As of May 25, 2018, the European Union (EU) started enforcing the General Data Protection Regulation (GDPR). If your business is among the half of regulated businesses that are not yet compliant, it’s time to comply with the new regulations and avoid costly fines.
Who does it affect?
The GDPR is the European Union’s new data protection law, which expands the rights of individuals to control how their personal data is collected and processed and applies to any business, regardless of whether it’s based in the EU or anywhere else in the world, that either:
- Collects personal information from people in the EU
- Monitors behavior of people in the EU
The implications of GDPR for retail don’t necessarily mean you are required to comply simply because people in the EU can access your company’s website. However, an e-commerce website that offers goods or services and accepts payment information would likely be subject to these regulations.
If these criteria apply to your retail business, set a course for GDPR compliance by:
1. Taking ownership
Complying with GDPR for retail businesses won’t happen on its own. It will take time and resource allocation from several different levels. The chief technical officer, in-house legal counsel and C-level management and directors should all be involved.
2. Training all company employees
All employees should be trained on data management best practices. Retailers should be prepared to put transparency and data ethics at the center of corporate culture. This means ongoing enterprise-wide training for all employees.
3. Clarifying personal data and creating transparency
You’ll want to inform users — in clear, layman’s terms — about the personal data you collect, how it’s collected, why it is collected, and how you are using it.
You should also detail how you are securing that data. For example, include how long it’s stored, who has access to it (including third parties), and if you use cookies.
GDPR, for retail, will also require you to inform users how they can control any aspect of data usage, for example, whether they can ask for their purchase histories to be erased, and how complaints can be submitted.
4. Communicating Your Privacy Policy
Send an email notifying users of Privacy Policy updates. You will also need to obtain consent before collecting basic personal information. Add Privacy Notices, or concise, informative phrases, in places where you’re asking for consent to collect data to help users understand what they are consenting to. Remember, transparency is the ultimate goal with GDPR for retail and any other business collecting data in the EU.
5. Performing an assessment
Ask yourself what personal data you are processing or having processed on your behalf. This may include encrypted data, public data, dynamic IP addresses — even social media posts. Then ask whether any of it belongs to EU residents or is processed in the EU. If so, then you’ll need to move on to the next step of data mapping.
6. Mapping data
Track what data you handle. You’ll need to understand where it comes from, who it is shared with, what is done with it, and what risks the data is subjected to.
7. Developing your action plan
Once you have an understanding of the data your business manages, you’ll be able to develop a strategy for complete compliance with GDPR for retail activities. Working with an outside data privacy consultant may give you better insight into what steps to take to comply with the new regulation. If you are not in compliance now, it may be a good idea to prioritize externally facing compliance indicators, which are the factors that enforcement authorities would see first. These include things like how you handle data subject requests and public-facing privacy policies or statements.
What if I don’t comply?
The impact of GDPR for retail is no small matter. Retailers that are not compliant could be subject to fines of up to 20 million euros (equivalent to nearly 24,000,000 USD) or 4% of the corporate group’s annual global revenue during the prior year, whichever is greater. So, if you haven’t established a strong action plan for GDPR compliance, it’s definitely time to begin.