‘The risk is in the human factor’

A major logistics service provider is a long way down the road towards GDPR. ‘But if we make a mistake, we are out of business. We’ll get a huge fine, but the worst will be the potential damage to our reputation.’

Even talking about privacy can be privacy sensitive in the logistics sector – at least that is the view of an international logistics giant when asked about the preparations for GDPR. ‘I’d like to cooperate because it is a crucial subject,’ says the senior business controller at the company, which dispatches thousands of packages and other freight on a daily basis. ‘But I can only talk on the condition of anonymity. Our policy is to make sure our defences are as ready as possible, but not to advertise the fact.’

What are your thoughts on the introduction of GDPR?

‘I’m all for it. GDPR fits in with our western standard of living and with our views on the importance of privacy for both the man in the street and companies. Compare our situation to that in China: there you are constantly filmed. If you have a couple of traffic fines, you are removed from the social security system. Profiling, a process of building up profiles of both customers and prospects, is very common. It makes you look at our relative freedom in a different way. GDPR is a guarantee that the situation in Europe will remain unchanged, or be improved. So it’s fine by me.’

You deliver goods from suppliers to customers, which delivers a stream of privacy sensitive data. How do you deal with it?

‘If we make one mistake, we are out of business – at least with the organisation concerned. It will also cost us an enormous fine. But the worst is the potential damage to our reputation. We have been training our staff intensively for years on how to deal with delivery data, so they don’t do anything else with it. In that sense, we are already well prepared for GDPR.’

Data processing agreements, which cover personal data security and are drawn up by the companies involved in a chain of custody, are compulsory for some business relationships. How does that work at your operation?

‘We’ve talked about this with our clients. Some of them want to sign a controller-processor agreement with us. In these cases, the client sees themselves as responsible for the processing and us as the processor. But we don’t process data; we only use personal information for the delivery itself. Afterwards, we destroy it as quickly as possible. We see ourselves more as the controller, and so responsible for processing. We will work it out with our clients, but at the moment the lawyers are chewing on it.’

What is the biggest privacy risk within your organisation?

‘We’ve made everything as secure as possible in the design of both our hardware and our software. So there is very little that can go wrong. The risk is in the human factor. People make mistakes, they always have done and they always will, no matter how well they have been trained. Our drivers work with hand-held scanners, and that could be a vulnerable issue. They know they have to be very careful with them and not do anything stupid. We emphasise this in regular training sessions, and new members of staff get a special course on privacy and information security when they start work. It’s about making sure that they realise what they are doing, just like we do when linking data files. Also, we don’t set up any marketing campaigns using client data without getting their permission in advance.’

How are you organising the implementation of GDPR?

‘Our business is growing and we don’t have the capacity to free up many people to deal with it. GDPR is taking up some 30% to 40% of my time at work. That’s why we have brought in a couple of external specialists – for advice and to set up process registers. There are a lot of them because we work with various IT landscapes – in our international division, we’ve got 50 different applications running at a local level. We’ve also spent a lot of time on getting it right when it comes to destroying client data. GDPR requires that this be done as soon as the data is no longer relevant. Actually, that can conflict with the current legislation that requires us to actually register certain data. One of my colleagues told me recently that one of his clients had asked to be removed from our files. We were about to do it when we realised he had a large unpaid bill, so that put paid to his request.’

Is your organisation completely GDPR-compliant?

‘For the most part, yes. There are a couple of things we might not complete before the deadline, but I don’t think they will start issuing fines straight away. Regulators will be primarily concerned with making sure you have a clear GDPR policy and how you have set up your data protection and privacy systems.’