Tryzens urges retailers to complete their GDPR compliance obligations within 60 days

The retail community is under pressure to demonstrate clear processes to mitigate the risk of data loss or misuse and to protect the digital records of customers and employees.

Despite the fact that the General Data Protection Regulation (GDPR) is coming into force in less than 60 days, many retailers are still racing to make the changes to their data handling practices needed to comply with it. This is according to eCommerce retail systems integrator Tryzens, which states that the retail community must deploy a risk-based approach to the GDPR if it is to achieve compliance by the deadline.

Coming into force on 25th May 2018, the GDPR is designed to better protect citizens’ data and harmonise legislation across Europe. The regulation brings about a number of new practices that organisations must be able to demonstrate in relation to Personally Identifiable Information (PII). GDPR also gives individuals much more transparency and control over what companies can do with their personal data, whilst also aiming to simplify the free flow of information across EU Member States.

Andy Burton, CEO of Tryzens, has advised that while there are materially larger fines that the ICO can impose for breaches of GDPR (to the sum of 4 per cent of annual turnover or €20 million), focusing solely on this punitive risk is the wrong basis for getting ready for it. Instead, he suggests that retailers should adopt a practical, risk-based approach (RBA) to GDPR. In other words, this means identifying the extent and nature of personal data held by their business, its current relevance to their operations, the security measures in place to protect it, and the dependence upon third-party data processors who also have to demonstrate compliance.

In understanding these areas of risk, retailers can prepare their processes, manage and minimise their retention of personal data, and educate their staff to help ensure they operate in a compliant way and are able to address questions or requests that may arise from their customers and employees.

Burton explained: “GDPR is a principles-based regulation and this means that there is not a one-size-fits-all approach to achieving compliance. However, we believe that retailers can achieve operational readiness by undertaking a risk-based approach that examines the nature of the data being held and for what purpose. While the tactics for this may vary from one organisation to the next, this method should help retailers by exposing any potential risks. From this, retailers can then create and initiate a plan of action that is relevant to the level of the risks identified, while also determining how personal data will be captured, managed, protected and controlled to ensure fair and lawful processing.

“Ultimately, GDPR requires a fundamental review of personal data management by each retailer – be they traditional or a born-in-the-cloud etailer. To that end, considering the topic is so broad and the clarity of interpretation of the new regulation is still unproven in practice as it is not yet in force, we believe that a risk-based approach is essential to becoming compliant in an efficient, effective and timely manner,” Burton said.

Tryzens, in collaboration with specialist law firm, White & Black, has outlined the following approach to help retailers review internal operational procedures when it comes to managing personal data:

  1. Planning: This is very much a workshop activity of key stakeholders in the management of functions and technology. It would involve whiteboard sessions to identify the core data captured, processing activities, scoping of the systems impacted and any third parties that may be involved as Data Processors. The aim is to scope out the activity needing further investigation, identifying and grading key potential risks and areas for audit focus. It is also essential to appoint an overall owner for the GDPR activity to manage the various stakeholders to deliver the overall plan.
  2. Data Audit: Retailers will need to map out and track the data captured and systems impacted by the use of personal data. This may be best achieved by formulating structured interviews with functions and stakeholders to ensure all avenues are covered. A consensus should also be gained on the risk associated with current data held and practices followed in order to improve the protection for your customers' and employees’ personal data. Formalise the outputs in a document where the risks can be ranked and reviewed, and where additional data records, such as current privacy notices, supplier contacts, and customer forms, can be collated alongside. This will form the basis of a risk register on which the plans to mitigate can be based and monitored.
  3. Analysis: Key stakeholders should actively review the risk register and the grading and prioritisation of risks, and establish a regular mechanism for reviewing progress ahead of the 25th May 2018 deadline and regularly thereafter to ensure policy and practice are being maintained. Retailers should report at Board/Executive management level on core risks identified, formulate key organisational recommendations, and actively monitor the completion of tasks and the closing of risks.
  4. Implementation: Some of the more obvious areas that will typically need to be addressed by retailers will include: the appointment of an overall owner within the business for the Data Protection responsibilities; updating the nature and access to the Privacy Policy/Fair Process Notices to simplify and transparently articulate the basis of processing personal data; amending supplier contractual clauses for Data Processors to ensure they are in line with the retailer's contractual practices; regularly testing security and DP processes and systems; publishing processes to facilitate customers or employees who wish to exercise their rights over personal data under GDPR; and, not least, training employees on what GDPR means for them as representatives of the business and as individuals, etc.

Hopefully by now, most retailers will have progressed to the Implementation phase; however, if they have not, Tryzens urges them to ensure they take the steps needed to enable them to demonstrate compliance before the May deadline.

For more detailed information on GDPR for retailers, please go to Tryzens GDPR Hub.
