How Will GDPR Affect the Retail Sector?
What are some of the main concerns?
Customer Data Processing Notifications
It is already a legal requirement that organisations notify the ICO of any processing of personal data. This includes any data from which a person can be identified:
- Employment details
- Loyalty card information
- Email addresses
- Location data
Under the GDPR, data subjects have the right to restrict processing of their data. This means that, in the event that the processing of their data is restricted, the retailer may store the personal data, but not process it any further.
Under the GDPR, the importance of protecting endpoint technologies is higher than ever. This means going above and beyond standard controls and responses, and considering even the most extreme scenarios.
The retail industry is notorious for having one of the highest employee turnover rates. However, under the GDPR it is important to ensure that all staff, even those working under a temporary contract, are aware of the procedures in place to protect customer data.
Data Processing Agreements with Suppliers and Third-Parties
Within the retail sector, there is a requirement to have a written processing agreement with all data processors. This continues under the GDPR.
However, the GDPR sets out in greater depth what these agreements must contain.
They will need to specify the required security measures, as well as the data processor's duty to assist the retailer in the event of a breach or a data portability request. Data processing agreements are also likely to be negotiated more closely than before, since the GDPR introduces specific obligations for data processors.
Profiling requirements under the GDPR are separate from the existing e-Privacy rules, which still require you to obtain consent when placing cookies on an individual's device. However, the European Commission has also issued a new draft e-Privacy Regulation which is intended to replace the existing rules.
This will come into effect at the same time as GDPR. Ensuring alignment with GDPR as well as new e-privacy rules should be a top priority for retailers.
The GDPR introduces a new mandatory requirement to notify the regulator of a breach within 72 hours. In some cases, it will also be necessary to inform the affected data subjects.
Some of the most recent data breaches have involved companies within the retail sector. Therefore, it is of utmost importance that retailers carefully plan how a data breach would be dealt with.
They will also need to raise awareness among staff of the procedure that is in place, and in some cases will need to roll this information out to other groups that may be involved, such as insurers and PR agencies.
Under the GDPR, retailers will have to ensure that a customer’s consent to receive these emails is fully informed and freely given. No details about the way in which their data will be used should be hidden, or hard to find such as within a long set of terms and conditions.
Cross-Border Data Flows
In the course of becoming GDPR compliant, retailers should also identify international flows of customer and employee data. This includes flows within the organisation as well as those with third parties.
Retailers who operate overseas stores or online sales should already be complying with international data transfer legislation. In addition to these rules, the GDPR introduces a 'lead supervisory authority' which will deal with complaints and sanctions for retailers that process data across EU borders.
Do you need more information about how you can get ready for the GDPR? Arden Group has teamed up with Microsoft and Mimecast to bring you a complimentary GDPR Seminar in Birmingham. Click here to find out more information and book your place.
We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. Therefore, the views brought forward in this page are not necessarily shared by lawyers or courts.
Arden Group therefore does not guarantee that all information is factual or interpreted correctly. If you wish to ensure that you or your company are legally compliant with the GDPR, consider seeking legal or specialised advice.