Data, and specifically personal data, isn’t something that is typically at the top of the agenda in the food and beverage industry. But, there are good reasons why it should be. 

Data can significantly maximise opportunities for food manufacturers to get closer to your end customers, know their likes and dislikes, when and how they wish to buy your products, how they consume them, and how you can improve them.  

With the emergence of AI technologies like machine learning and data analytics, businesses can transform their supply chain by better optimising routes to market and applying algorithms to identify trends and predict consumer tastes and interests. For example, bakeries armed with the knowledge that their sausage rolls are more favourably consumed by people north of the Watford Gap, can limit the distribution of such products in the south to maximise profits. 

When you don’t have a direct-to-consumer relationship, it can be challenging to gain that insight. There is a big market in buying and selling third-party information to use for your own purposes and to enrich your existing datasets. This is a legitimate practice, but you must tread carefully to ensure you stay on the right side of data protection compliance. If you are buying in data, here are the top 5 things you need to think about:

1. Do diligence on the list and the provider of that list e.g. find out how it was compiled, who by and when. Confirm if the data is accurate, if it has been lawfully collected and if it is up to date. Make sure your contracts with the provider of the list include adequate warranties regarding the data. 
2. Does it include personal data and if so, does it need to? Can you get your intended benefit without using personal data? For example, obtaining aggregated or anonymised information rather than raw datasets. Remember, personal data isn’t just name and contact information, it also includes any indirect identifiers such as location or IP address.
3. If you are collecting personal data, you will need to comply with data protection laws which require you to let individuals know that you are using their data for specific purposes and where you obtained it from. This can be challenging if you don’t have a direct relationship with them. You may have to work with the provider to determine how this can be managed, but once you collect the data, the responsibility to inform consumers rests with you. 
4. In some circumstances, consent may be required for your collection and processing of the data. Again, this can be challenging and you must check that any consents already obtained clearly demonstrate the individual’s agreement for you to use their data for your purposes. Otherwise, the consents could be invalid, and you run the risk of having a worthless dataset which could expose you to enforcement action if used improperly. 
5. You should be aware that even if you intend to swiftly aggregate the data to remove identifiers, that activity is also a form of processing and will require you to comply with data protection obligations. Therefore, you might want to see if it is an option for the provider to anonymise before sharing with you.

You may have some routes to consumers directly, for example through product testing, consumer interest groups or competitions. Again, be careful to ensure that if you want to use such data beyond the initial engagement with the individuals for further analytics purposes, you must let them know. Asking for consent is one way to do this and is a must if you are collecting any sensitive information such as health, ethnicity or biometric data. However, consent can come with problems, particularly as individuals have the right to withdraw that consent meaning that you have to siphon their data from your datasets which can be difficult when using GenAI tools. An alternative which may apply is to determine that the information you’re collecting from these engaged consumers is necessary for your legitimate interests to better understand and build demographic or interest-based profiles (for example) and that these interests are not overridden by the privacy rights of the individuals. Key to satisfying this is establishing that your intended processing is within the consumers’ reasonable expectations. So, the bottom line is that you need to let them know. This does not need to be ‘chapter and verse’ but you shouldn’t bury the information deep within lengthy privacy notices. It is better to use clear, succinct statements to explain what you’re collecting and what you’re using it for. 

You may also be embarking on your own direct-to-consumer distribution model. Many brands have successfully achieved this by sidestepping aggregator sites or complex logistics arrangements in favour of direct interaction with end customers. If you are doing this, data protection must be front and centre of your strategy. Privacy by design requires you to ensure that the privacy interests of individuals are baked into your delivery model at the outset for example, by ensuring data collection forms are limited to obtaining only the bare information that is required for your purpose and that you have robust security to protect customer personal data from accidental or malicious disclosure. Slicker customer experiences can be yielded from personalisation, for example, remembering customers’ previous orders and preferences. There are high stakes however, if you get this wrong – you could face fines from regulators, claims or complaints from your customers, or be exposed to breaches or attacks from cyber criminals. Get it right though, you can really enhance customer trust in your brand - which is priceless.