Data Protection and Privacy Checklist
Data Inventory and Classification
Walk every data path: customer-supplied CAD landing in SolidWorks PDM or Windchill, BOMs and routings in NetSuite or Epicor, traveler and OEE data in Tulip or MachineMetrics, and any IoT bridges from PLCs to the cloud. Note where data leaves the plant — supplier portals, customer EDI, file shares with contract programmers.
Apply four tiers — Public, Internal, Confidential (customer drawings under NDA, pricing, supplier scorecards), and Restricted (ITAR/EAR technical data, employee PII, payment data). Tag at the folder level in PDM and at the record level in ERP where the system supports it.
Review the part catalog against customer purchase order flowdowns and the USML / CCL. Capture ECCN classifications for dual-use items and confirm DDTC registration is current for any defense articles. Drawings, models, and process specs all count as technical data — not just the finished part.
Pull every active NDA, MSA, and data processing addendum from contracts. Note expiration dates, scope of permitted use, and any flowdown obligations to second-tier suppliers. Aerospace and medical-device customers usually require explicit data-handling clauses tied to AS9100 or 21 CFR 820.
Update the central register with system, owner, classification, retention period, and lawful basis. The register is the document an ISO 27001 auditor or customer security questionnaire will ask to see first.
Access Controls and Technical Safeguards
Pull the AD group membership for ITAR-flagged PDM vaults and ERP roles. Cross-check every member against the I-9 / citizenship record on file in HR. A foreign-person login viewing a controlled drawing is a deemed export — DDTC violations carry seven-figure penalties per occurrence.
Confirm engineers, operators, and outside contractors have only the vaults and rev states they need. Common gotcha: terminated employees still in an Arena or Windchill group because offboarding only revoked AD, not the application-level role.
Confirm BitLocker or equivalent on engineering laptops, TLS 1.2+ on the supplier portal and EDI endpoints, and database-level encryption on the ERP and QMS. Capture the verification screenshot — auditors want evidence, not assertion.
Schedule the patch window with production scheduling so a NetSuite or Epicor restart does not strand a release-to-floor. Patch the MES (Plex, Tulip, MachineMetrics) and the historian; legacy SCADA on Windows Server 2012 is a frequent gap.
MFA on the VPN, the engineering jump host, and any vendor remote-support paths into PLCs or robots. Service accounts used by integrators are the most common bypass — require named accounts with logging.
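As an added example (not part of the original checklist), a Python reconciliation of an AD group export against the HR roster that flags the three gaps called out above: a non-US person in an ITAR-controlled group, a terminated employee still holding an application-level role, and an integrator service account with no HR record behind it. The CSV exports, group names and accounts are constructed placeholders.

```python
import csv
import io

# Constructed sample exports (placeholder data, not a real plant):
# one row per (group, account) from AD, and the HR roster with the I-9 result.
AD_GROUPS_CSV = """group,sAMAccountName
PDM-ITAR-Vault,jdoe
PDM-ITAR-Vault,mlee
PDM-ITAR-Vault,svc-integrator
ERP-Role-Engineering,jdoe
ERP-Role-Engineering,rkhan
"""

HR_ROSTER_CSV = """sAMAccountName,status,us_person
jdoe,active,yes
mlee,active,no
rkhan,terminated,yes
"""

# Groups that gate ITAR/EAR-controlled technical data (hypothetical names).
ITAR_GROUPS = {"PDM-ITAR-Vault"}


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(ad_csv, hr_csv, itar_groups):
    """Return (group, account, reason) for every membership that fails review."""
    roster = {r["sAMAccountName"]: r for r in load_csv(hr_csv)}
    findings = []
    for row in load_csv(ad_csv):
        group, account = row["group"], row["sAMAccountName"]
        person = roster.get(account)
        if person is None:
            # Service or orphaned account: no I-9, no named owner, no offboarding trigger.
            findings.append((group, account, "no HR record; require a named account"))
            continue
        if person["status"] != "active":
            # Offboarding revoked the AD logon but left the application-level role behind.
            findings.append((group, account, "terminated but still holds role"))
        if group in itar_groups and person["us_person"] != "yes":
            # A foreign person with access to controlled data is a deemed export.
            findings.append((group, account, "foreign person in ITAR group"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(AD_GROUPS_CSV, HR_ROSTER_CSV, ITAR_GROUPS):
        print(*finding, sep="\t")
```

Run it against a real export by replacing the two CSV strings with the AD and HR dumps; every finding is a ticket, and the "no HR record" rows are the integrator accounts the last item asks you to replace with named logins.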
Retention and Secure Disposal
Map retention to the record class: quality records and FAIs per AS9100 (typically lot life + 7 years, or per customer flowdown), DHR for medical device per 21 CFR 820 (device life + 2 years), OSHA 300 logs for 5 years, hazmat shipping papers for 3 years, employee PII per state law. Customer NDAs often override — read them.
Execute the retention job for records past their schedule. Pause and escalate if a record is on legal hold or is part of an open NCR or CAR investigation.
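As an added example (not the checklist's own tooling), a small Python retention evaluator built from the record classes and periods listed above: it computes the retain-until date per class, lets a customer flowdown override the default period, and returns "escalate" instead of "dispose" when a record is on legal hold or tied to an open NCR/CAR. The customer name, override value and sample records are constructed.

```python
from datetime import date

# Default retention from the checklist: record class -> (anchor date field, years).
# Customer flowdowns in the NDA/MSA override these per customer (see OVERRIDES).
RETENTION_YEARS = {
    "as9100_quality": ("lot_life_end", 7),     # quality records, FAIs
    "fda_dhr": ("device_life_end", 2),         # 21 CFR 820 device history record
    "osha_300": ("record_date", 5),
    "hazmat_shipping": ("record_date", 3),
}

# Constructed example of a customer flowdown that lengthens AS9100 retention.
OVERRIDES = {"AeroPrime": {"as9100_quality": 10}}


def add_years(d, years):
    """Anniversary date; a Feb 29 anchor falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retain_until(record, overrides=OVERRIDES):
    anchor_field, years = RETENTION_YEARS[record["class"]]
    customer_terms = overrides.get(record.get("customer"), {})
    years = customer_terms.get(record["class"], years)
    return add_years(record[anchor_field], years)


def disposition(record, today, overrides=OVERRIDES):
    """'escalate' on legal hold or open NCR/CAR; otherwise 'dispose' or 'retain'."""
    if record.get("legal_hold") or record.get("open_investigation"):
        return "escalate"
    return "dispose" if retain_until(record, overrides) <= today else "retain"


if __name__ == "__main__":
    today = date(2024, 6, 1)
    samples = [
        {"class": "osha_300", "record_date": date(2018, 3, 1)},
        {"class": "as9100_quality", "customer": "AeroPrime", "lot_life_end": date(2015, 1, 1)},
        {"class": "fda_dhr", "device_life_end": date(2020, 1, 1), "legal_hold": True},
    ]
    for rec in samples:
        print(rec["class"], retain_until(rec), disposition(rec, today))
```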
Cross-cut shred at the cell or use a locked bin with certificate-of-destruction service. Walk the floor for stale prints — superseded revs taped to a workstation are both a quality risk (operator follows wrong rev) and a confidentiality leak.
NIST SP 800-88 Purge for laptops and engineering workstations; physical destruction for drives that held ITAR or restricted data. Don't forget CNC controllers and CMM PCs — they hold customer programs and inspection results.
Attach the vendor certificate (shred service, e-waste recycler) to the asset record. Customer audits — especially aerospace primes — will sample disposal records and ask to see the chain from asset retired to certificate received.
Privacy Compliance and Training
If you ship to EU customers or have EU-based employees, GDPR applies to their personal data — Article 30 records, transfer mechanisms (SCCs post-Schrems II), and 72-hour breach notification. CCPA / CPRA covers California residents including employees. New-state privacy laws (TX, VA, CO, CT) keep widening; check the matrix.
Privacy Impact Assessment for new operator-tracking, badge-scan, or vision-system deployments. Operator productivity data, biometric clock-ins, and floor cameras are the usual triggers — Illinois BIPA and similar state laws make this a litigation exposure if skipped.
For most small-to-mid manufacturers, the IT manager or quality manager wears the data protection officer (DPO) hat. GDPR Article 37 only requires a formal DPO for large-scale processing or special-category data — but the named accountability matters either way.
Engineers get ITAR / EAR awareness and customer-NDA handling. Operators get clean-desk, removable-media, and phishing basics. Track completion in the LMS — auditors and customers ask for the matrix.
Walk the team through a realistic scenario — ransomware on the file server holding customer drawings, or a stolen engineering laptop with cached PDM files. Test the notification clock: GDPR is 72 hours, most state laws are 30–60 days, and customer contracts often require notice within 24–48 hours of detection.
Engage outside counsel, the cyber insurance carrier's breach hotline, and the forensic IR retainer. Preserve logs before remediation; segment the affected network; prepare customer notifications under the tightest contractual clock. Do not communicate externally until counsel has reviewed.
