GDPR comes into force: What does it mean for the food industry?

636627919375788594tech mobile.jpg

25 May 2018 --- As of today, the General Data Protection Regulation (GDPR) is officially in force in the European Union (EU), aimed at strengthening people’s data protection rights and stepping up the powers of authorities to target companies who break the law. Since we live in a digital era, the new regulations are tightening up how companies gather consumer data and how they share or use it. Today’s new rules are set to bring in multiple changes, which primarily includes the need for consent for anyone listed on a company mailing list.

The new laws around GDPR are introducing the possibility of fines up to up to €20 million (US$23.4 million) or 4 percent of turnover, for any company that breaches the law and if that data falls into the wrong hands. The implementation comes just months after the Facebook/Cambridge Analytica data debacle came to light, but the regulation has been on the horizon for several years already. 

While the food industry has not been as creative in online marketing campaigns as other sectors, it will undoubtedly impact strategies moving forward here too. 

The BBC points to a UK survey of 906 firms by the Federation of Small Businesses, which found that only 8 percent had completed their preparations. And there is likely to be further disruption today as the regulation comes into force.

The GDPR applies to over 500 million EU consumers and aims to protect their privacy regardless of where the companies handling their data are based. It embodies the EU’s aim to protect their citizens’ fundamental rights and lays the groundwork for more privacy-friendly business models.

According to consumer lobby group, BEUC (The European Consumer Organisation), the GDPR will put consumers back in control. Companies will now have to give a choice to consumers when they ask for their consent to use their personal data. This will require many companies to rethink their business model, especially those who make access to their service dependent on online tracking and profiling.

Monique Goyens, Director General of BEUC, comments: “Consumers are people, not products. The GDPR is the EU’s response to the privacy challenges of a digitalized society.”
“It is a game changer,” she claims. “Consumers should use their rights and draw clear boundaries regarding the use of their personal data.”

“All companies would be well-advised to take the GDPR obligations very seriously. Not only because of the possibility to get fined, but because it responds to the expectations of users who highly value their privacy. Companies need to bring their technologies and services in line with people’s fundamental rights,” Goyens explains.

“The GDPR has bestowed national data protection authorities with substantial powers to make companies play by the rules. They have a big responsibility to make GDPR a success.”

“Consumer organizations also have a role to play. We will keep a close eye on the market and make use of the GDPR’s toolbox to help consumers exercise their rights and to defend their collective interest.” 

Click to Enlarge
David Martín,
Senior Legal Officer for BEUC

While he wouldn't specify on how the regulation would impact the food industry per se, David Martín, Senior Legal Officer for BEUC did make some relevant observations to FoodIngredientsFirst, particularly when it comes to retail channels. “The GDPR regulates the use of personal data, so it is likely to have more impact on those parts of the industry that have direct contact with consumers and therefore process consumers’ personal data as part of their activities. It will particularly have an impact on all direct marketing and advertising operations, as well as on loyalty schemes,” he says

“We expect companies to be much more transparent towards consumers about how they use their personal data, and to give consumers more control over their data. Ultimately, companies will change their mindset and adopt a more privacy-friendly and user-centric approach to privacy issues. Privacy protection should become a priority for them, if only because the consequences of breaching the rules can be very serious,” he claims.

But how has the industry leveled up?
For many food businesses, the GDPR will have an impact. GDPR relates to employees, suppliers, customers and any individual on whom you might hold data for, meaning your database should be cleaned and updated regularly. Under the GDPR, IP addresses, social media posts and photographs are also counted as personal data, along with information such as telephone numbers and email addresses.

On Nestlé’s website, the company states: “We know that data privacy is a top issue today, and that is why we want to ensure that you can enjoy interacting with us on our website in the knowledge that your personal information is fully protected and that it remains under your control.”

The company also promises: “Your personal data will not be disclosed to the public or sold to third parties. If our commercial partners need data to provide you with services, we will ask your permission. We may also have to provide access to specific data if required to do so by authorities.”

When approached by FoodIngredientsFirst, Nestlé declined to comment further on the matter.

Unilever is also stepping up to keep personal data private. The company lists the hashtag: “#yourdataisyours” on its website and further details below regarding GDPR.

“We know that you care about your personal data and how it is used, and we want you to trust that Unilever uses your data carefully. This Privacy Notice will help you understand what personal data we collect, why we collect it and what we do with it.” They have also been approached for further comment.

Speaking to FoodIngredientsFirst, Richard Clarke, Managing Director at the PR agency Ingredient Communications says that most food brands and retailers will have databases of past and present customers to whom they send marketing material. GDPR will decimate a lot of those databases because many consumers will ignore requests to opt-in to lists again for GDPR compliance purposes.
“It’s tough, but it’s the same for all businesses, so at least it’s a level playing field, which offers a crumb of comfort. If there is one chink of light, it’s that those consumers who do opt in to stay on marketing lists are likely to be the most engaged consumers of all. If you like, it’s a process of correcting databases that might have become crowded over the years. It could enable companies to get even closer to those shoppers who are most loyal,” he explains.
For most consumers, GDPR merely offers a great way to reduce the number of marketing emails they receive, including those they never signed up to receive, or don’t recall signing up to receive.
“And we have to remember that GDPR exists because it was perceived there was a need for it. The insidious practice of requiring people to opt out pro-actively of receiving marketing materials from companies enabled the feeling to develop that personal data was being misused. GDPR will correct that imbalance and put power back in consumers’ hands,” Clarke continues.
“But it will also enable companies and brands to be more targeted and more confident that the people who are receiving their marketing messages want to get them,” he concludes.

By Elizabeth Green

To contact our editorial team please email us at