Appoint an internal owner and take a pragmatic risk-based approach
Designed to better protect EU citizens’ data and harmonise legislation across Europe, the General Data Protection Regulation (GDPR) brings in a raft of new guidelines and requirements that retailers need to be aware of. That said, much of it reinforces the Data Protection Act already in place, but with a greater emphasis on ensuring and demonstrating compliance.
At the heart of the initiative is the intent to support the increasingly digital economy, to build trust and to help protect consumers (data subjects) from the risk of their personal data being compromised and misused.
Yes, there are of course material fines that the ICO could impose from 25th May 2018, but focusing on those is the wrong basis for getting ready for GDPR. Instead, retailers should be looking to demonstrate that they take the fair and lawful processing of personal data seriously and that they can be trusted.
Because GDPR is a principles-based piece of regulation, every retailer needs to be able to demonstrate and evidence the review, actions and processes it has undertaken and put in place. There is no single approach that everyone can print out, copy and present as their position.
In the second instalment of our three-part seminar series – in collaboration with law firm White & Black – we set out to further demystify GDPR in order to help the retailer community establish a practical, best-practice approach to preparing to demonstrate GDPR compliance.
Discussions centred on how retailers can achieve operational readiness through a risk-based approach (RBA) that looks at the nature of the data being held and the purposes for which it is being processed, in order to identify and assess the significance of any potential risks. From this understanding a plan of action can be created that is proportionate to the level of those risks and that shows how the relevant personal data will be captured, managed, protected and controlled to ensure fair and lawful processing.
White & Black outlined the following logical approach to help you review internal operational procedures when it comes to managing personal data:
- Planning: This is very much a workshop activity for the key stakeholders in the management of functions and technology. It involves whiteboard sessions to identify the core data captured, the processing activities, the scope of the systems impacted and any third parties that may be involved as Data Processors. The aim is to scope out the activity needing further investigation, identifying and grading key potential risks and areas for audit focus. It is also essential to appoint an overall owner for the GDPR activity to manage the various stakeholders and deliver the plan.
- Data Audit: Retailers will need to map out the data captured and the systems impacted. This may be best achieved through structured interviews with functions and stakeholders, ensuring all avenues are covered and that consensus can be reached on the risk associated with the data currently held and the practices followed, so that protection of customers’ and employees’ personal data can be improved. Formalise the outputs into a document where the risks can be ranked and reviewed, and collate supporting records alongside it, such as current privacy notices, supplier contacts and customer forms. This will form the basis of a risk register on which the mitigation plans can be based and monitored.
- Analysis: Key stakeholders should actively review the risk register and the grading and prioritisation of risks, and establish a regular mechanism for reviewing progress ahead of the 25th May 2018 deadline. Retailers should report at Board/Executive management level on the core risks identified, formulate key organisational recommendations, and actively monitor the completion of tasks and the closing of risks.
- Implementation: Key within this part of the plan is to redefine notices and prepare materials (privacy notices, amended supplier contractual clauses, validated security and data protection processes and systems, breach notification etc.), but it is also about preparing the business to handle the many rights of consumers regarding their data, such as the right of erasure (often called the right to be forgotten) as well as the rights of objection, access, data portability etc. Arguably, ensuring there are processes in place, manual or automated, to handle these rights could be a bigger hurdle for many retailers to implement and support. This brings us on to the other key process in implementation: ensuring all staff are effectively trained in the importance of GDPR and what it means to them practically, day-to-day.
GDPR will require a fundamental review by each retailer, be they traditional or born-in-the-cloud retailers operating purely online. Given that the topic is so broad and the clarity of interpretation still immature, we believe that a risk-based approach is essential to becoming compliant in an efficient, effective and timely manner.
The following is a summary of the key messages from this session:
- GDPR and e-Privacy are parallel forces impacting ecommerce during the transition to common standards. Marketing and online purchasing have different obligations and constraints over the next couple of years as these two pieces of legislation evolve.
- Retailers need to consider how to clearly demonstrate compliance in the online user journey and data capture processes, so that these are seen to be both fair and lawful. Of course, this needs to be as friction-free as possible, and we demonstrated some concepts as to how this could be achieved.
- The new (and strengthened) rights of consumers (data subjects) will require clear external and internal processes that can be followed. This arguably has the greatest administrative burden under the new regulations.
- Retailers need to take a risk-based approach to mitigating the risks of data loss or misuse in order to protect their customers and employees.
- Third parties are commonplace in eCommerce, but understanding their role as Data Processors is critical to ensuring appropriate contracting and processes to control risk. The retailer remains ultimately liable for those third parties’ actions when it comes to its own customers.
- A clear internal owner and a clear plan for achieving compliance should be a top priority for every retailer right now to ensure a viable and sustainable approach is implemented, well before the 25th May 2018.
Our next seminar will explore in some depth how retailers can practically and effectively manage the increasingly complex area of third party suppliers: what data they process, where they process and store it, and what terms and conditions are in their agreements.
For more information on this session, please go to our GDPR Hub.