Q&A

What You Need To Know About The General Data Protection Regulation (GDPR)

By The GDPR Advisory Board

EU Flag

What You Need To Know About The General Data Protection Regulation (GDPR)

The General Data Protection Regulation, or the GDPR, is the European Union’s new regulation on data and cyber-security that will become law in the EU on May 25, 2018. It’s designed to legally strengthen data protection for everyone living in the European Union, and create a single data protection regime for businesses and consumers to rely on.

The GDPR will apply to anyone doing business in the EU that handles personal data — it doesn’t matter whether you’re based in the EU or not. If your company processes, stores or transmits personal data belonging to EU residents, you’ll have to comply as well as show evidence you want to comply.

The GDPR Advisory Board took time to answer questions about training your workforce with the latest legal requirements, working to manage your data in a compliant way, and other ways to become legally compliant before the May deadline.

Q: What kind of information does the GDPR apply to?

The use and storage of personal data. Loyalty cards, purchasing information, e-shots and any personal data that you hold for your customers will all need to be handled in a GDPR compliant way. Currently, when you collect data, you have to provide individuals with certain information, such as your identity and how you plan to use their data. This is usually done via a privacy notice. Under the GDPR you will have to also outline your “lawful basis” for processing the data, detail your data retention periods and explain that the participating individual has certain rights. Such as ‘the right to be forgotten’ or, as is a concern for some major retailers ‘the right to data portability’.

Q: What are the penalties for non-compliance?

The penalties for failing to comply with GDPR will be severe: maximum fines of up to 4 percent of worldwide annual turnover or $23,500,000 (€20m) — whichever figure is greater. As well as the financial implications, the detrimental PR a public penalty can bring in the already competitive retail sector could be huge.

Q: How does the GDPR affect policy surrounding data breaches?

Data breaches are going to happen, and the regulators know it. What matters is how well you respond; and the GDPR demands that breaches are reported within 72 hours. With this in mind, having a crisis plan in place to deal with data breaches is essential, as is testing it.

Q: What rights will individuals have under GDPR?

Rights for the consumer increase considerably under GDPR — retailers will need to be responsive and avoid dodgy small print. Article 12 of the GDPR says that you must communicate with individuals about their data and the way you process it “in a concise, transparent, intelligible and easily accessible form, using clear and plain language… in writing, or by other means, including, where appropriate, by electronic means.” You also need to respond to consumers who want to invoke their right to be forgotten within one month of the request.

Q: Explain the GDPR Advisory Board and the role it plays within the retail industry?

Industry leaders and academics have joined together to create The GDPR Advisory Boar —- an easily-accessible, authoritative platform for organisations, including retailers, baffled by the implications of the forthcoming GDPR to access. Expert advice from the new ‘GDPR Advisory Board’ is available through a non-commercial website — www.gdpr-board.co.uk — where users can contact the GDPR Advisory Board with questions via a Q&A portal or by emailing info@gdpr-board.co.uk.

Professor David Stupples provides data protection advice for the UK government as well as lecturing at Cambridge University. Alfred Rolington was formerly CEO at Jane’s Information Group and is an expert in cyber-security, presenting at Oxford University from time to time. Piers Clayden is the Founder of IT and Data Security legal firm, Clayden Law whilst Nick Richards heads up the GDPR e-learning provider Me Learning.

Training provision is recommended by visiting www.melearning.co.uk/gdpr which provides cost-effective GDPR e-learning solutions written by legal experts. Legal advice can be sought by GDPR legal specialist www.claydenlaw.co.uk

Q: What do retailers need to understand about GDPR and its implications on the business?

Piers Clayden, Founder of Clayden Law and legal expert for the GDPR Advisory Board comments: “GDPR is primarily about bolstering the rights of individuals (which in a retail environment means the consumer) to give them more control over how organisations use their personal data. It is clear that the direction of travel for the UK’s regulator will be very much focused on the B2C arena when it comes to enforcement. From the retailers’ point of view, where they are going to have to really change their mind set is around (a) being totally transparent with consumers over how they plan to use their personal data; and (b) moving away from a tick box environment to one where privacy is at the heart of what they do (and being able to demonstrate that this is the case). Those retailers who are successful in doing this should bolster their reputations and build consumer trust and loyalty. For those that fail to do so, the consequences are potentially severe — not just in the form of regulatory fines, but also damages claims from individuals and loss of reputation.”

Alfred Rolington, also a member of the GDPR Advisory Board and former CEO of Jane’s Information Group adds, “At a basic level, GDPR means that the retail businesses will, like other organisations, need to be transparent concerning what client and personal data they are holding and where.

If this is not clearly done non-compliance could result in very large fines — $23,500,000 (€20million) or 4 percent of their worldwide turnover (whichever is the larger amount).

Specifically, for retailers, there are other very crucial elements at risk.

There is a large PR problem for retailers when a brand that fails to comply with GDPR as it will probably be publically reported and the effect on its business could be devastating as trust in brands is crucial for the retail arena and it could bring down household brands.”

Q: How should retail organisations plan ahead for the introduction of the GDPR and understand their obligations under the new regulations?

Expert Alfred Rolington continues, “Over the next few weeks, retailers should focus on understanding their data, where it is stored and how and how much are they storing and who is managing this data.

Retail data, because of the way retailers operate is often held on a series of databases and a significant issue for many retailers will be that data is often held on multiple databases. These databases should be reviewed and analysed for content and security.

Retailers who are operating shops, stores or online sales cross-border should already be complying with the rules on international data transfers which remain similar under GDPR.

However, some recent changes to the EU approved Model Clauses and the EU-US Privacy Shield and challenges means retailers will need to monitor these connections especially as the UK leaves the EU.

Overall an IT audit should take place and the senior management and directors should understand the compliant issues arising has been completed, businesses should develop a plan to ensure their operations are compliant and a Data Protection Officer must be appointed.

All staff and management who review and use customer data should be trained on GDPR and what the changes and security means for the business and customers.

This applies across the company and cannot be left to IT and the legal management.”

For further information and to field questions on the forthcoming GDPR please visit www.gdpr-board.co.uk or alternatively email directly at info@gdpr-board.co.uk.