With GDPR coming into force from a compliance perspective on 25th May 2018, retailers can no longer afford to put off reviewing their new obligations towards their consumers and employees.
That said, we recognise that knowing where to start can be a challenge, and so we felt it essential to try to demystify GDPR for the retail community. With retailers operating at the forefront of the consumer market, where personal data is used considerably, I expect that we have all seen the numerous headlines about new Data Subject (i.e. European citizens) powers that affect how you process their data, as well as the huge potential fines that could be levied by a more empowered Regulator (the Information Commissioner's Office, or ICO). No doubt this relentless news has also been accompanied by an increase in SPAM to your inboxes about solutions promising to address the challenges!
However, all the noise (and opportunism by some) can cloud the real issue. We must not lose sight of common sense, and should recognise that this new regulation is intended first and foremost to protect individuals (whether Customers or Employees) in an era of explosive levels of data capture, as well as to theoretically simplify common business practices for businesses operating across the EU. It is absolutely not an attempt to stifle innovation, efficiency, customer experience or sales conversion, all of which are obviously essential to the success of retail operations. As such, I recommend that GDPR be embraced to help your business demonstrate trust and transparency in the digital age.
Last week, we held our third and final (for now!) seminar with White and Black, our expert legal partners in our mission to demystify GDPR for retailers. Our focus this time was on managing your obligations relating to third party data processors. In eCommerce operations there are typically a number of data processors within your overall digital commerce operations driving customer experience; these can range from distribution services to personalisation tools, and from payment providers to hosting companies.
As a Retailer, you cannot escape being the accountable party, as the ‘Data Controller’, for ensuring that your processing of personal data for customers and employees is both fair and lawful. However, under GDPR, the third parties operating as Data Processors on your behalf also have explicit obligations that they must adhere to. In fact, it is essential that retailers recognise that they may already be committed to agreements whose term runs beyond 25th May 2018, and that these may automatically place them in breach of GDPR compliance unless issues are identified and remedied before this date. Therefore, it is essential to take steps now to audit your use of Data Processors and ensure that they are able to operate in compliance with GDPR, so that you can be confident that your business is compliant too.
The following is a quick recap of the areas we covered in the seminar, a recorded version of which can be watched here:
So, our message is simple: it is essential that Retailers have a clear plan to review all Data Processor Agreements as soon as possible and amend them where necessary in time for 25th May 2018. If a Data Processor cannot demonstrate GDPR compliance and contract on that basis with the Retailer, then the Retailer is responsible for finding and using only Data Processors that can commit to compliance. Data Processors are also liable under GDPR, and as such we would expect them to be aware of their obligations and to be taking steps to ensure compliance in order to support your business obligations.
For more detailed information on this subject, to play our recorded webinars, or to access additional resources such as our Supplier Questionnaire (to validate Data Processor capability with regard to GDPR) and a quick link to the ICO draft Guidelines for contracting with Data Processors, please go to our GDPR Hub, where these resources can be found. If you have any questions on the matter, please do not hesitate to contact us.