GDPR: Practical advice for retailers

20th August 2018

Walker Morris’ Gwendoline Davies, a specialist in commercial dispute resolution in the retail sector; and Jeanette Burgess and Andrew Northage, specialists in data protection regulation, explain what the EU General Data Protection Regulation (GDPR) changes mean for retailers and why it’s important to implement a compliance strategy now.

Retailers like other businesses cannot have missed the fact that the GDPR came into effect in May 2018 – but how do the changes really impact the retail industry?

All retailers are likely to hold and use a wide variety of personal data, relating to employees, customers and potential customers (for example, for consumer research and marketing purposes). These records are a hugely important and valuable resource for retailers, whose customers will expect complete compliance with data protection legislation.

So, as responsible data controllers and processors, retailers should be getting to grips with the new, more extensive data protection regime imposed by GDPR (and the draft ePrivacy Regulation), and implementing their compliance strategies, now.

Some of the key changes which are particularly relevant for retailers are explained below.

Changes to the rules on consent

Many retailers rely on obtaining a consumer’s consent to processing their data. GDPR encourages retailers to review their processes and procedures and to identify whether they really need consent for the processing.  If consent is required, for example for direct marketing, GDPR significantly raises the standards which must be met for consent to be valid.

Consent must be freely given, specific, informed and unambiguous. It also requires a clear affirmative action by a consumer (as compared with the ‘old’ days of pre-ticked opt-in boxes and opt-out boxes consenting to marketing communications).  Retailers now need to keep clear records of how and when consent was given.  Existing consents will need to be renewed if they don’t meet the higher standards imposed by GDPR, or if retailers are unable to provide sufficient evidence that the consent was validly given.

Contracts with suppliers

Retailers will often use other companies to deliver packages, send customer communications, analyse data, process payments and provide customer service. In order for these companies to provide such services, retailers will need to share personal information with them. Under GDPR, contracts between retailers and their suppliers must be in writing and must include certain mandatory provisions, including requiring suppliers to implement appropriate technical and organisational security measures to protect data, obliging suppliers to report data breaches, only processing data on documented instructions from the retailer and allowing and contributing to audits by the retailer.

Data breaches

GDPR imposes a new obligation on retailers and other organisations to notify data breaches without undue delay and where feasible within 72 hours of becoming aware of the breach.

Retailers need to have a data breach response plan in place which will enable them to respond quickly and effectively in the event of a breach, to ensure damage limitation to both the brand and its customers.

Increased enforcement powers

GDPR has introduced a two-tier system of:

• fines of up to 2% of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and
• fines of up to 4% of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of data protection principles, breaches of data subject rights, and so on.

Record keeping

GDPR requires organisations to maintain detailed records regarding their data processing activities, which must be provided to the ICO on demand.

Enhanced data protection rights for individuals

GDPR also enshrines new rights for individuals, including:

• changes to Subject Access Requests (SARs). The information that individuals can request pursuant to a SAR has been expanded, whilst the time frame for complying has been reduced from 40 days to one month and in most cases it will no longer be possible to charge a fee for providing the requested information and
• the right to be forgotten. Individuals are entitled to have their personal data erased in certain circumstances (for example where the data is no longer necessary in relation to the purpose for which it was collected; where the individual withdraws consent; where the data has been unlawfully processed etc). Where an organisation removes data pursuant to this right ‘to be forgotten’, it must also inform others to whom they have passed the data of the erasure request.

GDPR has also introduced other new rights for individuals, including the right not to be subjected to wholly automated processing for the purposes of evaluating personal aspects such as health, personal preferences, behaviour and movements (known as ‘profiling’) and the right to receive their data in a structured, commonly used and machine-readable format or to require retailers to transfer that data to another data controller without hindrance (known as ‘data portability’).

The new rights have a number of practical implications for retailers. For example, there is currently no requirement for individuals to make any of the above requests in writing, so retailers will need to ensure that their HR, customer-facing and marketing teams are able to recognise SARs and other requests and know how to deal with them appropriately. Retailers will also need to consider who will be responsible for responding to the requests and whether they have sufficient resources to deal with them. Unless managed properly, responding to such requests could be costly in terms of staff and management time and, if mistakes are made, in terms of customer relations, brand reputation and potential fines from the ICO.

Data protection officers (DPOs)

Under GDPR, appointment of a DPO (who must be an expert in data protection law) is mandatory for organisations whose core activities involve either the monitoring of data subjects on a large scale or the processing of special categories of data (i.e. sensitive personal data) on a large scale. The DPO must be an expert in national and European data protection law and have an in-depth understanding of GDPR.

Security and pseudonymisation

Retailers should already have appropriate technical and organisational security measures in place to protect personal data, similar to PCI DSS but for non-payment data.

Encryption technology is already a fairly commonplace tool for addressing data security, but GDPR introduced the concept of ‘pseudonymisation’, also known as ‘keycoded data’. Data is anonymised so that it can only be used to identify individuals by reference to additional information such as a unique identifier. For example an anonymised list of employees identified only by their National Insurance numbers.

Pseudonymised data is still personal data for the purposes of GDPR, but the risk of processing such data is reduced.

Next steps

Whilst GDPR means greater consistency across the EU in data protection rules and regulation, which should be a good thing for both businesses and individuals, it also means greater scrutiny and greater administrative pressures on retailers.

As easy as 1, 2, 3?

The key to compliance for retailers is:

• ensure you understand in detail how you deal with personal data across every aspect of your business;
• ensure you understand how the GDPR requirements impact your business; and
• develop and implement a comprehensive compliance strategy.

Step 1 – full information audit

The best way to understand how you deal with personal data is to carry out a full information audit, which should include a data mapping exercise, i.e. identifying what personal data is collected; how it is processed; where it is stored; the security measures which are in place to protect the data; how long data is retained etc.

The report produced from the audit should form the basis of the records that retailers are required to maintain in respect of their data processing activities.

Step 2 – gap analysis

The results of the audit should also enable retailers to perform a gap analysis to identify where changes are required to bring policies, procedures, processes and systems into line with GDPR.

Step 3 – compliance strategy

The outcome of the information audit and the gap analysis should together form the building blocks of the retailer’s GDPR compliance strategy.  If any further strategic advice or practical assistance is required, Walker Morris’ retail and regulatory specialists will be very happy to help.