Importance of Data Security in the GDPR Era
By David Rogers
This is the fourth blog of a six-part series written by David. Each blog will discuss the many forces that emerge which can potentially disrupt the way logistics execution is done. Follow along with us on this six-week journey.
Data. The very thing that lubricates the supply chain, especially in logistics and transportation, may pose the greatest security threat to the process it is enhancing. Data security issues in logistics can be identified and managed, albeit with some hurdles and planning. In this article I will address some of the issues that we are confronting today surrounding data security, and also identify some upcoming challenges for the logistics industry with the impending General Data Protection Regulation (GDPR). Companies are scrambling to meet the implementation deadline of May 25, 2018, and the regulation is already impacting how data is managed.
As data permeates supply chain operations, logistics managers are increasingly finding themselves becoming experts in IT. They understand that their IT systems, and those of their customers, suppliers, and third-party logistics partners are becoming more interdependent. While efficiencies and information flow are positive byproducts, the potential for a cyber-attack, or theft of data from just one of the systems, can have a devastating impact on the entire extended supply chain. The security of data in the supply chain should be at the top of every company’s risk assessment protocol.
Gartner, in their 2018 CIO Agenda: Transportation Industry Insights research report, notes that cyber security continues to be an area of investment in the transportation sector. They observe that the convergence of information technology (IT) and operational technology (OT), coupled with the adaptation of IoT, has created new venues and opportunities for cyber-attacks. Their research found that more than half of transportation CIO respondents to their industry survey indicated that they have responsibility for OT, and that percentage looks to grow as technology intensifies.
They advocate that logistics leaders should take an inventory of all their systems to identify security gaps and limit exposure to cyber-attacks. It would also be a good idea to check upstream and downstream customers and suppliers and determine their plans and processes to ensure data security. Gartner actually advocates for a ‘hackathon’ to test for system integrity. Data breaches large and small occur constantly. Recently, the U.K.-based shipper Clarksons was the victim of a security breach. It found that a single and isolated user account was granted unauthorized access to its computer system. One inadvertent innocuous click on a link in a phishing e-mail can bring down a business.
One recent and important discussion point on data security is the impending implementation of GDPR (General Data Protection Regulation) and how that may impact logistics. GDPR is the new data protection act for businesses in the European Union and for those doing business with EU companies. It regulates how companies, both public and private, manage personal information. GDPR is applicable not just to companies headquartered in Europe but also covers companies that are headquartered outside, say in Australia or China, and have their operations in Europe. Given that data-driven businesses may hold substantial amounts of personal information, the consequences are far reaching. Considerations include how companies can process and store personal data, how the consent to process personal data is obtained, and how to manage the ‘right to be forgotten’. Heavy fines will be levied on companies that do not comply.
GDPR will certainly have an impact on transportation and logistics. Bluesource notes that consideration will need to be given to companies that collect information on customer names and addresses as well as specific order information. This information can be maliciously leaked, or released through negligence or human error. If the data is not protected, companies can face large fines and also civil claims. Properly complying with GDPR may limit these breaches but may not fully eliminate them.
Mark Hue-Williams of Willis Towers Watson writes that under GDPR, some transportation companies will need to appoint a Data Protection Officer (DPO) if they meet certain conditions. According to the International Association of Privacy Professionals (IAPP), 50% of transportation companies will need a DPO due to the data intensive nature of their operations. The DPO would act as a clearinghouse of GDPR information for their companies, monitor compliance, manage data protection activities and assessments, provide staff training and audits, and interact with the authorities. The GDPR requires that the DPO have ‘expert knowledge of data protection law and practices.’
For logistics professionals, it is important to work with suppliers and partners who have the same respect for data not by proclamation, but with actual procedures. It is also essential to work with technology providers who understand the importance of securing data, especially as more business transitions to the Cloud. Companies such as Ramco Systems have significantly and continuously addressed this issue and have a commitment to data security.
While GDPR will no doubt permeate throughout global supply chains and impact non-EU companies, logistics professionals worldwide should be proactive in securing the very data that drives their supply chain. With access to data comes responsibility to maintain and protect that data, through comprehensive regulation and good business practices.
About the Author
David is part of the BPI membership community and is exceptionally experienced in supply chain management, logistics, and strategy. He is currently running his own boutique consulting business called Insync Supply Chain Management Pty Ltd which provides an extensive range of supply chain consulting services across Australia and Asia. Insync Supply Chain Management Pty Ltd has significant expertise in the development and execution of supply chain strategies, transforming the integration, alignment and functional synchronization across all supply chain stakeholders. Prior to starting his own business, David worked in the corporate environment in various senior supply chain management positions with blue chip companies. David has also lectured on Supply Chain Management at RMIT University and Victorian University.
David is the Chairman of the Asian Pacific Logistics Federation (APLF), Past Chairman – Director of the Supply Chain Logistics Australia Association (SCLAA), Australian Roundtable President of the Council of Supply Chain Management Professionals (CSCMP), and National Councilor for GS1 Board in Australia.
For more information regarding his blogs, please navigate to this page: http://www.iscm.com.au/2018/01/19/importance-of-data-security-in-the-gdpr-era-by-david-rogers/.