own cell phones risk exposing your customer data through mixed personal and business email use.

OUR RECOMMENDATIONS:

• Create a policy surrounding the use of mobile devices and corporate data, including data encryption, and enforce this policy with the help of mobile device management solutions.