We recently collaborated with Retail Week on this article, exploring how The Internet of Things (IoT) is dramatically reshaping how retail supply chains operate now and in the future.
A supply chain can be optimised through real-time management of information, such as personal or industry data, collected by connected objects and robots in increasingly automated industrial environments. But using data and connected information systems also generates risks, triggers the application of data processing and cyber security regulations and, more generally, raises concerns about confidentiality and contractual terms. Below, we look at some of the legal issues involved in the setting-up and management of a supply chain powered by the IoT.
Customer analytics: To what extent can customer interactions be analysed?
Personal data can be found anywhere: technical data such as IP or MAC addresses qualify as personal data, and the frontier between anonymous data and personal data is too uncertain to rely on anonymity without an in-depth prior legal assessment. Enhancing customers’ experience by analysing their purchasing habits or in-store behaviour may therefore fall within the scope of personal data regulations.
And when it comes to analysing personal data, strong governance is required. In this respect, May 2018 will open a new era in data management, with the entry into force of the European General Data Protection Regulation (GDPR) throughout the European Union. Under the new rules, companies will have to set up strong data governance policies. What does it mean in practice?
Mainly, the focus will be on customers’ consent to the use of their data for analytics purposes, and clear information on who will use the data collected. Identifying the parties involved in data collection, use, analysis and processing is key to developing a data analytics business model, as such a model generally involves different stakeholders with different viewpoints, such as a retailer or manufacturer and a payment services provider, partnering to analyse data and offer enhanced services to their joint customers. Such data sharing typically requires distinguishing precisely between the roles and responsibilities of each of them, as “data controllers”, “data processors” or “joint” data controllers. Moreover, all the data processing will have to be secured, traceable and managed in compliance with the GDPR and internal governance rules.
Business intelligence: Are there any constraints on using supply chain data?
Data collected in the supply chain on stock, deliveries, etc. has no fixed legal status or regime, unlike personal data. No standard rule about ownership and use has been developed so far because the business case is so recent. However, such data may reveal critical information on a business and therefore be sensitive.
Where such data is collected and processed within a group or an integrated supply chain, the confidentiality issue may not be too critical. However, a business secret issue may arise where the processing reaches out to the data of third parties such as service providers or business customers. In this respect, managing business data should be governed by contract. The difficulty here is to determine the regime applicable to business intelligence governance in the absence of express contractual provisions envisaging confidentiality and competition aspects. A case-by-case analysis must therefore be performed.
Need for IT security
The Networks and Information Security Directive (NIS) will be effective in 2018 subject to domestic implementation in European Member States. Operators of essential services in sectors such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure will be subject to cyber security requirements and will have to notify serious incidents to national authorities. In addition, the digital industry (search engines, cloud computing services and online marketplaces) will have to comply with security and notification requirements.
In addition to general liability risks arising from IT and personal data security breaches, including reputational risk, this new regulation is intended to raise awareness across the industry in order to improve security standards. These new security levels should be anticipated in the allocation of obligations and liabilities in commercial contracts being entered into now.
What does this mean for businesses?
The IoT is revolutionising the supply chain, and businesses need to start putting their cyber security strategy at the top of the agenda to ensure success in tomorrow’s world.
If you would like to speak to OC about the issues raised within this article, please contact Lise Breteau or your usual Osborne Clarke contact.