How Will GDPR Affect the Retail Sector?
What are some of the main concerns?
Customer Data Processing Notifications
It is already a legal requirement that organisations notify the ICO of any processing of personal data. This includes any data from which a person can be identified, such as employment details or loyalty card information.
Under the GDPR, data subjects have the right to restrict the processing of their data. Where processing is restricted, the retailer may continue to store the personal data but may not process it any further.
Data Processing Agreements with Suppliers and Third Parties
Within the retail sector, there is already a requirement to have a written processing agreement with all data processors. This continues under the GDPR; however, the GDPR sets out in more depth what these agreements must contain.
They will need to specify the required security measures, as well as the duty of the data processor to assist the retailer in the event of a breach or a data portability request. Data processing agreements are also likely to be negotiated more closely than before, since the GDPR introduces specific obligations for data processors.
Unlike existing legislation, under which notification of a breach is voluntary, the GDPR introduces mandatory notification of breaches to the regulator within 72 hours. In some cases, the affected data subjects will also need to be informed.
Some of the most recent data breaches have involved companies within the retail sector, so it is of the utmost importance that retailers carefully plan how a data breach would be dealt with. They will also need to make staff aware of the procedure that is in place, and in some cases will need to extend this information to other groups that may be involved, such as insurers and PR agencies.
Cross-Border Data Flows
While preparing for the GDPR, retailers should also identify international flows of customer and employee data, both internally and with third parties. Retailers who operate overseas stores or sell online should already be complying with legislation on international data transfers. In addition to these rules, the GDPR introduces a ‘lead regulatory authority’, which will deal with complaints and sanctions involving retailers that process data across EU borders.
Do you need more information about how you can get ready for the GDPR? Arden Group has teamed up with Microsoft and Mimecast to bring you a complimentary GDPR Seminar in Birmingham.
We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. That means that the views brought forward in this page are not necessarily shared by lawyers or courts.
Arden Group, therefore, does not guarantee that all information is factual and interpreted correctly. If you wish to ensure that your company is legally covered under the GDPR, consider seeking legal or specialised advice.