Electronics supply chain professionals have more questions than answers when it comes to the European Union’s General Data Protection Regulation (GDPR). The rule, which protects EU citizens from privacy and data breaches, is viewed as a b2c initiative rather than b2b. However, one expert warns that manufacturers and the supply chain should prepare for GDPR compliance.
According to the GDPR criteria, any company that stores or processes personal information about EU citizens must demonstrate compliance. “Because the scope [of privacy protection] has been broadened so much that IP addresses are considered personal data, it is hard to find a company that does not, by some definition, deal with personal data,” according to Alvaro Hoyos, chief information security officer at OneLogin, a cloud-based identity management platform. It’s not just the data itself that’s a concern, he added, but data transfer as well. “The U.S. is viewed as not offering enough data protection for EU citizens,” he said.
A significant amount of data is typically shared among companies in the electronics supply chain. If a distributor sells components to an end customer, that customer’s information is shared with component suppliers. In most cases that data identifies the end customer as a business, according to Robin Gray, chief operating officer and general counsel for the Electronics Components Industry Association (ECIA). The GDPR applies to individuals’ data privacy. But in the electronics design chain, engineers frequently buy small volumes of components with a credit card that may be associated with that individual. Makers and inventors also buy electronics components. “I think there is a nagging question if a buyer doesn’t have a corporate credit card or uses their own credit card for a transaction, are they covered by GDPR exceptions?” said Gray. “I think they are but it is not absolutely clear.”
One in four U.S. companies don’t know if they’re prepared to meet GDPR compliance, according to a survey of more than 1,600 organizations conducted by research firm Vanson Bourne. The results show that 37 percent of respondents simply don’t know whether their organization needs to comply with GDPR, while 28 percent believe they don't need to comply at all.
Of the respondents who don’t believe the law applies to their organization, one in seven collect personal data from EU citizens, while 28 percent of respondents unsure about compliance also said that they collect this type of information, the study noted. The results suggest that many organizations are misinterpreting which types of data constitute a mandate for compliance.
Any company that conducts multinational business should be prepared for GDPR, Hoyos said. The issue of data transfer may be particularly problematic for U.S. and online companies. Even if a company inadvertently accesses an EU individual’s information, that data may be captured and then stored in a U.S. database. Technically, that’s considered data transfer. “That’s very hard to avoid,” Hoyos said.
The first step toward compliance is examining the data your company currently handles. “You may come up on some surprises on data you didn’t know you were collecting or data that you already have,” Hoyos said. “You should only collect data that you need; determine where it resides; and how protected that data is. You need to map all that out within your IT system -- that will help your internal compliance efforts.”
Organizations should also identify who controls their data; who acts on the data; and who is responsible for protecting the data, Hoyos said. These roles include a data controller, a data processor and a data protection officer (DPO). The data controller defines how personal data is processed and the purposes for which it is processed. Data processors may be the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. The GDPR holds processors liable for breaches or non-compliance and the controller is responsible for making sure that outside contractors comply. “If there is a misunderstanding between a customer, vendor or supplier, it’s important to identify where the system broke down,” Hoyos said. Failure to comply with GDPR will result in major fines.
Finally, said Hoyos, companies need to be cognizant of the language used in partner or third-party contracts. Many businesses outsource their data management to other companies. “Contract language is very important and builds on other topics such as the data controller,” Hoyos said. Contracts are not documents that are updated a lot, he added, so changes in polices or practices need to be documented.
GDPR takes effect in May of 2018. “That may seem far away and we don’t know how quickly GDPR will be enforced,” Hoyos said. “But that date is coming up fast and you should make sure your bases are covered. If you are dealing with a lot of different IT systems and if you need to fix things, that will take some time. You don’t want to wait until the law is enacted to figure out whether you are in compliance.”
ECIA’s Gray does not foresee a similar rule enacted in the U.S. “It would add a whole new level of complexity in the supply chain,” he said. “What is going to alter the landscape in this country is [the data breach at] Equifax,” he said. “That whole issue is leading to a heightened awareness of data mining and data protection and it’s likely the U.S. government will have to act.”