Getting to grips with GDPR – cutting to the chase

Brexit or no Brexit, the General Data Protection Regulation (GDPR), which protects the personal data of people living in the EU and standardises practice for businesses operating across the EU, was adopted in 2016 and applies directly in every Member State from 25th May 2018.

As with any new regulation, a lack of clarity can give rise both to confusion among those who are affected and to opportunism from people looking to make a quick buck. This Fear, Uncertainty and Doubt (FUD) gets in the way of understanding what the regulation really means for businesses and for the people charged with managing their way through it. With retailers operating at the very forefront of consumer interaction, we felt it essential to demystify the subject and provide guidance on what needs to be understood and what preparations need to be made.

I expect we have all seen the big GDPR headlines about new consumer rights and large potential fines from a more empowered regulator (in the UK, the Information Commissioner's Office, or ICO), and have noticed the rise in marketing spam warning of the risks. However, we must not lose sight of common sense, or of the fact that this regulation is intended to protect individuals and to support common business practice across the EU. It is not an attempt to stifle innovation, efficiency or great customer experience, which are at the heart of retail operations.

This led us to collaborate with White & Black, a law firm with expertise in a range of commercial law and regulation, and together we have created a series of free briefings to help the retail community get to grips with the subject. We hosted the first of these seminars on 25th July to set out the basic building blocks of GDPR preparation.

First and foremost, it is important to understand that GDPR is 'principles-based regulation': it is not 100% prescriptive and must be interpreted and applied with thought and relevance by each retailer. Its principles open with three core requirements: that businesses process personal data 'fairly' (reasonably) and 'lawfully', and that they do so with 'transparency', so that consumers know what will happen to the data a retailer holds about them and how to contact the retailer if they need more information or want something changed.

In our first seminar we explored:

  1. What personal data really means today, and the fact that its range has grown to include the identifiers of the devices we use (e.g. a mobile or a laptop) and the IP addresses from which we shop online. We also discussed the distinction between ordinary personal data and 'special category' data (such as health data or sexual orientation) and the stricter rules that apply to the latter.
  2. What constitutes lawful processing of personal data, and the role of a third-party system provider as a 'data processor' working for the retailer, who is the 'data controller'. Processing must rest on one of the lawful bases set out in the Regulation; for an eCommerce operation the three that matter most are Performing a Contract, Legitimate Interests and Consumer Consent. Except where special category data or marketing communications are involved, consent is possibly the weakest basis for an eCommerce operation: it must be freely given, specific, informed and unambiguous, it must be evidenced, and it can be withdrawn at any time.
  3. How Privacy Notices have evolved into Fair Processing Notices, and how these will now need to be raised in prominence from their traditional position in a website footer to being referenced or linked to within the customer journey. That said, it is not necessary to introduce additional steps, nor to require a consent or click-through; it is better simply to show the consumer, at the relevant point, that more information is available on the retailer's approach to fair and lawful processing.

The key take-aways from the first session were:

  1. Retailers must assign a clear internal owner for GDPR to work through the programme of activity needed to demonstrate readiness and compliance.
  2. Retailers must review the 'personal data' they hold on consumers as soon as possible to determine whether it is valid, current and needed (and which third parties rely on it).
  3. Retailers should delete personal data that is not required for fair and lawful processing.
  4. Retailers should validate their fair processing requirements and review how and where to introduce consumers to these notices without negatively impacting customer experience, activity or conversion.
  5. Except for marketing and/or the capture of special category personal data (e.g. sexual orientation, medical data), retailers should avoid relying on consumer consent as the basis for processing personal data. If you do rely on consent, you should be able to evidence that the consent you hold is valid, or request it afresh if you cannot.

Actioning all of these steps will require new internal procedures. In our second seminar we will share our thoughts on the practical steps for reviewing the internal operational procedures that govern personal data. For more information on this session, please go to our GDPR Hub.