Caveat venditor - what GDPR means for Retail
Most businesses will, by now, be aware that the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, heralding a significant upgrade to the data protection regime that has been in place since the Data Protection Act 1998.
These regulations have wide-ranging consequences for businesses generally and bring particular challenges to the retail industry.
With fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater, the financial penalties of failing to meet the GDPR requirements can be severe. The consequences of suffering reputational damage following a data breach could be even greater.
Companies should be well aware of the principles of GDPR. Broadly, GDPR applies to controllers and processors of personal data and imposes obligations on how that data is collected, stored and processed. It also introduces a broader and more detailed definition of personal data, reflecting the fact that technological change has expanded the range of information that can be collected about people.
As customer data is incredibly valuable, the new rules must be met: businesses that fail to do so risk losing the ability to use that data lawfully, and expose themselves to the fines and reputational damage that come with a breach.
The requirement for active consent will affect the ways in which customer data can be collected and processed. Where consent is the basis for processing, the customer must actively consent to the use of their data, which will affect targeted communications, loyalty card schemes and e-receipts. Pre-ticked consent boxes are no longer permitted, and a clear opt-in is required before data can be used for marketing purposes. Additional staff training will be required to ensure the new procedures are followed.
Customers will also be able to request access to the data the company holds about them and to ask for that data to be corrected, deleted or transferred to another provider. Retailers will therefore need to have procedures in place to verify, evaluate and respond to such requests within the required time limits.
Brexit will not change the position, as GDPR will be brought into UK law, and in any case GDPR will still apply to any company offering goods or services to individuals in the EU. Data transfers to and from the EU will need to be considered as part of any GDPR review.
In short, retailers need to get an understanding of GDPR, map the personal data they hold and ensure appropriate consent processes are in place. The basis for relying on legitimate interests for processing should be considered. Retailers need to know the rights of individuals and their organisation’s ability to meet these. Finally, they need to review their existing data protection regime and determine what needs to improve to meet the requirements of GDPR, and they need to do it quickly!