Data protection and its legal implications on logistics
The backbone of every successful logistics operation is the wealth of data collected from customers and other stakeholders along the supply chain, which then translates into greater efficiencies and shorter lead times.
With digital transformation efforts underway in many companies today, most sensitive customer data — delivery addresses, purchase history and other personal information — sits on internal or outsourced cloud-based platforms.
To enforce data privacy, new regulations and laws such as the EU’s General Data Protection Regulation (GDPR), Australia’s amended Australia Privacy Act, or Japan’s Personal Information Protection Act (PIPA) have been enacted to safeguard such data. Companies have the added responsibility of ensuring the proper collection and usage of all forms of customer data — a tall order given the sheer amount of data circulating in the logistics supply chain.
From a legal perspective, what are some of the key implications of data privacy regulations on the logistics sector? Napoleon Ng, Vice President Legal, Asia Pacific, Deutsche Post DHL Group, weighs in.
Data privacy issues have come under increasing scrutiny over the years. How has that impacted the logistics industry?
Ng: The handling of data, particularly personal data, is integral to the business processes in the logistics industry. Now, more than ever, logistics managers increasingly find the need to be directly knowledgeable of data protection rules and regulations, and to understand how these rules impact their daily work functions.
Gone are the days when the responsibility over data protection was merely relegated to an IT or legal expert. Every stakeholder in the logistics industry has a role to play in protecting the personal data of its customers, employees, and business partners.
There are multiple data touch-points in today’s digital supply chains. What can be done to minimize the misuse of data?
Ng: Training and awareness play an important part in preventing the misuse of data. Everyone in the company responsible for using personal information must have, at a minimum, some basic understanding of the company’s data protection policy and applicable data protection laws and regulations.
Employees with roles having deeper involvement in the processing of data — such as in the collection of customer leads, maintenance and storage of the employee database, and transfer of personal data to third parties for reporting or operations purposes — will benefit from extra training on data protection rules relevant for their particular job function.
But awareness alone is not enough. Technical and organizational controls in systems and business processes are needed to ensure that data protection or privacy by design is applied wherever necessary in order to enforce policy.
Based on your understanding, what are data protection laws like across different countries or regions?
Ng: We need to understand that each country or region is unique and laws can vary widely, but there are minimum general standards that apply across the globe.
In particular, there must be a legitimate basis for the processing of personal data, and it must be processed in a transparent manner within the scope of its specified purpose. Safeguards must also be in place to ensure the security of data, and the rights of data subjects must be respected, amongst other things.
Can you give any examples of how some of the laws and regulations differ?
Ng: Consent from data subjects can be obtained in a number of ways depending on the country’s legislation. There are countries that impose strict rules on the appropriate form of consent depending on the circumstances, while other countries do not have rules that specifically address consent requirements.
Country laws and regulations also differ on the definition of data “processing”. This can cause confusion especially where there is a cross-border transfer of personal data. Data processing can be a broad concept as it can encompass a wide set of operations involving personal data, including handling, collection, recording, storing or deleting.
What do you foresee are the main challenges for the logistics sector in complying with the regulations?
Ng: Data protection is not a static set of rules and regulations. It continues to evolve and expand, often at a very fast pace. The logistics sector needs to be always on the alert for emerging privacy issues and trends, such as new technology on cybersecurity, privacy principles surrounding “big data”, and anti-spam legislation.
Our aim is not just to simply comply and react to such developments, but to anticipate them and be able to operate with a competitive advantage.
From a legal perspective, what are the implications for companies that fail to comply?
Ng: The fines and penalties can be quite severe. Organizations can no longer afford to put the security and privacy of their customers’ data on the back burner, and think that non-compliance will involve a mere ‘slap on the wrist’ or minor fines for data breaches. Penalties can run into the millions or even be calculated as a percentage of a company’s global turnover.
This can be massive; non-compliance with data laws and regulations is not a viable option for companies to survive in today’s world. This aside, business is based on trust. When looking for a logistics provider, businesses would also want to be assured that they are able to safeguard personal data.
What are the best practices you recommend for data users to avoid any possible legal consequences?
Ng: Data users should be aware of a company’s data protection policy and applicable laws and regulations by keeping up to date through trainings and workshops. When in doubt, data users should contact data protection experts within the company for more detailed information and guidance.
Many of the security and privacy incidents that appear in the news are related to human error. It is therefore important for each data user to exercise a culture of security and privacy within the organization.
Data users should not be driven by fear, but by a genuine desire to do their best to know, understand and follow data privacy rules and regulations for the overall benefit of the company, its employees and stakeholders.