The Aquaculture Stewardship Council (ASC) is the world’s leading certification scheme for farmed seafood – known as aquaculture. ASC develops and manages the strictest standards in the industry. These standards include hundreds of requirements covering the potential impacts of aquaculture – including water quality, responsible sourcing of feed, disease prevention, animal welfare, the fair treatment and pay of workers and maintaining positive relationships with neighbouring communities.
The ASC is the creator and steward of standards for responsible farming that cover both environmental and social impacts. For many organisations, ASC accreditation forms part of their wider Corporate Social Responsibility program, which means that there is an expectation that the ASC itself takes compliance and governance seriously. The ASC also deals with a significant amount of commercial data relating to suppliers and retailers, some of whom are competitors, which means that it needs to be able to demonstrate its ability to protect that data and handle it correctly.
Richard Ryan, Director of Operations at ASC, explains: “As an international organisation that is part of global supply chains our data systems are extremely complex. Good data governance isn’t just a matter of compliance for us, it is wholly necessary to allowing us to serve our customers better and to position ourselves against other standards schemes in the industry.”
Compliance with the GDPR forms an important part of the ASC’s data governance framework, and Brexit has brought both opportunities and challenges – not least relating to the complexities of international data transfers and the operational requirements that arise for organisations with multiple legal entities.
When assessing whether to opt for an in-house or outsourced DPO, there were a number of factors to consider including the complexity of the data protection landscape, the ASC’s changing requirements, and cost.
“The increasing complexity of our operations and data governance as we move forward, coupled with external data protection developments, meant that we needed a DPO with in-depth legal expertise and significant experience,” continues Richard. “However, we couldn’t justify employing a full-time DPO given our current size. That’s why we opted for an outsourced DPO service – we have the guidance and advice on hand when we need it, without the overhead of a full-time headcount.”
The data protection team at norm. began by conducting a GDPR compliance review for ASC, and together with Richard built out a roadmap to follow to improve the organisation’s policies and procedures accordingly. It is an ongoing process, as with any compliance initiative, and is viewed as a strategic priority.
“We can address our data protection requirements with confidence and ease knowing that the team at norm. is always on hand for both ongoing and ad hoc support,” concludes Richard. “We view adhering to the highest data privacy standards as vital to the work we do, and norm. helps us to achieve this.”