Metafour and GDPR
We are committed to protecting the rights and freedoms of data subjects, and securely processing personal data
The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018, to protect the personal data and privacy of EU citizens. It has had a significant impact on UK logistics companies and how they process their data. From personal information relating to staff and subcontractors, to the identities of mail senders and recipients, all personal data and its usage are now heavily regulated. Both data controllers and processors will be liable for huge fines in the event of any data breaches.
Does GDPR affect you?
GDPR applies to ‘controllers’ and ‘processors’. A ‘controller’ determines the purposes and means of processing personal data. A ‘processor’ is responsible for processing personal data on behalf of a controller.
In the relationship between a logistics company and its software provider, the logistics company or courier is the controller, and their software provider, such as Metafour, is the processor.
If you are a processor, GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. However, if you are a controller, you are not relieved of your responsibilities where a processor is involved. GDPR places further obligations on you to ensure your contracts with processors comply with GDPR.
GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal/household activities.
Logistics providers and courier companies process enormous amounts of personal data each day in the form of customer books, which means that data protection and information security are critical business risks. The GDPR rules also impose strict contract requirements, and you will need to update legal agreements and policies to avoid a breach of the law. All contracts need to be GDPR compliant. You may be required to appoint a Data Protection Officer, and you will have to carry out privacy impact assessments and facilitate enhanced data subject rights.
These enhanced data subject rights include:
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making, including profiling
If you do suffer a security breach, it will have to be reported to your customers or the regulator, and possibly also to the individuals affected, depending on the circumstances.
Data security and Metafour
Metafour is dedicated to providing a level of data security that meets the needs of our clients, and conforms to the requirements of GDPR. The Metafour Information Security Project demonstrates our continued commitment to cyber security, and keeping our customers’ systems safe. We have been certified to ISO 27001 standards, which helps us keep information assets secure. We have also passed our Cyber Essentials assessment, which aims to help organisations implement basic levels of protection against cyber attacks.