Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data has required all European organizations to be in compliance since May 25, 2018.
The regulation requires in particular:
- transparency towards the owners of the personal data processed [article 13]
- respect for the rights of owners of processed personal data [articles 16 to 23]
- the implementation of technical security measures [article 32]
- supervision of subcontractors [article 28]
- the ability to demonstrate compliance (accountability)
The logistics sector is particularly affected by the regulation. Delivery channels are increasingly diversified (relay points, customer delivery by different players, lockers, etc.) and involve numerous subcontractors.
Service providers involved in the delivery chain process personal data in significant quantities, particularly in last-mile deliveries. Personal data is transmitted from subcontractor to subcontractor, passing through as many information systems along the way.
The regulation requires identifying all subcontractors in the delivery process and obtaining from each subcontractor sufficient guarantees in terms of protection of personal data.
The major difficulty is to ensure the security of personal data throughout the package delivery process, from ordering to delivery, and to ensure that each subcontractor provides sufficient guarantees to the data controller at the origin of the order, or even of the connection with another supplier, as is the case on many e-commerce platforms.
The world of logistics will have to rethink the information systems involved in delivery routing to guarantee that the data exchanged is protected from order taking to delivery and that each subcontractor is committed to complying with the new regulation.
The risks are significant: in the event of a data breach, the data controller may be fined 4% of its global turnover. The data controller is also obliged to report the security incident to the supervisory authority, and the image of the company may be significantly damaged.
