Note: This article is intended to inform our readers about the current data privacy and security challenges experienced by companies in the global marketplace. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.
Despite the complex nature of logistics organizations and their geographical data flows, details of how the GDPR will affect the logistics industry have been thin on the ground. But here’s the key fact:
From suppliers to third-party logistics providers to employees, your entire supply chain must adhere to GDPR regulations or face a fine of up to 20 million euros or 4 percent of your annual turnover.
Only 5 percent of U.K.-based companies were fully prepared for the GDPR before it came into law—so if your organization is based outside of the European Union, it’s likely you’re unprepared for how this complex European legislation affects your business.
In this article, I’ll go through five things you need to know about how the GDPR affects the logistics industry, providing commentary from industry experts and recommendations for how to ensure your organization can stay compliant.
1. The GDPR rules apply to countries worldwide, not just in Europe
You can’t ignore the GDPR rules because your company is based and/or headquartered in the U.S., Canada, or, frankly, anywhere else in the world. In fact, logistics is one of the industries that should be paying closer attention because of the international nature of its trade. Customer data flows in and out of offices across the globe, and if just one of your customers is a European citizen, then you’ll need to know how to safely manage their data according to GDPR rules.
I talked to Andrew Kugler of Act-On Software about the effect this has on marketing efforts:
Andrew also spoke to the GDPR’s “right to be forgotten” rule and how the complexity of the logistics industry can pose challenges for marketers:
2. Establish a valid data processing agreement with all third parties
A data processing agreement (DPA) is a contract governing how one organization can process personal data on behalf of another organization and detailing how the secondary data processor is complying with GDPR data regulations. In the logistics industry, this personal data can include information such as shipping addresses and email addresses.
Andy Sambandam, CEO of Clarip, an enterprise privacy management software company, says that logistics companies in particular need to make sure that they have DPAs in place with third parties that send or receive personal data of European citizens. He says:
But DPAs are worthless without an audit trail that can prove your organization is properly handling the processing of EU citizen data. Organizations will also need to consider how to tackle the task of recording and storing data and establish a point person or department to take responsibility for this task—no matter the size of the business.
3. Be clear on how you can and can’t track your drivers
GDPR rules cover not only your customer data but your driver data, too. The logistics industry relies heavily on remote telematics to collect driver data including speed, location, license, and journey duration. The GDPR regulations, however, have extended not only the definition of personal data, but also the way in which organizations can store and collect it.
Additionally, “implied consent,” i.e., an assumption on the part of an organization that it has permission to collect and store personal data, is no longer a justifiable basis for collecting driver data. The GDPR was designed to shift the balance of power away from organizations and back to the individual. This means that organizations will need to obtain explicit permission from drivers to collect any kind of identifiable data.
4. Consider hiring a data protection officer
The fact that smaller businesses don’t have as much control over their data as larger companies do is a potential snag for small businesses in the logistics industry. Not only do small businesses need to get savvier in their data control practices, but it may also come at a cost.
Glenn Richey, professor of supply chain management at Harbert College of Business, believes that businesses need to be mindful of how vulnerable they are to data gaps in the supply chain. He says:
The GDPR stipulates the necessity of hiring a data protection officer for any organization that processes and/or stores large amounts of personal data, and small businesses are not exempt from this. There are, however, exceptions to this rule, and organizations will need to know what obligations they have.
Glenn also says that hiring a data protection officer will significantly stretch small business finances:
5. All of your devices need to be GDPR compliant—even your cell phones
The GDPR rules do not exempt mobile devices: all devices that you and your employees use in the name of business (i.e., that store any kind of customer data) will need to be secured. With the rise of “bring your own device” (BYOD) policies to reduce hardware costs, employees are using their own devices for work-related activities. In doing so, however, companies open up their supply chain to further vulnerabilities. For example, employees using their own cell phones risk exposing your customer data through mixed personal and business email use.