Farm businesses must get ready for new data rules

Farmers should be aware of the implications of new data protection laws which come into effect in late spring, as their businesses often hold more data than they might realise.

The General Data Protection Regulation (GDPR) applies from 25 May 2018. It governs how businesses and organisations collect, store, use and share “personal data” – information which identifies a living individual, directly or indirectly – and requires that it is kept safely and securely.

Within farming businesses this will include the personnel and payroll details of any employees.


However, it could also include the details of customers or of any contractors, suppliers or business partners.

Graeme Fearon, a partner with law firm Thrings, says the new rules need to be taken seriously by farming businesses and will require a change in mindset.

“However, this legislation is not something that needs to give you sleepless nights and much of it requires people to take a common sense approach.

“A good question for people to be asking as they consider this is: Would I be happy for my own data to be handled in this manner?”

Limit the data

Mr Fearon says the new laws require businesses to think about whether they have a good reason to hold an individual’s personal data on their systems.

In essence, this means don’t take on more data than you need, don’t keep it for longer than you need and don’t use it for purposes beyond what you agreed.

So while you may need the name, phone number and bank account details of someone who works for you in order to pay them, you may not need the details of someone who left the business three years ago. The one caveat is statutory record-keeping: HMRC requires PAYE records to be kept for three years after the end of the tax year they relate to, so the retention period for a leaver should be set with that in mind rather than simply at the date they left.

“If there is any data that a business doesn’t need, it shouldn’t have it – particularly as there’s always a chance it may be misused,” he says.

“If the business doesn’t possess the data, it can’t be leaked, hacked or stolen and so can’t come back to bite you.”

Accountability

A key feature of the GDPR is an obligation of accountability, which is about businesses showing how they have embedded compliance with the rules in their working practices.

The guidelines issued to date seem to be deliberately vague in a bid to encourage businesses to aim high, rather than just meet a set of minimum requirements, he says.

All businesses should keep a file, either electronic or paper-based, setting out the procedures in place for keeping data secure, confidential and up-to-date, and logging any issues or breaches. That log matters because the GDPR also requires a breach that is likely to put individuals at risk to be reported to the Information Commissioner’s Office within 72 hours of the business becoming aware of it, so it should record when each incident was discovered as well as what was done about it.

In practice, this means farmers should regularly review their security settings: make sure they are using an industry-standard firewall, apply security updates promptly to the firewall and to every computer and piece of software that holds data, not just the firewall itself, keep data files password protected (or better, encrypted) on a secure server that only the people who need them can reach, and keep backups so a lost or infected machine does not mean lost records.

“Recently a business got fined for not installing security upgrades for an 18-month period.”

The procedure file should also describe how the business will seek to limit the amount of data it holds – for example, by scheduling regular culls where any data is deleted if it is no longer required.
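One way to make a scheduled cull repeatable and auditable, as an added example that is not from the article or from Thrings: the script below walks a constructed personnel register, keeps current staff, keeps leavers until a retention deadline has passed, deletes the rest, and writes an audit entry for every decision. The retention period (three years after the end of the tax year in which the person left, matching the HMRC minimum for PAYE records) is a hypothetical policy choice, and the record layout, names and dates are constructed for the example. The audit trail deliberately records only the record id, decision and reason, so that the log kept in the procedure file does not itself become another copy of the personal data.

```python
from datetime import date

# Hypothetical policy: keep a leaver's payroll record for this many years
# after the end of the tax year in which they left (HMRC requires at least
# three years for PAYE records; a business may choose longer).
RETENTION_YEARS = 3

# Constructed sample register; names and dates are fictional.
PERSONNEL = [
    {"id": 1, "name": "A. Current", "left_on": None},
    {"id": 2, "name": "B. Leaver", "left_on": date(2014, 3, 31)},
    {"id": 3, "name": "C. Recent", "left_on": date(2017, 9, 30)},
]


def tax_year_end(d):
    """The UK tax year ends on 5 April; return the end of the tax year containing d."""
    this_year_end = date(d.year, 4, 5)
    return this_year_end if d <= this_year_end else date(d.year + 1, 4, 5)


def retention_deadline(left_on, years=RETENTION_YEARS):
    """Last date on which a leaver's record is still needed under the policy."""
    end = tax_year_end(left_on)
    return date(end.year + years, end.month, end.day)


def cull(records, today):
    """Split records into (kept, deleted) and return an audit trail.

    Audit entries hold only the record id, the action and the reason, never
    the name or other personal data, so the log is safe to keep in the
    procedure file after the underlying record has been deleted.
    """
    kept, deleted, audit = [], [], []
    for rec in records:
        if rec["left_on"] is None:
            kept.append(rec)
            audit.append({"id": rec["id"], "action": "keep", "reason": "current staff"})
            continue
        deadline = retention_deadline(rec["left_on"])
        if today > deadline:
            deleted.append(rec)
            audit.append({"id": rec["id"], "action": "delete",
                          "reason": "retention expired " + deadline.isoformat()})
        else:
            kept.append(rec)
            audit.append({"id": rec["id"], "action": "keep",
                          "reason": "retain until " + deadline.isoformat()})
    return kept, deleted, audit


def run_cull(today_iso="2018-05-25"):
    """Run the cull against the sample register as of the given ISO date."""
    return cull(PERSONNEL, date.fromisoformat(today_iso))


if __name__ == "__main__":
    kept, deleted, audit = run_cull()
    for entry in audit:
        print(entry)
```

Run as-is it reports that the 2014 leaver's record is past its deadline and is deleted, while the 2017 leaver is retained until 5 April 2021 and current staff are kept. In a real register the `deleted` list would be passed to whatever actually removes the rows (and the backups that hold them), and the `audit` list appended to the procedure file's log.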

Businesses must also ensure if they are contacting an existing customer, perhaps looking for a repeat sale, they give them the option to unsubscribe.

Similarly, if they are collecting data it must be for justifiable reasons which are explained clearly and simply to the customer so they know what they are signing up for.

For example, if a farmshop has a large consumer database, it should not be used to try and sell them something completely unrelated to the shop.

“Essentially, people need to demonstrate that they are doing the right thing,” says Mr Fearon.

“Much like a maths GCSE question, if you can demonstrate your process clearly but make a mistake with your final answer, the application and intention will still hold weight.

“If it’s clear you haven’t tried sufficiently or haven’t learned lessons from previous events, your business may well face harsher sanctions.”

Penalty risks

There are some scary headlines about the level of potential fines if someone is found to be in breach of the GDPR.

Under the current Data Protection Act 1998, the maximum fine for non-compliance is £500,000.

However, under the GDPR, the top tier of fine for the most serious infringements rises to 4% of annual worldwide turnover or €20m (£17.53m) – whichever is greater – with a lower tier of 2% or €10m for other breaches of the rules.

“It is very unlikely that a small farm business would be hit by a massive fine straight away, as the authorities are likely to go down an advisory route first,” says Mr Fearon.

“However, a fine of 4% of turnover could really hit the bottom line for some.”

Farmers should also consider the reputational damage, which could prove worse than any fine, particularly for farm businesses selling direct to the public.

In a digital world, trust is everything and your customers need to be able to trust you with their data.

What is personal data?

Any information relating to a natural person that can be used, on its own or combined with other information, to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.