GDPR: 10 key issues facing UK retailers

GDPR

The law regarding personal data will change on 25th May 2018 when the EU General Data Protection Regulation (GDPR) comes into effect. Replacing the UK Data Protection Act 1998, which was drafted long before the exponential growth of the internet, GDPR reflects the new data landscape and sets out to protect the fundamental rights and freedoms of individuals and their data. With fewer than 100 days until GDPR becomes law, the pressure is on to ensure compliance is achieved and maintained into the future.

SRM has operated in the information security environment for many years. Our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification and are able to advise on the strategic management of GDPR compliance. While GDPR applies across all sectors and services, addressing the key issues of consent, security and access rights, there are a number of key issues which will directly affect retailers.

1. What is considered personal data?

In short: anything and everything. From mobile telephone numbers to individually named email addresses. Generic email addresses are not considered personal data because they could belong to multiple individuals.

GDPR also includes ‘sensitive personal data’ which includes information on, for example, biometric data, race, political opinion, physical or mental health conditions or sexual orientation. This may not be information commonly held on customers but may frequently be held on company employees by HR departments.

If personal data is unidentifiable, under the rules of GDPR retailers may keep that information for as long as they like. Anonymising data is not sufficient: pseudonymisation or encryption  of personal data are the best security measures.

2. Consent

When any form of personal data is collected – from customers and employees – the legal basis of its processing must be considered. In the vast majority of cases where customer data is collected, consent must be given.

Customers: many retailers ask their customers for their email addresses at the point of purchase. This data is then used for marketing purposes but under GDPR retailers will need to ensure an individual’s consent is fully informed, actively and freely given. That is, they must positively affirm their willingness to be contacted. Pre-ticked boxes are not allowed.

Employees: the issue of consent also relates to the people who work for you. GDPR has made clear that the same rules of consent apply to employees and customers. Retailers should update their employee consent procedure to be fully compliant when it comes to the processing of their personal data for which consent is required

3. Profiling

Retailers profile customers in a number of ways. Data can be collected through automated forms, loyalty cards or through the use of Cookies. While this information is a valuable tool when targeting online advertising, if it includes ‘legal effects’ – perhaps deals are restricted to certain behavioural types – then the customer must have the right to object.

Note that the profiling requirements of GDPR are separate from the current e-privacy rules (Privacy and Electronic Communications Regulations – PECR) which still require consent to place Cookies on an individual’s device. This regulation is also being updated at the same time as GDPR is implemented.

4. Loyalty programmes

As part of the profiling process, many retailers use loyalty cards. Where rewards under a loyalty programme might involve a customer’s data being shared with the applicable reward provider, this arrangement is likely to involve data sharing. Not only does a detailed agreement need to be in place with all parties but the ICO’s Code of Data Sharing should be considered too.

5. Data processing

The responsibility for data processing extends to all suppliers. For example delivery logistics providers as well as marketing agencies. Data processors have a responsibility for security under GDPR and all agreements should be reviewed and, where necessary, renegotiated.

Under GDPR both the retailer and its data processor suppliers must adhere to specific security requirements. This is a change from the current law where processors do not have direct liability.

6. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and no later than 72 hours of becoming aware of the breach. In some cases this will apply to the data subjects as well. Retailers therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place.  Awareness among suppliers and in-house training for staff is a vital element of this process. Retailers which trade across geographical borders will have to ensure that they are compliant in different jurisdictions. Having a coherent approach to data breaches will not only ensures compliance with GDPR but has the added benefit of minimising adverse publicity.

7. Access (rights of the individual)

At the moment, an individual who makes a written request is entitled to know what personal data is held on them by a retailer for a £10 fee. This charge will be removed after 25th May. In addition, once GDPR is in place there are likely to be large awareness campaigns, supported by the EU, to increase awareness of this right. These requests must be answered within one month. Retailers running loyalty programmes can start preparing for this by creating a form for these type of requests, reviewing what personal data is held and removing anything which has no purpose.

8. Third party suppliers

In addition to the other responsibilities relating to third party suppliers under GDPR, retailers should know that they are ultimately responsible and address some fundamental questions: if third party processors are based in the EU, do they have a safeguarding contract in place? Are these suppliers ready for GDPR? If the answer is no, alternative suppliers may need to be considered.

9. Cross border data flow

An essential element of GDPR compliance is identifying international data flow (including employee data) within a group of retail companies or their third party suppliers. Those operating stores or online sales across geographical borders must comply with the rules on international data transfers. The retailers lead regulator will be in the country where the controller or processor is based.

10. DPOs and CISOs

GDPR compliance requires the majority of organisations to have a Data Protection Officer (DPO) or a Chief Information Security Officer, whose responsibility it is to manage and drive the GDPR compliance process. When GDPR comes into effect, inadequately protected organisations which suffer a breach will be penalised by fines of up to 20 million Euros or 4% of global turnover (whichever is higher) so these officers are under a lot of pressure to deliver. SRM can support and resource in-house DPOs and CISOs or can take on the full responsibility through our VirtualCISO service.

SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our website.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

Or read our blog:

GDPR: the world will not stand still on 25th May 2018

GDPR: a question of confidence

How a CISO can exert influence at board level

Posted 6 months ago on · Permalink