Retailers get ready! The countdown has started to the new general data protection regimePrint publication
With only a little over 12 months to go until the new EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018, Walker Morris’ Gwendoline Davies, a specialist in commercial dispute resolution in the retail sector, Jeanette Burgess and Andrew Northage, specialists in data protection regulation, explain what the changes mean for retailers and why it’s important to implement a compliance strategy now.
A new regime for all
The existing data protection regime is now over 20 years old and the retail industry has changed markedly since it came into force in the late 1990s, not least because of the exponential increase in online shopping and significant advances in data collection and marketing technology in that period. GDPR aims to harmonise data protection legislation by the creation of an EU-wide single legal framework, to recognise and embrace technological advances for all businesses (in accordance with the EU’s Digital Single Market Strategy) and to strengthen citizens’ fundamental data protection rights.
GDPR will have direct effect in all EU Member States (that is, it will apply directly in all Member States without the need for UK legislation to enact it) from 25 May 2018. Although GDPR is a piece of European legislation, the UK government has confirmed that, for data protection at least, Brexit doesn’t mean Brexit and the UK will adopt GDPR on 25 May 2018. To quote the UK’s Information Commissioner in a recent speech: “If I could give you just one piece of advice today, it would be not to put this off. The GDPR is happening“. The Minister of State for Digital and Culture also recently reiterated that the UK will implement GDPR, which will start to apply part way through the two-year Brexit negotiations.
Even after Brexit, GDPR’s expanded territorial scope means that UK retailers which offer goods or services to EU data subjects, or which monitor EU data subjects’ behaviour, will be subject to GDPR.
Crucially, there is no transitional period. When GDPR comes into force on 25 May 2018, UK organisations must comply with the new regime from that date. This means that the countdown has started and there is now only a little more than 12 months in which to develop and implement a compliance strategy.
New rules on electronic direct marketing, cookies and other forms of online monitoring are also in the pipeline with the publication of the draft ePrivacy Regulation in January 2017. The Commission wants these new rules to come into force on 25 May 2018 (the same date as GDPR), but this will depend on how quickly the Regulation can get through the EU legislative process.
What do the changes mean for retailers?
All retailers are likely to hold and use a wide variety of personal data, relating to employees, customers and potential customers (for example, for consumer research and marketing purposes). These records are a hugely important and valuable resource for retailers, whose customers will expect complete compliance with data protection legislation.
So, as responsible data controllers and processors, retailers should be getting to grips with the new, more extensive data protection regime imposed by GDPR (and the draft ePrivacy Regulation), and implementing their compliance strategies, now.
Some of the key changes which are likely to be particularly relevant for retailers are explained below.
Changes to the rules on consent
Many retailers rely on obtaining a consumer’s consent to processing their data. GDPR encourages retailers to review their processes and procedures and to identify whether they really need consent for the processing. If consent is required, for example for direct marketing, it will be much harder to obtain, as GDPR significantly raises the standards which must be met for consent to be valid.
Consent must be freely given, specific, informed and unambiguous. It also requires a clear affirmative action by a consumer. This means that the days of pre-ticked opt-in boxes and opt-out boxes consenting to marketing communications are numbered. Retailers will need to keep clear records of how and when consent was given. Existing consents will need to be renewed if they don’t meet the higher standards imposed by GDPR, or if retailers are unable to provide sufficient evidence that the consent was validly given.
Contracts with suppliers
Retailers will often use other companies to deliver packages, send customer communications, analyse data, process payments and provide customer service. In order for these companies to provide such services, retailers will need to share personal information with them. Under GDPR, contracts between retailers and their suppliers must be in writing and must include certain mandatory provisions, including requiring suppliers to implement appropriate technical and organisational security measures to protect data, obliging suppliers to report data breaches, only processing data on documented instructions from the retailer and allowing and contributing to audits by the retailer.
Currently, there is no legal requirement to report a data breach to the Information Commissioner’s Office (ICO), although the ICO expects to be informed of any serious breaches.
In light of the potentially huge damage to a brand arising from a data breach (as demonstrated by the $350 million price cut agreed for the sale of Yahoo’s core internet business to Verizon following the announcement by Yahoo that it had suffered two major data hacks), many organisations currently choose not to report data breaches.
However, GDPR will introduce a new obligation on retailers and other organisations to notify data breaches without undue delay and where feasible within 72 hours of becoming aware of the breach.
Retailers will need to have a data breach response plan in place which will enable them to respond quickly and effectively in the event of a breach, to ensure damage limitation to both the brand and its customers.
Increased enforcement powers
The maximum fine for a data protection breach in the UK is currently £500,000. GDPR will introduce a two-tier system of:
- fines of up to 2% of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings; and
- fines of up to 4% of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of data protection principles, breaches of data subject rights, and so on.
Instead of registering with the ICO on an annual basis, GDPR will require organisations to maintain detailed records regarding their data processing activities, which must be provided to the ICO on demand.
Enhanced data protection rights for individuals
GDPR will also introduce new rights for individuals, including:
- changes to Subject Access Requests (SARs). The information that individuals can request pursuant to a SAR has been expanded, whilst the time frame for complying has been reduced from 40 days to one month and in most cases it will no longer be possible to charge a fee for providing the requested information and
- the right to be forgotten. Individuals are entitled to have their personal data erased in certain circumstances (for example where the data is no longer necessary in relation to the purpose for which it was collected; where the individual withdraws consent; where the data has been unlawfully processed etc). Where an organisation removes data pursuant to this right ‘to be forgotten’, it must also inform others to whom they have passed the data of the erasure request.
GDPR also introduces other new rights for individuals, including the right not to be subjected to wholly automated processing for the purposes of evaluating personal aspects such as health, personal preferences, behaviour and movements (known as ‘profiling’) and the right to receive their data in a structured, commonly used and machine-readable format or to require retailers to transfer that data to another data controller without hindrance (known as ‘data portability’).
The new rights have a number of practical implications for retailers. For example, there is currently no requirement for individuals to make any of the above requests in writing, so retailers will need to ensure that their HR, customer-facing and marketing teams are able to recognise SARs and other requests and know how to deal with them appropriately. Retailers will also need to consider who will be responsible for responding to the requests and whether they have sufficient resources to deal with them. Unless managed properly, responding to such requests could be costly in terms of staff and management time and, if mistakes are made, in terms of customer relations, brand reputation and potential fines from the ICO.
Data protection officers (DPOs)
Under GDPR, appointment of a DPO (who must be an expert in data protection law) will be mandatory for organisations whose core activities involve either the monitoring of data subjects on a large scale or the processing of special categories of data (i.e. sensitive personal data) on a large scale. The DPO must be an expert in national and European data protection law and have an in-depth understanding of GDPR.
Security and pseudonymisation
Retailers should already have appropriate technical and organisational security measures in place to protect personal data, similar to PCI DSS but for non-payment data.
Encryption technology is already a fairly commonplace tool for addressing data security, but GDPR introduces the concept of ‘pseudonymisation’, also known as ‘keycoded data’. Data is anonymised so that it can only be used to identify individuals by reference to additional information such as a unique identifier. For example an anonymised list of employees identified only by their National Insurance numbers.
Pseudonymised data is still personal data for the purposes of GDPR, but the risk of processing such data is reduced.
Whilst GDPR means greater consistency across the EU in data protection rules and regulation, which should be a good thing for both businesses and individuals, it is also likely to mean greater scrutiny and greater administrative pressures on retailers.
As easy as 1, 2, 3?
The key to compliance for retailers is:
- ensure you understand in detail how you currently deal with personal data across every aspect of your business;
- ensure you understand how the new requirements will impact your business; and
- develop a comprehensive compliance strategy, including an implementation timetable, to ensure that you are ready for 25 May 2018.
Step 1 – full information audit
The best way to understand how you currently deal with personal data is to carry out a full information audit, which should include a data mapping exercise, i.e. identifying what personal data is collected; how it is processed; where it is stored; the security measures which are in place to protect the data; how long data is retained etc.
The report produced from the audit should form the basis of the records that retailers are required to maintain in respect of their data processing activities.
Step 2 – gap analysis
The results of the audit should also enable retailers to perform a gap analysis to identify where changes are required to bring policies, procedures, processes and systems into line with GDPR.
Step 3 – compliance strategy
The outcome of the information audit and the gap analysis should together form the building blocks of the retailer’s GDPR compliance strategy. As changes to systems and processes can require a significant lead-in time, it is important that the strategy includes a timetable to ensure that the deadline of 25 May 2018 can be met.
How much retailers will need to do to bring their existing practices into line with GDPR will depend, to a large extent, on how compliant they are with the current regime. Some will have more to do than others but, in the words of the former Information Commissioner, “Don’t panic, be prepared“. Following our 3-step process will set you off on the right foot and Walker Morris will be monitoring and publishing updates as and when more information and guidance becomes available.
This article only provides a very brief overview of some of the key changes taking place under GDPR. If you have any queries or concerns relating to GDPR, or if you would like advice and assistance with undertaking an information audit or implementing a compliance strategy, please do not hesitate to contact Gwendoline Davies, Jeanette Burgess or Andrew Northage, who will be very happy to help.