Data protection: Moy Park
18 March 2011 | By Abigail Townsend
21 February 2014
M&A Weekly Update: fraud, bribery and money laundering sentencing guidelines; limited liability partners as workers; and more
2 June 2014
5 March 2014
28 February 2014
14 November 2013
Moving from financial services to the poultry industry would for most people require a major shift in attitude. But for Debbie Bloomfield, who joined food processor Moy Park from Sweden’s Ikano Financial Services in March 2010, what struck her first were not the differences but the parallels.
Moy Park, which has its head office in Northern Ireland and sites in England (where Bloomfield is based), France and the Netherlands, supplies own-label and branded chicken products to a host of retailers and food outlets. Ikano, owned by the same family that owns retail giant Ikea, specialises in providing companies with financial services such as store cards.
“I don’t see much difference compared with financial services in terms of regulation,” argues Bloomfield, now company solicitor at Moy Park. “We have to deal with regulations on hygiene, the environment, food and so on. We also have a massive workforce and numerous health and safety rules: I don’t see the regulation being any less stringent.”
Much of Bloomfield’s work at Ikano was focused on ensuring that the company understood its regulatory requirements. She was keen to adopt a similar approach at Moy Park, which had, she says, a “very out-of-date policy” that few in the company knew about. As a further incentive, in April 2010 the Information Commissioner’s Office was given new powers to fine companies that breached the Data Protection Act 1998 (DPA). Bloomfield’s first priority therefore was to draw up a new DPA policy as well as retention guidelines. These were approved by the board and launched in October 2010.
Staff training started well before that, however. In the UK alone, Moy Park employs around 8,000 people, so Bloomfield decided to focus her training primarily on the HR team. Training could then be rolled out across the company. She was aware that a talk on DPA compliance by the in-house lawyer was not going to excite people, and so looked at ways to convey how serious the issue was without boring her audience.
Expanding the regulatory universe
When at Ikano, Bloomfield had to give a talk to top management about how the regulatory environment was expanding. Realising that this could be a dry subject, she ditched PowerPoint and adopted a sci-fi theme: a graphic of planets, each representing a different regulatory body or company, was the main image; she used her son’s light sabre as a pointer; and unveiled her presentation to the Star Wars theme music.
This time, she sketched out a rough diagram of a typical office setting, albeit one featuring a big chicken, and loaded it with data protection breaches. She then spent “a few hundred pounds” having it drawn professionally by an illustrator. At subsequent training sessions, staff were asked to identify what was wrong with the picture and discuss why they constituted breaches and how they could be rectified.
“I don’t see myself as a lawyer in an in-house role,” explains Bloomfield. “Instead, I’m part of the business and just happen to have legal skills. It’s about working out how to get a message across effectively.”
The image acted, in her words, like “a pyramid scheme”: once trained, the HR department and managers could use it to teach fellow employees, who in turn used the image if they were carrying out training and so on, thereby spreading details of the new policies without micromanaging the flow of information.
Bloomfield also lobbied the board to create a new role of data protection officer. The board agreed. Bloomfield currently holds the post, but feels it could easily became a separate compliance-based role.
Less formally, a team of people from across the company is charged with keeping an eye on compliance.
“It’s a loose team we can pull together when needed,” says Bloomfield. “It also lets people look at what legal and other issues are affecting their teams and assess how to approach them. It turns compliance, which is a big issue, into smaller, manageable bites.”
Working closely with staff across the company like this is a priority for Bloomfield, who has put in place quarterly meetings with the HR department. These are used to discuss “things they want to get done, improving things they feel could be done better, and to share best practice”. But the meetings extend far beyond data protection.
“You can be isolated as an [in-house] lawyer,” she says. “The HR department is an obvious one that you would expect the legal team to work closely with, yet often HR and legal are segregated, only coming together when there’s a problem such as a tribunal. Effective compliance stops that sort of thing.”
In less than a year Bloomfield has overhauled outdated data protection guidelines and educated staff about new policies. But the work has not stopped, and she is now drawing up an information security policy.
As she says: “All these policies complement each other to support DPA awareness.”