GDPR (General Data Protection Regulation) is a new EU regulation that comes into force on May 25, 2018. GDPR provides a legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU. It replaces the 1995 data protection directive, and its central aim is to give individuals greater protection over how their private data is handled.
Multinationals will also have to comply with the regulation. The GDPR Preparedness Pulse Survey recently released by PwC examined GDPR preparedness in the US, explaining that US companies are willing to spend $1 million or more on GDPR readiness plans. It states: “No legislation rivals the potential global impact of the EU’s General Data Protection Regulation (GDPR), going into effect in 2018. The new law will usher in cascading privacy demands that will require a renewed focus on data privacy for US companies that offer goods and services to EU citizens.”
Thus, the retail industry is on the verge of its biggest transformation in recent decades with the introduction of GDPR, which radically alters the data protection landscape. Retailers will need to be far more transparent about their customer data. This means prioritizing and understanding that data more carefully: what data they are holding, how securely it is held and who is accountable for it.
This process needs planning and time to implement. Yet retailers of all sizes will find it challenging to locate and secure the data under significant time constraints before the enforcement date next year.
Most importantly, fines for noncompliance are going to be much greater than they were under previous regulation, equating to €20 million or 4% of worldwide turnover, whichever is larger.
What are the Key Components of GDPR?
We can think of the main components of GDPR as falling into four broad categories:
1. Consent
2. Transparency & Customer Control
3. Accountability
4. Customer Trust
1. Consent
It will be important to prove that you have the positive consent of customers to hold their data.
As the ICO explains: “Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.”
Retailers will have to consider how they document that consent has been given and review processes where necessary.
2. Transparency and Customer Control
Individuals will have more rights under the GDPR.
In conjunction with this, it’s important to consider the definition of personal data, the scope of which is increasing. The GDPR states that: “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
As IT Governance explains, “Perhaps the biggest implication of this is that, under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that has been subjected to technological measures (for instance, hashing or encryption).”
Individuals can ask for confirmation that their data is being processed, and can request that any information held about them be provided, corrected if it’s inaccurate, or deleted entirely. This aspect is not completely different from the current Data Protection Act in the UK; the key change is that the information must now be provided without delay and, at the latest, within one month of the request.
Again, this is likely to require a review to be undertaken to ensure that the mechanisms are in place to provide the scope of information described under GDPR within the time frame.
3. Accountability
According to the ICO, one of the most important principles underpinning the regulation is accountability.
The GDPR requires retailers to show how they are complying with the requirements, which will demand more thorough documentation. For example, this could mean being able to prove that data minimization measures are being implemented, or that ongoing security reviews are taking place.
In the event of a data breach, an organization must notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
4. Maintaining Customer Trust
The regulation is especially pertinent for retailers who stake their brand reputation on trust and openness. It is a symptom of a wider cultural shift in society in how personal data is perceived and in an individual’s right to control it.
This means the stakes are higher for retailers, who will not want to be caught off guard or considered out of touch in their approach.
The full regulation needs to be reviewed carefully by retailers – it is extremely detailed with a total of 99 articles. It’s considered a living document that will be reviewed on an ongoing basis.
But it also represents an opportunity for retailers to audit their data handling processes, to identify areas for improvement and to implement a more future-ready approach. A twelve-point action plan is available from the ICO.