The General Data Protection Regulation (GDPR) is the biggest shake-up of EU data protection laws in two decades, and retailers will be amongst the hardest hit. But despite the complexity of the GDPR, understanding the broad outline of what it means for retailers is not difficult.
The May 2018 coming into force of the EU’s General Data Protection Regulation (GDPR) will have a dramatic impact on the retail industry, and in order to avoid massive fines, retailers will need to get control of their business data.
While the GDPR is a complex and expansive piece of legislation, the key issues for retailers are not, in principle, difficult to understand.
All data collected on individuals in the EU (with a few limited exceptions) now falls within the scope of the GDPR, which is already law in every EU state but will be enforced from May 25, 2018. The data subject to control and regulation is any personally identifiable information, such as email addresses, loyalty scheme records and transaction history, making it important that retailers get up to speed sooner rather than later.
For many retailers, particularly medium-sized businesses, having a full-time Data Protection Officer is not a possibility, but this does not mean they can be exempt from the GDPR. A good solution is to purchase data protection as a service, which is increasingly common as the GDPR and wider fears about security have caused data protection and IT security salaries to skyrocket. However, businesses are still liable as data controllers under the GDPR if they take on service providers, even if those providers go as far as providing data processing services.
In other words, everyone in a business, from board level down, needs to understand at least the broad outlines of the GDPR and how it relates to their business practices and the data they collect.
This also means that getting ready for the GDPR will mean that businesses have to expect the unexpected, says Gavin Peacock, Group CEO of TRC Solutions.
“The legislation is so big that we won’t know how the various data commissioners will interpret it until the horse has bolted,” he said.
TRC Solutions has developed an SAP certified Add-On for its implementation of the Business One enterprise resource planning (ERP) system, which means all data is kept in one unified repository and can be easily audited.
“This SAP Certified Add-On is designed to identify personally identifiable information across the ERP landscape. A name could come up in 55 CRM entries, four invoices, 25 quotations and 17 payments. The fact that you can discover that simply by putting that in means you have a highly defensible GDPR strategy.
“The bottom line is that if a customer reports not getting the information they requested, or not being forgotten, with this Add-On there will be a full audit trail from the initial contact to the removal of data,” he said.
All of this is intended to protect a business from the crippling fines that will be imposed for non-compliance with the GDPR, which can rise as high as €20 million (approx. £17.2 million), or four per cent of annual worldwide turnover, whichever is greater.
A general rule of thumb is that retailers need to consider what data they collect, why they collect it, how long it is stored for, where it is stored, who can access it and how secure it is.
With that in mind, there are some basic facts about the GDPR in retail environments that need to be understood:
Reversing the current practice, the GDPR introduces mandatory data breach notifications: within 72 hours of a breach occurring, businesses must notify their governing data protection regulator if personally identifiable information is at stake. As things stand, notifications have been subject to companies' own decisions to admit breaches, making this a massive change to business operations.
Under the provisions of the GDPR, a customer's consent must be sought and freely given before any personal data is collected and used in any way. This consent, even for something as simple as collecting an e-mail address for marketing purposes, must be "opt-in", and cannot be hidden in lengthy statements of terms and conditions. Data collected in store, even on paper, is also subject to the GDPR once it has been digitised.
Retailers are also obliged to show any collected data to customers on request, and, under the “right to be forgotten”, delete it if asked.
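The two obligations just described (disclose everything held on a customer on request, and erase it on request) and the earlier description of the ERP Add-On that locates a single person across CRM entries, invoices, quotations and payments and leaves an audit trail, come together in the following added example. It is illustrative code written for this article, not the TRC Solutions Add-On or any SAP schema: the four tables, their column names and the sample rows are all constructed here, and the subject is keyed on e-mail address as a stand-in for whatever identifier a real system uses.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample schema: four ERP-style tables that each hold a customer
# e-mail address (the personally identifiable key we search on). Table and
# column names are assumptions for this example, not any real SAP schema.
PII_TABLES = {
    "crm": "contact_email",
    "invoices": "customer_email",
    "quotations": "customer_email",
    "payments": "payer_email",
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.executescript("""
        CREATE TABLE crm (id INTEGER PRIMARY KEY, contact_email TEXT, note TEXT);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer_email TEXT, amount REAL);
        CREATE TABLE quotations (id INTEGER PRIMARY KEY, customer_email TEXT, amount REAL);
        CREATE TABLE payments (id INTEGER PRIMARY KEY, payer_email TEXT, amount REAL);
        -- Append-only audit trail: what was requested and what was done, per table.
        CREATE TABLE audit_log (
            id INTEGER PRIMARY KEY, ts TEXT, action TEXT, tbl TEXT, rows_affected INTEGER
        );
    """)
    subject = "alice@example.com"   # constructed data subject
    other = "bob@example.com"       # constructed unrelated customer, must be untouched
    cur.executemany("INSERT INTO crm (contact_email, note) VALUES (?, ?)",
                    [(subject, "called re: order"), (subject, "newsletter opt-in"), (other, "lead")])
    cur.executemany("INSERT INTO invoices (customer_email, amount) VALUES (?, ?)",
                    [(subject, 120.0), (other, 40.0)])
    cur.executemany("INSERT INTO quotations (customer_email, amount) VALUES (?, ?)",
                    [(subject, 99.5), (subject, 150.0), (subject, 10.0)])
    cur.executemany("INSERT INTO payments (payer_email, amount) VALUES (?, ?)",
                    [(subject, 120.0)])
    conn.commit()
    return conn


def _audit(conn, action, tbl, rows_affected):
    """Record one step of a request in the audit trail (same transaction as the data change)."""
    conn.execute(
        "INSERT INTO audit_log (ts, action, tbl, rows_affected) VALUES (?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), action, tbl, rows_affected),
    )


def locate_subject(conn, email):
    """Discovery step: count the rows in each PII-bearing table that reference the subject."""
    counts = {}
    for tbl, col in PII_TABLES.items():
        # Table and column names come only from the fixed allow-list above, never from
        # user input, so interpolating them is safe; the e-mail is always a bound parameter.
        (n,) = conn.execute(f"SELECT COUNT(*) FROM {tbl} WHERE {col} = ?", (email,)).fetchone()
        counts[tbl] = n
        _audit(conn, "locate", tbl, n)
    conn.commit()
    return counts


def export_subject(conn, email):
    """Subject access request: return every row that references the subject, per table."""
    export = {}
    for tbl, col in PII_TABLES.items():
        rows = conn.execute(f"SELECT * FROM {tbl} WHERE {col} = ?", (email,)).fetchall()
        export[tbl] = rows
        _audit(conn, "export", tbl, len(rows))
    conn.commit()
    return export


def erase_subject(conn, email):
    """Right to be forgotten: delete the subject's rows in one transaction, logging each table."""
    removed = {}
    try:
        for tbl, col in PII_TABLES.items():
            cur = conn.execute(f"DELETE FROM {tbl} WHERE {col} = ?", (email,))
            removed[tbl] = cur.rowcount
            _audit(conn, "erase", tbl, cur.rowcount)
        conn.commit()
    except sqlite3.Error:
        conn.rollback()  # a partial erasure would leave data and audit trail out of step
        raise
    return removed


def audit_trail(conn):
    """Return the audit log in order, as (action, table, rows_affected) tuples."""
    return conn.execute("SELECT action, tbl, rows_affected FROM audit_log ORDER BY id").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("located:", locate_subject(db, "alice@example.com"))
    print("exported:", export_subject(db, "alice@example.com"))
    print("erased:", erase_subject(db, "alice@example.com"))
    print("after erasure:", locate_subject(db, "alice@example.com"))
    for entry in audit_trail(db):
        print(entry)
```

The point of the allow-list and the single transaction is that the audit log can only ever claim what actually happened: every table a person can appear in is enumerated up front, so a request cannot silently miss one, and an erasure either completes across all tables or rolls back together with its log entries.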
Consent for data that is collected and subjected to automated processing, for example for Amazon-style marketing or loyalty programmes, must, if that processing is held to have "legal effect", also be sought under an "opt-in" system of explicit consent. This requirement is in addition to the existing privacy rules governing the collection of online "cookies" from web browsers under the PEC regulations.
One of the most common causes of malicious data breaches barely deserves the epithet 'hacking': sites that have been hacked, even trivial ones, often provide a veritable goldmine of passwords to those with malicious intent and, human nature being what it is, many people use the same password across sites and services. Thus, an unimportant site being hacked can lead to passwords on other sites, including work sites, being exposed. This can lead to the eventual seizure of administrative privileges and, through that, to massive data breaches. In the end, a system is only as secure as its users.
Off-loading data processing to service providers is increasingly common, particularly with the growth of cloud computing and many retailers seeking to keep up with the seemingly infinite computing resources of Amazon and its ilk, but the fact that data processing is not handled in-house does not mean responsibility for data can be kicked upstairs. Businesses are still liable as data controllers, even if their processing is done by a third party, and any third party arrangements need to be revisited to ensure that they comply with the GDPR. For example, is data kept within the EU, or is it backed up to locations such as the United States?
Bits cross borders with an ease that will never be achieved by atoms, but our increasingly digital world has not rendered borders a thing of the past. The GDPR seeks to ensure that the movement of data across borders, whether within the organisation or to third parties, is tightly monitored and fully compliant. Even within the EU, there is also the new concept of the "lead regulatory authority", which will deal with complaints and may not be in the jurisdiction where a business has its headquarters.
With a year until penalties are levied for non-compliance, it’s time to ready your enterprise for GDPR.