Retailers, review your data processor’s agreements now!

(as your GDPR compliance is also in their hands!)

With GDPR coming into force from a compliance perspective on 25th May 2018, retailers can no longer afford to put off the action to look at their new obligations towards their consumers and employees.

That said, we recognise that knowing where to start can be a challenge and so felt it essential to try to demystify GDPR for the retail community. With retailers operating at the forefront of the consumer market where personal data is used considerably, I expect that we have all seen the numerous headlines of new Data Subject (i.e. European citizens) powers that impact how you process their data, as well as huge potential fines that could be levied by a more empowered Regulator (the Information Commissions Office or ico). No doubt this relentless news has also been associated with an increase of SPAM to your inboxes on solutions promising to address the challenges!

However, all the noise (and opportunism by some) can cloud the real issue, and we must not lose sight of common sense and recognise that this new regulation is intended first and foremost to protect individuals in an era of explosive levels of data capture (whether Customers or Employees) as well as to theoretically simplify common business practices for businesses operating across the EU. It is absolutely not an attempt to stifle innovation, efficiency, customer experience or sales conversion which is obviously essential to the success of retail operations. As such I recommend that GDPR must be embraced to help your business demonstrate trust and transparency in the digital age.

Last week, we held our third and final (for now!) seminar with White and Black, our expert legal partners in our mission to demystify GDPR for retailers. Our focus this time was on the subject of managing your obligations relating to third party data processors. In eCommerce operations, there are typically a number of data processors in your overall digital commerce operations driving customer experience, this can range from distribution services to personalization tools, and from payment providers to hosting companies.

As a Retailer, you cannot escape being the accountable party as the ‘Data Controller’ to ensure your processing of personal data for customers and employees is both fair and lawful. However, under GDPR, the third parties that are operating as Data processors on your behalf also have explicit obligations that they must adhere to. In fact, it is essential that retailers recognise that they may already committed in agreements that currently have a term that goes beyond 25th May 2018 and as such may automatically place them in breach of GDPR compliance unless issues are identified and remedied before this date. Therefore, it is essential to take steps now to audit your use of Data Processors and ensure that they are able to operate in compliance to GDPR to enable you to be able to be confident that your business is also.

The following is a quick recap on the areas we covered in the seminar, which a recorded version can be watched here:

  1. GDPR comes under the description of being ‘principles based regulation’ meaning it is not 100% prescriptive and must be interpreted and applied with thought and relevance by each retailer as there is no explicit standard to follow. You must assess your own risks and take a proportionate response to mitigate any risks identified, documenting your findings and decisions, tracking achievement and training your staff.
  2. GDPR works on core principles that are aimed to ensure that businesses operate both ‘fair’ (reasonable) and ‘legal’ processes and that they operate with ‘transparency’ so that consumers know what will happen to their data held by a retailer and how to interact with the retailer if they need more information or a change of action. (Revisit our recorded GDPR webinar 1 for a recap).
  3. A data controller is defined as the organization that determines the purposes and means of processing personal data. In an eCommerce arrangement, this is the retailer.
  4. A Data processor is any organization that processes the data on behalf of the data controller- whether that be storing it, analyzing it, segmenting it or any other task. A retailer could, and usually does, use any number of third party data processors.
  5. For the first time under GDPR there are now direct responsibilities imposed on Data Processors to demonstrate compliance with GDPR.
  6. Both Data Processors and Data Controllers must be able to comply with the new rights of the Data Subject such as the right to be forgotten or the right to withdraw consent. (Revisit our recorded webinar 2 on GDPR for a recap on this)
  7. Data Processors have direct responsibilities under GDPR that they must achieve.
  8. Data controllers must audit the data they capture and process (including those of relevant Data Processors), taking appropriate steps to secure the data and to regularly minimise the amount of data held so it is only held for fair and lawful processes that your customers and employees have agreed to/are aware of.
  9. There are clear requirements for Retailers to ensure that they exercise diligence when selecting service providers (data processors) to ensure they are able to be compliant to GDPR before entering into contracts with them.
  10. Doing contractual reviews of your current Data Processors early is key! Many retailers will have contracts that do not expire before the deadline, it is essential to review, and renegotiate these contracts where applicable. On our GDPR hub we have shared a questionnaire you can use with the suppliers you rely on.
  11. When updating your Privacy Policy and adapting them to be more accessible Fair Process Notices in the customer journey, you need to ensure they accurately reflect or cover the responsibilities covered by third parties Data Processors so that your statements are accurate and valid, back to back, with your contractual position with data processors.

So, our message is simple, it is essential that Retailers have a clear plan to review all Data Processor Agreements asap and amend them where necessary in time for the 25th May 2018.  If a Data Processor cannot prove to be GDPR compliant and contract as such with the Retailer, then the Retailer is responsible to find and use only Data Processors that can commit to compliance if your current suppliers cannot.  Data Processors are also liable under GDPR and as such we would expect them to be aware of their obligations and taking steps to ensure compliance in order to support your business obligations.

For more detailed information on this subject, to play our recorded webinars, or, to access additional resources like our Supplier Questionnaire (to validate Data Processor capability in regard to GDPR) and a quick link to the ICO draft Guidelines for contracting with Data Processors, please go to our GDPR Hub where these resources can be found. If you have any questions on the matter, please do not hesitate to contact us.

want to see more?