Bruce Potter, chairman of Blake Morgan law firm, on the incoming General Data Protection Regulation.

Bakery owners and managers will be no strangers to the importance of protecting people’s personal information.

Whether collecting and using personal information from customers interacting with your website, or keeping records of past and present employees, data protection compliance has been critically important for many years now. The high-profile data breach at Morrisons supermarket three years ago, where personal details of almost 10,000 staff were leaked by a disgruntled former employee, underlined that fact.

Yet the bar will be raised even higher with the General Data Protection Regulation (GDPR), coming into force on 25 May next year. All organisations that retain or process personal information will need to comply – so it’s important to start preparing now.

The most salient point to highlight is that food businesses will face much higher penalties when things go wrong.

Under GDPR, the regulator will be able to issue fines of up to €20m (£22.7m) or 4% of worldwide turnover – a significant increase on the current penalties, which are limited to £500,000.

Under the new rules, businesses will have 72 hours to report a data protection breach to the Information Commissioner’s Office (ICO) and, where the breach is likely to result in a high risk to individuals, they must notify individual data subjects without undue delay.

There will also be enhanced rights for individuals.

In addition to subject access rights, which are retained from the current law but with some important changes, individuals will have the right to receive their data in a commonly used and machine-readable format (the right to data portability). They will also have the right to have their data erased (the right to erasure – also called the ‘right to be forgotten’).

Businesses will be required to give individuals more information at the time their data is collected – this includes explaining the legal basis of processing, data retention periods, and that individuals have a right to complain to the ICO.

An overarching theme of the GDPR is the principle of ‘accountability’. Broadly, this means there will be new requirements on businesses to demonstrate their compliance by fully documenting all their data-processing activities, which may include carrying out data protection impact assessments.

If all of this sounds like a logistical nightmare, there are practical steps that can be taken now to ensure compliance:

  • Review your customer-facing terms and privacy policies. These are likely to need revisions to meet the new requirements.
  • Larger baking businesses may already have them, but it is worth reviewing whether an in-house data protection officer needs to be appointed. Alternatively, explore whether the role could be outsourced.
  • It would be advisable to review contracts to ensure there are robust provisions around record-keeping.
  • Now would be a good time to map out arrangements with data processors, such as outsourced services. The obligations on processors will affect all providers who process personal data, so your business may find providers want to renegotiate terms to reflect increased risks.
  • Consider whether your business is acting as a processor on behalf of anyone else. If so, you will need to comply with the direct obligations.
  • If your business collects information about children, you may need a parent or guardian’s consent to process their data. Consent must be verifiable and privacy notices written in language that children will understand.
  • With regard to the new ‘right to be forgotten’ regulations, businesses should consider whether they need to change their communications with individuals to ensure they are aware of the new rights.

While it might seem a complicated process at this stage, the pay-off for compliance with GDPR can only be seen as a positive for any baking business. 

Ultimately, compliance will ensure that reputation is not at stake, that your business is not at risk of huge fines and, last but by no means least, that the public have confidence and trust in your business in the digital age.