With just over two weeks to go until the new data protection laws come into effect, Drapers asks legal experts for their advice on what retailers can do to ensure compliance – and avoid penalties – at this stage.
The General Data Protection Regulation (GDPR) comes into force on 25 May, and brings wide-reaching implications for all companies that hold and process personal data.
All businesses must comply with the new European Union data protection laws, which require more transparency from companies on why they are storing personal data of citizens living within any of the EU member states and how they are using it.
GDPR will have a particular impact on the way fashion retailers use personal data they collect from customers.
Fashion retailers that rely on data to communicate with customers will have new obligations and need to ensure procedures are in place to meet those requirements. Those who fail to comply may be hit by severe penalties – a maximum fine of €20m (£17.8m) or 4% of annual global turnover, whichever is greater – so it is important to have measures in place to protect your organisation.
GDPR applies to all personal data relating to an identified or identifiable person, such as names, email addresses, photos and social media posts. The lawful bases for data processing include: consent, contract, legal obligation, vital interests, public task and legitimate interests. For retailers, consent will be essential to permit personal data processing of customer information. Requests for consent must be presented in a clear, intelligible and easily accessible form, not hidden in complicated “legalese”.
As customer consent is needed to use email addresses for marketing purposes under GDPR, many retailers have emailed customers asking whether they would like to opt in to receive marketing updates. To legally send marketing and promotional emails, the customer must have given their consent – for example, they would need to tick a box saying that they are happy for their email address to be used for marketing purposes. And it must be as easy for a person to withdraw their consent as it is to sign up in the first place, and consent can be withdrawn at any point.
Customers also have the right to be informed about what data is being kept on them and how it will be used. They may have the data rectified if it is inaccurate, and can have it erased under their “right to be forgotten”. They can also request their personal data to be sent to them in a readable format.
E-receipts are also affected. An email address given for the purpose of receiving an e-receipt can be used to send the receipt, but the email address cannot be used for marketing or any other purpose. To do so would break the law.
Crucially, GDPR introduces mandatory data breach notifications to the regulator (the Information Commissioner’s Office in the UK) within 72 hours and in some cases to the individual affected, too. Until now, data breach notifications have been voluntary.
In October, Drapers outlined how retailers such as Hawes & Curtis and Marks & Spencer were preparing for GDPR. With two and a half weeks to go, Drapers asks two legal experts what retailers can do to ensure compliance in the final countdown.
Carol Osborne, partner at law firm Bryan Cave Leighton Paisner
Which aspects of GDPR are the most pertinent to the retail sector?
Customer engagement is critical for retailers: both online and in-store retailers are always exploring new methods of connecting to their customers in a more meaningful way. Maximising customer engagement can include the collection, processing and retention of personal data, especially given the very broad definition of “personal data” under the GDPR, which includes everything from the obvious name and address to the ISP address of a customer’s computer.
What are some of the critical things retailers should be doing in the final run-up to the introduction of GDPR?
If the retailer holds large amounts of customer data, it is going to be challenging to just get started on GDPR compliance now given the imminent deadline. At a minimum, there needs to be an awareness of the incoming changes under the GDPR, an understanding at the highest level of the organisation of the potentially significant monetary penalties associated with non-compliance, and an appropriate allocation of resources dedicated to achieving compliance.
Retailers will hopefully already understand the personal data they hold – where it came from, what it is used for, who they share that data with, and why. Reviewing and updating privacy policies is obviously critical, but requires a clear and detailed understanding of the lawful basis on which the retailer intends to process data, so it can be clearly communicated to their customers.
Developing the right procedures to address a security breach, appointing a data protection officer (where applicable) and identifying the lead data protection supervisory authority for cross-border retailers should also be high on the to-do list.
What does the term “valid consent” mean and how can retailers ensure they obtain it?
If a retailer is relying on consent from a customer as the lawful basis for processing that customer’s data, the consent must be freely given – it needs to be specific, informed and unambiguous. It must also be evidenced by positive action – for example, checking a box or clicking on an accept button. Silence, pre-ticked boxes or inactivity will not be considered permissible methods of consent.
Consent also has to be verifiable, so the retailer must keep records of how consent was obtained. Relying on consent as the basis for processing data does give the customer additional rights – including the right to have data deleted and the absolute right to withdraw consent – which would not apply to other lawful mechanisms for processing data.
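The consent rules set out above (a positive action such as ticking a box, no pre-ticked boxes or inactivity, a verifiable record of how consent was obtained, withdrawal as easy as signing up) and the purpose limitation on e-receipt addresses described earlier in the article can be encoded directly in the system that holds the records. The following is an added example, not code from the article or from either law firm; the purpose labels, action names, form names and the customer addresses are constructed for illustration. It keeps an append-only, hash-chained ledger of consent events so that the retailer can produce evidence of how and when consent was given or withdrawn, and refuses to record "consent" that was not evidenced by a positive action.

```python
"""Consent ledger demo (added example; not from the Drapers article).

Encodes: consent needs a positive action (no pre-ticked boxes, silence or
inactivity); every decision is recorded verifiably; consent is purpose-specific
(an address given for an e-receipt is not usable for marketing); withdrawal is
a single click and takes effect immediately.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json

# Evidence the article counts as a positive action (constructed action labels).
POSITIVE_ACTIONS = {"checkbox_ticked", "accept_clicked"}
# Evidence the article says is not valid consent.
NON_CONSENT = {"pre_ticked_box", "silence", "inactivity"}


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str     # constructed purpose labels: "marketing" or "e_receipt"
    granted: bool    # True = consent given, False = consent withdrawn
    action: str      # how the customer's choice was evidenced
    source: str      # the form, page or till screen that captured it
    at: str          # ISO 8601 UTC timestamp
    prev_hash: str   # digest of the previous entry, making the ledger tamper-evident

    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained record of consent decisions per (email, purpose)."""

    def __init__(self):
        self._events: list[ConsentEvent] = []

    def _append(self, email, purpose, granted, action, source):
        prev = self._events[-1].digest() if self._events else "0" * 64
        ev = ConsentEvent(email.lower(), purpose, granted, action, source,
                          datetime.now(timezone.utc).isoformat(), prev)
        self._events.append(ev)
        return ev

    def grant(self, email, purpose, action, source):
        # Only a positive action is recorded as consent; anything else is refused.
        if action in NON_CONSENT or action not in POSITIVE_ACTIONS:
            raise ValueError(f"{action!r} is not a positive action; consent not recorded")
        return self._append(email, purpose, True, action, source)

    def withdraw(self, email, purpose, action="unsubscribe_clicked", source="email_footer"):
        # Withdrawal is one click from the email footer: as easy as signing up.
        return self._append(email, purpose, False, action, source)

    def has_consent(self, email, purpose) -> bool:
        # The most recent event for this (email, purpose) pair decides.
        latest = None
        for ev in self._events:
            if ev.email == email.lower() and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def evidence(self, email, purpose):
        # The audit trail a regulator or customer can be shown.
        return [ev for ev in self._events if ev.email == email.lower() and ev.purpose == purpose]

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for ev in self._events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True


def may_send(ledger, email, purpose) -> bool:
    """Purpose limitation: use an address only for the purpose it was consented to."""
    return ledger.has_consent(email, purpose)


def demo():
    ledger = ConsentLedger()
    # Constructed scenario: a customer gives an address at the till for an e-receipt only.
    ledger.grant("Alice@example.com", "e_receipt", "accept_clicked", "till_ereceipt_screen")
    ereceipt_ok = may_send(ledger, "alice@example.com", "e_receipt")
    marketing_before = may_send(ledger, "alice@example.com", "marketing")
    # Later she ticks the (initially unticked) marketing box on the website.
    ledger.grant("alice@example.com", "marketing", "checkbox_ticked", "web_signup_form")
    marketing_after = may_send(ledger, "alice@example.com", "marketing")
    # She withdraws via the footer link; marketing stops, e-receipts are unaffected.
    ledger.withdraw("alice@example.com", "marketing")
    marketing_withdrawn = may_send(ledger, "alice@example.com", "marketing")
    ereceipt_still_ok = may_send(ledger, "alice@example.com", "e_receipt")
    # A pre-ticked box is rejected outright and leaves no consent record.
    try:
        ledger.grant("bob@example.com", "marketing", "pre_ticked_box", "web_signup_form")
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    return {
        "ereceipt_ok": ereceipt_ok,
        "marketing_before": marketing_before,
        "marketing_after": marketing_after,
        "marketing_withdrawn": marketing_withdrawn,
        "ereceipt_still_ok": ereceipt_still_ok,
        "preticked_rejected": preticked_rejected,
        "marketing_audit_entries": len(ledger.evidence("alice@example.com", "marketing")),
        "bob_has_marketing": ledger.has_consent("bob@example.com", "marketing"),
        "chain_intact": ledger.verify_chain(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keying every decision on `(email, purpose)` rather than on the address alone is that the e-receipt address never silently becomes a marketing address; the `evidence()` trail and the hash chain are what let the retailer show how consent was obtained if asked, and the `grant()` guard makes a pre-ticked box a bug that fails loudly rather than a record that looks like consent.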
Nicola Conway, associate at law firm Bryan Cave Leighton Paisner
How does the right to be deleted apply to retailers?
The right to erasure (or to have your data deleted) is one of the fundamental individual rights granted under the GDPR and applies to every business that processes data – not just retailers.
However, retailers need to consider whether they have procedures in place to actually implement a request from a customer to have their data deleted. Does the retailer’s system actually allow the retailer to locate and delete data permanently and, crucially, securely? Does the customer service team know how to initiate a request for erasure? Does everyone understand that the deletion of data must occur within 30 days of the request?
Will retailers need to change the way they profile their customers to comply with regulations?
Hopefully, even before the GDPR, retailers have been transparent with their customers about the types of profiling activity they undertake, and have given their customers an ability to opt out of profiling or tracking (through a policy or otherwise). Any profiling activity should be clearly disclosed – both in terms of the profiling technique and who is conducting the profiling.
What steps can retailers take to ensure compliance throughout their processes?
Retailers should be able to implement GDPR-compliant practices on a relatively straightforward basis. One of the more challenging issues for retailers may be understanding the scope of the data they currently hold, how it was collected and whether it can be used in a compliant way.