Data protection prevents these data from being accessed, changed or misused by unauthorised parties while ensuring they are available at all times, and is thus a critical quality aspect. However, both disciplines – quality management and data protection – can benefit mutually from each other's know-how.
The food industry has long since come to accept the importance of quality management. Protecting the health of consumers is one of the top priorities in this context. In this highly diverse industry, with many stakeholders along the supply chain, data protection is also growing in importance as a quality characteristic. After all, supply bottlenecks may be one of the consequences of data leakage.
Organisations also need to address this topic with more attention as legal framework conditions keep changing. For example, organisations that provide drinking water also fall under the scope of the European Network and Information Security (NIS) directive. In this case, these organisations must demonstrate within two years that they fulfil the minimum IT security standards and commit to reporting any significant malfunctions of their IT systems.
In addition, the EU General Data Protection Regulation (GDPR) will come into effect in May 2018, and will immediately become applicable law in the EU’s Member States. As significant fines of up to four percent of annual global revenue must be expected in case of infringement, organisations should now start analysing their data protection practices and carrying out risk assessment.
Building on existing systems
As data processing is frequently an integral part of business processes – and the food industry is no exception – it may significantly impact quality. Therefore, data-protection and data-security risks also need to be considered in the quality management system. This may also help to avoid claims for damages and loss of image and reputation. However, in practice this does not mean reinventing the wheel.
Organisations can build on a good, well-established management system such as quality management, and adopt its methods, procedures and processes. This is made even easier as the ISO 9001:2015 revision, which also applies to the food industry, has a far more pronounced process approach. Ultimately, this approach also covers the processes of data collection and processing.
Close collaboration and exchange of information and ideas between the quality management representative (QMR) and the data-protection officer (DPO) make good sense under any circumstances. Both are appointed by the top management of the organisation and ultimately pursue the same objective – good and systematic management.
Communication becomes particularly important in case of an actual data-protection incident or during preparation for such an incident. Even though it can only be a matter of time before all organisations suffer data leakage or a hacker attack, most of them have made little or no preparations for an emergency. The data protection indicator (DPI) developed by TÜV SÜD and Ludwig-Maximilians-Universität (LMU) in Munich shows that only one-third of the organisations surveyed have defined a systematic approach to managing data-protection violations. In case of an emergency, control may become very difficult indeed. Given this, comprehensive preparation is essential.
As data protection is increasingly categorised as a quality aspect, the quality management control process applied to non-conformities should ideally also apply to data-protection problems. If this is not the case, the DPO must clarify which aspects are not in conformity with data-protection requirements and whether the issue is process-related.
First of all, the organisation must check for gaps against the requirements of its local data protection act, the EU-GDPR and the NIS directive, and review what needs to be done to close these gaps. In this context, the organisation can also consult the expertise of external service providers who are familiar with both processes in the food industry and data-protection requirements.
Make sure to meet your obligation of documentation
If data protection is perceived as part of quality management, strict documentation is imperative in order to be able to assign clear responsibilities and tasks. Only in this way can quality be ensured. This aspect will become even more significant in future, as the EU-GDPR requires organisations to be able to provide a meaningful overview of their data-protection activities. Given this, the responsible parties will hold greater accountability for ensuring that personal data are processed according to the regulations.
This simultaneously increases the obligation to provide evidence of processes and documentation. The DPI developed by TÜV SÜD and LMU again shows that many organisations have plenty of catching up to do in this area as well. Just under one-third of organisations surveyed stated that they maintain an up-to-date directory of procedures. As the EU-GDPR also involves stricter organisational requirements and reporting duties as well as more rigorous IT security requirements, organisations should not tackle the necessary changes as merely incidental activities, but should explicitly appoint an officer to be in charge of the change process.
It is important for the food industry, too, to become aware that data protection is an essential factor for quality and that collaboration between the quality management representative and DPO is imperative for reaching the common goal of a successful management system. Given this, it makes good sense to implement a continuous improvement process for data protection and joint reporting to top management.
Rainer Seidlitz, data-security expert at TÜV SÜD Sec-IT.
Rainer Seidlitz graduated from the Technical University of Munich as a graduate physicist and has been with TÜV SÜD Management Service GmbH since 1997. In the year 2000 he developed the well-known TÜV SÜD online seal of approval s@fer-shopping for internet shops. Since 2007 he has been Head of the Strategic Business Unit IT-Security at TÜV SÜD Management Service, covering IT security and data protection competencies, providing audits and support for the management of information risks.