Despite the fact that the General Data Protection Regulation (GDPR) comes into force in less than 60 days, many retailers are still racing to make the changes to their data handling practices needed to comply with it. This is according to eCommerce retail systems integrator Tryzens, which states that the retail community must deploy a risk-based approach to the GDPR if it is to achieve compliance by the deadline.
Coming into force on 25th May 2018, the GDPR is designed to better protect citizens’ data and harmonise legislation across Europe. The regulation brings about a number of new practices that organisations must be able to demonstrate in relation to Personally Identifiable Information (PII). GDPR also gives individuals much more transparency and control over what companies can do with their personal data, whilst also aiming to simplify the free flow of information across EU Member States.
Andy Burton, CEO of Tryzens, has advised that while there are materially larger fines that the ICO can impose for breaches of GDPR (up to 4 per cent of annual turnover or €20 million), focusing solely on this punitive risk is the wrong basis for getting ready for it. Instead, he suggests that retailers should adopt a practical, risk-based approach (RBA) to GDPR. In other words, they should identify the extent and nature of personal data held by their business, its current relevance to their operations, the security measures in place to protect it, and their dependence upon third-party data processors, who also have to demonstrate compliance.
By understanding these areas of risk, retailers can prepare their processes, manage and minimise their retention of personal data, and educate their staff to help ensure they operate in a compliant way and are able to address questions or requests that may arise from their customers and employees.
Burton explained: “GDPR is a principles-based regulation and this means that there is not a one-size-fits-all approach to achieving compliance. However, we believe that retailers can achieve operational readiness by undertaking a risk-based approach that examines the nature of the data being held and for what purpose. While the tactics for this may vary from one organisation to the next, this method should help retailers by exposing any potential risks. From this, retailers can then create and initiate a plan of action that is relevant to the level of the risks identified, while also determining how personal data will be captured, managed, protected and controlled to ensure fair and lawful processing.
“Ultimately, GDPR requires a fundamental review of personal data management by each retailer – be they traditional or a born-in-the-cloud etailer. To that end, considering the topic is so broad and the clarity of interpretation of the new regulation is still unproven in practice as it is not yet in force, we believe that a risk-based approach is essential to becoming compliant in an efficient, effective and timely manner,” Burton said.
Tryzens, in collaboration with specialist law firm White & Black, has outlined the following approach to help retailers review their internal operational procedures for managing personal data:
Hopefully, by now most retailers will have progressed to the Implementation phase; if they have not, Tryzens urges them to take the steps needed to enable them to demonstrate compliance before the May deadline.
For more detailed information on GDPR for retailers, please visit the Tryzens GDPR Hub.