Get ready for GDPR

The EU’s General Data Protection Regulation legislation will come into force in May 2018. Sean Farrell offers a guide to what retailers should do in order to be prepared

Data is crucial for retailers to understand, tailor offers to and keep in touch with customers. That’s why businesses need to be on top of big EU-driven changes to data laws that take effect in less than three months.

The General Data Protection Regulation (GDPR) will replace the 1988 Data Protection Act on 25 May 2018. It dictates how businesses collect, store and use personal information about anyone – not just consumers but employees too. GDPR’s main aims are to give control of personal data back to individuals and to simplify rules for international businesses by harmonising EU regulation.

These intentions sound reasonable enough but GDPR imposes big additional obligations on businesses, while getting it wrong can lead to fines of up to €20m or 4% of annual turnover.

Here are GDPR’s basic requirements:

• Companies with more than 250 employees must appoint an independent data protection officer to make sure the business collects and secures personal data

• GDPR applies to smaller businesses if they handle data that is likely to put rights and freedoms of the data subjects at risk or if data is used regularly

• Customers must give their active consent for businesses to use their data for marketing or profiling

• Data breaches must be reported immediately to the Information Commissioner’s Office (in the UK) – ideally within 24 hours and within 72 hours at the latest

• People (not just customers) have the “right to be forgotten” if they withdraw consent or data relating to them isn’t needed any longer

Retailers are likely to find GDPR particularly challenging. Data is the key to understanding customers and many retailers rely on large troves of information built up over time as customers have interacted with them. This, along with their high profile, makes retailers obvious prey for hackers and opportunistic claims, which are both likely to increase under GDPR.

All this means extra costs and management time, both in preparation for GDPR and in staying up-to-date with its demands. GDPR’s scope is wide. As well as emails and purchase histories, it also covers video, CCTV and eyetracking data as well as old-style paper forms. Any information a retailer holds on a customer is covered by the regulation.

Some customer-facing companies have changed their approach radically ahead of GDPR. Last year, JD Wetherspoon scrapped its customer newsletter by deleting data it held on almost 700,000 customers. Now the pub chain uses social media and its website to tell customers about curry nights and other promotions.

Most retailers won’t feel able to take such drastic action, since data holds the key to the personalised offers consumers increasingly expect. GDPR creates the challenge of holding onto the data businesses need in order to keep in touch with customers and compete with rivals while still complying with this tough new regime.

Everyday examples of considerations for retailers adapting to GDPR include:

• To send offers or promotions to a customer’s email address, businesses now need active consent. This means businesses spelling out how they intend to use the customer’s email and giving customers a clear opportunity to say no. The days of pre-ticked boxes are over

• Loyalty schemes are the most obvious examples of profiling – the automated collection of information about a customer’s behaviour and preferences. Profiling will require consent if it has a “legal effect” – this probably allows adverts based on habits but offers restricted by profiling may well fall foul of GDPR

• Stricter rules on security breaches don’t just mean bigger fines. There’s reputational risk, too. Customers don’t like their data being hacked and headlines can damage a business even if the hackers don’t get to the vital information. So are systems as secure as they should be and is your business ready to respond to a data breach?

Rules empowering individuals are almost certain to attract vexatious activity from consumers seeking compensation, disgruntled employees and claims handlers. This is more likely because the £10 fee companies can charge to provide someone with their data has been scrapped. Privacy campaigners may also try to make examples of companies that don’t comply fully with GDPR.

Companies have had two years to get ready for GDPR but many businesses remain unprepared for the looming deadline. A survey by the Institute of Direct and Digital Marketing in February found only half the companies surveyed had appointed a data protection officer and more than half hadn’t carried out GDPR training for employees.

If your business hasn’t done this already, here are some of the key actions to take to get ready for GDPR:

• Carry out a data audit. What data is held, where and in what form? What is it used for? Delete any data that’s not needed, making sure it’s gone forever

• Review systems and suppliers to make sure your company has a view of each consumer and can provide them with a clear, timely account of what data is held on them. Make sure your company has consent for using customers’ data and that customers’ consent is given actively

• Appoint a data protection officer if required. This person must be independent and report to the highest level at your company. They can be an existing employee as long as this doesn’t create a conflict of interest

• Train your staff and be sure to have the right people in place. The Information Commissioner’s Office says: “You must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR”

• Make sure your company can deal with a data breach. Do staff know what to do? Who else does your company need to involve, such as insurers and suppliers. Has your company got a communication strategy?

There’s no doubt GDPR creates an extra burden but there’s an opportunity here too. All too often data sits in silos with little coordination using outmoded technology. By forcing retailers to review how they handle data, GDPR is a wake-up call to think strategically about contact with customers to achieve better communication, earn trust and provide a better experience to the consumer.