A RETAILER'S RESPONSIBILITY AND LIABILITY UNDER GDPR
AN INTRODUCTION TO NEW DATA PRIVACY REGULATION FOR THE RETAIL SECTOR, ONLINE AND IN-STORE
THE COUNTDOWN TO ENFORCEMENT: 25th May 2018
Contents
PART ONE What is GDPR and when does it come into force?
PART TWO Key points for review
PART THREE Considerations and conclusions
PART FOUR Getting ready for GDPR
PART ONE

What is GDPR?
The GDPR (General Data Protection Regulation – EU 2016/679) is a Regulation adopted by the European Union which is designed to harmonise the approach to the protection and privacy of all personal data about EU citizens in connection with the offering of goods or services or monitoring their behaviour within the EU. Its aim is to improve accountability of those processing personal data and increase transparency in order to enhance consumer confidence in organisations that hold or process their personal data. GDPR will also standardise the approach to the free flow of information across European Union members, although there are still some areas where member states can legislate.
Notably, GDPR encompasses all key elements from Article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life, as well as in the home and in personal correspondence.
This is one of the most wide-ranging pieces of legislation passed by the EU in recent years, and irrespective of Brexit, will become law in the UK. Currently, in the UK the Data Protection Act 1998 governs the processing of personal data and this Act implemented the 1995 EU Data Protection Directive (Directive 95/46/EC), but this will be superseded by the new Regulation.
It cannot be overstated that GDPR introduces higher bars for compliance and significant fines for non-compliance and data privacy breaches, and it gives individuals much more control over what organisations can do with their data. It also makes data protection rules more or less identical throughout the EU, something the existing data protection legislation fails to achieve.
In practical terms, GDPR also introduces a wide range of new data subject rights that retailers must provide to consumers such as the ‘right to be forgotten’, right to object, the right of accountability and timelines for data breach notifications, data portability and the need for organisations to have formal processes and accountable people in place.
When does GDPR come into force?
The GDPR entered into force on 24 May 2016, although full enforcement will not begin until May 25th 2018. GDPR will apply to all personal data held by an organisation regardless of when it was originally created, stored or processed. Given that it is an EU Regulation, the GDPR will be directly effective across all Member States without the need for implementing national legislation.
What does this mean to my business?
This Guide is intended to summarise the key changes that are coming into force in May 2018 and to identify how they impact retail organisations across the EU. It includes a checklist of recommendations as to what action may need to be taken to ensure your business is compliant by default. This guide is not comprehensive guidance on the GDPR and does not constitute legal advice. Readers should not rely solely on this document but should take appropriate formal legal advice and guidance on the requirements of GDPR and their own compliance to ensure their organisation’s response to GDPR is appropriate, timely and relevant.
Background to GDPR
The drivers behind the GDPR are twofold:
1. The EU wants to give individuals more control and transparency over how their personal data is used. Since the current data protection legislation was enacted there have been significant technological advances which have resulted in an unprecedented global flow of data. The Internet and cloud technology have created new ways of capturing, tracking and exploiting data, and the GDPR seeks to address this through a broader definition of what constitutes personal data, by strengthening data protection legislation and by introducing tougher enforcement measures. Through these changes the EU hopes to improve trust in the emerging digital economy, which is critical to the success of the online and omni-channel retail market.
2. The EU wants to give all businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market. Whilst it is hard to relate costs to the retail sector specifically, the EU estimates this will save all businesses a collective €2.3 billion a year.
Scope of GDPR
GDPR extends the reach of existing data protection law, encompassing the following critical areas:
1. Where personal data is processed by an EU based data controller and processor; or
2. Where no EU presence exists, the GDPR will still apply when an EU citizen’s personal data is processed in connection with any goods or services offered to them – specifically relevant to non-EU online retailers; or
3. Where the behaviour of individuals is ‘monitored’ within the EU.
The GDPR will apply to retail organisations with physical or online sales outlets operating in the EU, and to those which promote or sell advertising or marketing to EU residents. It will also apply in regard to retailers’ employee data.
A key part of the GDPR is how responsibility is assigned for data – and this has huge implications for eCommerce service providers and any other third party dealing with a customer’s data.
To understand this change, it’s worth reminding ourselves of key terminology:
■ Data controller/controller: This is the organisation that determines the purposes and means of processing personal data. In an arrangement where an end user works with a SaaS or other form of as-a-service operations for its IT infrastructure, this is the end user organisation.
■ Data processor/processor: This is any organisation that processes the data on behalf of the data controller, whether that be storing it, analysing it, segmenting it, or any other task. In the above arrangement, this may include a SaaS, Managed Service or cloud/hosting provider.
GDPR vs existing Data Protection Act at a glance

Focus: Level of fines
Current DPA/EU Directive: Up to £500k in UK.
New GDPR position: The higher of:
• Level 1 (typically breaches of obligations by controllers or processors) – 2% of global turnover (not profit) or 10m Euros.
• Level 2 (typically breaches of the rights or freedoms of a Data Subject) – 4% of global turnover or 20m Euros.
Impact on Retailers: The fine is not limited to a Brand or the UK but can relate to an undertaking’s worldwide turnover.

Focus: Record of processing activities
Current DPA/EU Directive: Requirement to notify the relevant Authority before processing.
New GDPR position: Organisations will need to keep records of the controller’s processing activities, but there is no longer an obligation to notify DPAs.
Impact on Retailers: Retailers should proactively identify all Personal Data held, including that provided by third parties that is not anonymised or pseudonymised, and ensure that it is relevant and secure.

Focus: Rights of data subject
Current DPA/EU Directive: Various rights, notably right of access to their data, right of rectification and right to object to direct marketing.
New GDPR position: New Right to be forgotten (Erasure) and Right to Portability, and an enhanced right of access to their data. These rights are not absolute.
Impact on Retailers: Retailers must be able to remove and/or grant review access to a customer’s personal data across all channels and systems it is held within.

Focus: Consent
Current DPA/EU Directive: Generally, rely on implied consent.
New GDPR position: Requirement is to demonstrate freely given, specific, informed and unambiguous consent for the processing of personal data.
Impact on Retailers: Consumer consent to store and use personal data may not be assumed and has to be positively verified. Consumers must be able to revoke consent as easily as they give it. Data processing notices need to give information at the time of seeking consent. Bundled consents are not sufficient.

Focus: Data processors
Current DPA/EU Directive: Limited exposure to regulator for processing activity.
New GDPR position: Processors are included under GDPR, and Controllers must conduct Due Diligence into a Processor’s suitability and appoint the processor in the form of a binding written agreement that complies with GDPR. Processors will then have direct obligations such as keeping a record of their processing activities and an obligation to notify any data breach to the controller without undue delay.
Impact on Retailers: Relevant third parties need to be included in the retailer’s audit of GDPR compliance, notably so in eCommerce and digital operations.

Focus: Security obligations
Current DPA/EU Directive: Broad but vague requirement for an adequate level of security.
New GDPR position: Specific requirements introduced around monitoring activity, data encryption and anonymisation, on-going reviews of security measures, regular security testing, and redundancy and back-up facilities.
Impact on Retailers: Proactive review of internal and third party security policies to ensure adequate precautions are in place to protect personal data.

Focus: Scope of personal data
Current DPA/EU Directive: Any data relating to an identified or identifiable natural person. Includes sensitive personal data like ethnicity, religion, health.
New GDPR position: Extended to cover advances such as biometric, location data and genetic data.
Impact on Retailers: In addition to standard information, the obligation extends to include data captured through tracking a user’s device, IP address(es), browsing history & cookies, and delivery addresses.

Focus: Identifiable person
Current DPA/EU Directive: One who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors relating to physical, physiological, mental, economic, cultural or social identity.
New GDPR position: Includes an identifier such as a name, location data, online identifier or genetic data. The use of Anonymisation and Pseudonymisation techniques can reduce the burden on organisations by increasing the difficulty for any unintended person accessing data to identify individuals.
Impact on Retailers: Online identifiers, cookies, BGI (browser generated information) [for singling out] and mobile devices, IP addresses and MAC addresses. The pursuit of goals for enhanced Personalisation to and targeting of consumers does create a heightened risk around the level of data held or used to identify an individual and increases the scope of data to be managed.

Focus: Supervisory authority
Current DPA/EU Directive: Limited enforcement powers under national law.
New GDPR position: Wide-ranging powers being granted under the GDPR.
Impact on Retailers: In the UK this is the ICO.

Focus: Data protection officer
Current DPA/EU Directive: Typically no requirement to have a DPO.
New GDPR position: DPO now mandated in Government and in organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large scale processing of sensitive data or criminal records.
Impact on Retailers: Retailers operating at significant scale should consider the appointment of a DPO.

Focus: Breach reporting
Current DPA/EU Directive: No obligations to report breaches.
New GDPR position: Requirement to report data breaches to the regulator without undue delay and within 72 hours of the breach, unless the breach is unlikely to be a risk to the individuals’ records. Potential requirement to notify the Data Subject.
Impact on Retailers: Monitoring of systems and tracking of personal data and breaches of security are essential to help mitigate risk to individuals and to reduce the exposure to fines and negative publicity.
PART TWO

Key points for review
1. Ensuring an individual’s consent
Retailers operating in or selling into the EU need to be aware that consent will be subject to new conditions under the GDPR. New requirements include the prohibition of so-called ‘bundled’ consents and of offering goods or services that are contingent on consent to processing. The biggest change, however, is that consent must be a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing; it must be separate from other written agreements with an individual and clearly presented as such, and it must be as easy for the individual to revoke consent as it is to give it.
RETAILER CHECKLIST
■ You will have to be clear about the lawful basis upon which you process personal data.
■ Where consent is the lawful basis you are relying on, check that consent already obtained meets the GDPR test and does not rely on pre-ticked boxes or simple silence.
■ Be clear on what constitutes personal data.
■ Ensure that consent is not ‘bundled’ with other written agreements.
■ The consumer is actively informed that they can withdraw consent to use data at any time and that this process is simple.
■ Consent must be verifiable.
2. Personal data for children
Under the GDPR children are now classed as ‘vulnerable individuals’ and require what the GDPR terms ‘specific protection’. Under the GDPR, where consent is the lawful basis for the processing of personal data in relation to the offer of targeted online services to a child, consent is only lawful for any child under 16 where parental/guardian consent has been obtained. Member States can lower this age but not to below 13. This protection is significant where organisations use children’s data for marketing and creating online profiles.
RETAILER CHECKLIST
■ Ensure your controls treat individuals designated as children as vulnerable individuals, and have appropriate processes to verify ages and gather, where appropriate, proper parental/guardian consent.
■ Remain vigilant to local legislation in each Member State on the issue of offline data processing relating to children.
3. Information notices
Data controllers will have to provide information notices to deliver appropriate process transparency. While specific information will need to be provided, the GDPR places a general transparency obligation on the data controller.
RETAILER CHECKLIST
■ All existing information notices need to be reviewed and updated in light of GDPR to ensure they include all the relevant information.
■ You will also have to work closely with your partners/third parties who may collect data on your behalf and ensure that they are assigned responsibility for the notice review, updates and approval.
■ Ensure that information notices are provided at the time of data capture, not after.
4. Citizen rights, consumer access
Consumers will maintain their right of access under GDPR. Data subjects have the right to obtain from data controllers: confirmation of whether, and where, they process that person’s data; information about the purposes of the processing; information about the categories of data being processed; information about the period for which the data will be stored; information about the rights to erasure, to rectification, to restriction of processing and to object to the processing; information about the existence of the right to complain to the DPA; information about the source of the data; information about the existence of, and an explanation of the logic involved in, automated processing; and a copy of the data and any supporting materials.
The consumer can also demand to receive a copy of their personal data in a commonly used, machine-readable format, and transfer their personal data from one controller to another.
RETAILER CHECKLIST
■ Assess your ability to provide data against this new backdrop.
■ Review all customer facing team’s processes and procedures to address any shortfall in these rules.
■ Develop template response letters and process controls to ensure timely responses.
5. The right to ‘object’
EU citizens will now have rights to object to certain types of data processing, not least for direct marketing purposes, on grounds relating to their particular situation, where the basis for that processing is either in the public interest or in the legitimate interests of the controller. Controllers must cease processing unless they can demonstrate compelling legitimate grounds for the processing, or they require that data to establish, exercise or defend legal rights.
RETAILER CHECKLIST
■ Conduct an audit of all data protection notices to ensure you are advising your customers that they have the right to object.
■ Online retailers specifically must develop an automated way for the right to object to be exercised effectively.
■ All marketing lists and processes must be reviewed to ensure that they are compliant.
6. Erasure – The right to be ‘forgotten’
The GDPR introduces a new concept – erasure – or as it was commonly known, the right to be forgotten. EU citizens will be able to demand the erasure of data held on them if the legality of the processing is in question, if the data is no longer needed for its original purpose or if they exercise the right to object. This new wide-ranging requirement of the GDPR has the potential to impact businesses and organisations alike.
RETAILER CHECKLIST
■ Do your systems meet the requirement to mark data as restricted?
■ Do your staff and suppliers who receive data erasure requests know what they are and how to handle them?
■ How will you evidence that erasure has been achieved?
7. Profiling
The GDPR contains a number of new restrictions on profiling based on sensitive data – some of which will need explicit consent by the consumer.
RETAILER CHECKLIST
■ Retailers who build consumer profiles based on sensitive data for direct marketing purposes will need explicit consent from consumers to undertake this activity.
8. Data governance
In one of the most wide-ranging changes being introduced by the GDPR, all organisations are going to have to implement a host of measures to reduce the risk of breaching the GDPR and to prove that they are taking the issue seriously. Amongst the new accountability measures, enterprises will need to undertake Privacy Impact Assessments, audits and policy reviews, and potentially appoint a dedicated Data Protection Officer.
RETAILER CHECKLIST
■ Responsibility needs to be internally assigned to either a dedicated Data Protection Officer or another identified function.
■ Budget will need to be identified and allocated accordingly to ensure data governance activity is completed.
■ A full compliance program will be required encompassing audits, HR policy, training and even awareness raising programs.
■ All existing supplier arrangements will also need to be audited in line with the GDPR data processing obligations.
■ Make sure you maintain processing activity reports and records.
9. Data breaches and fines
Both data controllers and processors are now subject to a greatly enhanced data breach regime. Any personal data breaches must now be reported by the data processor to the data controller, which in turn must report to the supervisory body in the UK.
Non-compliance can lead to one of two tiers of punitive fines: one of up to €10m or up to 2% of the total worldwide turnover of the preceding financial year, whichever is higher. Others will be subject to a fine of €20m or 4%
RETAILER CHECKLIST
■ Internal breach notification procedures and incident response plans need to be implemented, tested and reviewed regularly.
■ Your IT teams need to ensure that appropriate security measures are in place and that, if there is a breach, the data is as far as possible unusable and untraceable to an individual. The use of anonymisation, encryption and pseudonymisation techniques can all help reduce the risk of compromising personal data.
■ Check your business insurance policies for obligations and coverage.
■ Run a GDPR compliance gap analysis and update risk registers.
■ Assess liability exposure under existing customer, supplier and partner arrangements.
10. Data transfers
Data transfers outside of the European Economic Area will continue to be restricted and highly regulated. This will therefore remain a major consideration for multinational organisations and even those using extended supply chains which process any personal data outside of the EEA.
RETAILER CHECKLIST
■ Map and understand data flows to clearly understand those that operate across the border of the EEA.
■ Review procurement policies and contracts to ensure that any data transfer for which you are responsible is understood and compliant.
11. Consumer rights
Consumers will get new protections and rights under the GDPR including:
■ The right to complain when their data is processed contrary to the GDPR.
■ The right to a legal remedy against a data processor or controller.
■ The right to compensation.
RETAILER CHECKLIST
■ Data controllers and their processors must ensure that all and any data processing agreements and contracts are clear in terms of dispute resolution and the respective liabilities to handle compensation.
PART THREE

Considerations and conclusions
Regulators like the Information Commissioner’s Office (ICO) with its new Commissioner are already expecting more from businesses in the UK. It will be demanding an increase in compliance standards, backed by an increasingly robust use of the current enforcement regime. GDPR gives the regulators even more power, alongside the increased importance allocated under GDPR to individual rights to privacy, transparency and choice in relation to personal details. This could result in fines of up to the greater of 4% of the preceding year’s global annual turnover or €20 million.
Retailers need to develop a plan to assist key stakeholders in starting to deal with the key risks identified and to prioritise the tasks necessary to achieve GDPR compliance. Some of the first practical steps that retailers operating digital channels should look at include updating their standard contracts with digital service suppliers; reviewing, inventorying and auditing their personal data storage and processing; and reviewing the relevance of the privacy and consent wording under which their marketing and targeting databases have been, or continue to be, collated.
The EU’s new data protection regulation is without doubt complicated, but there are 10 key facts businesses need to know:
1. It applies to all
The GDPR applies to all companies worldwide that process personal data or monitor the behaviour of European Union (EU) citizens. This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.
2. It redefines personal data
The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information, including associated data such as IP addresses and cookies that can be traced back to an individual.
3. Consent cannot be assumed
Having the ability to prove valid consent for using personal information is likely to be one of the biggest challenges presented by the GDPR, as it requires all organisations collecting personal data to be able to prove clear, specific, informed, unambiguous and affirmative consent to process that data.
4. DPO is mandatory for some
The GDPR requires public authorities processing personal information to appoint a data protection officer (DPO), as well as other entities when their “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. It is arguably not clear that this is yet directly relevant to retailers, although the volume processing of personal information tied to browsing behaviour, payments and delivery addresses all carries a heightened responsibility for care and governance.
5. Introduction of mandatory Privacy Impact Assessments (PIAs)
The GDPR requires data controllers to conduct Privacy Impact Assessments (PIAs) where there is a high degree of risk for data subjects.
6. Common data breach notification requirements
The GDPR harmonises the various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data and report breaches quickly. Retailers need to ensure they have processes in place and flowed down to anyone engaged to carry out processing.
7. The consumer’s right to be forgotten
Organisations have to ensure that they have the processes and technologies in place to delete data in a timely response to specific requests from data subjects, whether this relates to in-store activity, online activity, or both.
8. Extended liability across the supply chain includes data processors
In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that touch personal data, and that now includes the data processor. This is particularly relevant in eCommerce operations.
9. Privacy by design
The GDPR requires that privacy is built in by design in both systems and processes, again placing a burden of validation on you when third parties are involved in the use of personal data on your behalf.
10. It’s a Europe-wide control
The ‘one-stop-shop’ theory means that if organisations have multiple establishments across the EU, the Data Protection Authority for the main establishment will be the ‘lead authority’. This lead authority has the power to regulate that organisation across all Member States.
In addition, legal proceedings against a controller or processor can be brought either in the Member State where the controller or processor has an establishment, or in the Member State in which the data subject resides. This means that under GDPR, an organisation may be subject to legal proceedings in unfamiliar jurisdictions, outside the Member State(s) in which it is established.
The UK Information Commissioner has made it clear that in terms of incident reporting, organisations that proactively report breaches will be given more credit than organisations who do not report a breach that is then subsequently discovered and reported by a third party.
It is therefore logical to assume that a retailer that demonstrates a proactive approach to relevant personal data capture and processing, is proactive in ensuring data security, and has a credible range of technical, management and operational controls in place will be better placed. This is not only to avoid a breach, but also, in the unfortunate event of a breach, to be more likely to receive a lower fine than an organisation that takes no measures, or blatantly disregards its obligations under GDPR.
PART FOUR

Getting ready for GDPR
The General Data Protection Regulation will significantly impact how retailers collect and process personal information. The May 2018 enforcement date may seem far away, but the sector should not underestimate the amount of work involved and time needed to prepare for GDPR, and preparations should be underway now.
It will require a fundamental rethink by each retailer, be they a traditional retailer or a born-in-the-cloud retailer operating online, about how it approaches data protection compliance: from what details are treated as ‘personal’ or ‘sensitive’, to how to handle the regulation and who is responsible for ensuring compliance.
The GDPR is now law – it is not going to go away because of Brexit – it is here to stay. And given the fact it is now in UK law the Board of your retail business is now accountable. Retailers need to be aware of the impact of GDPR throughout the business:
■ IT departments which have responsibility for the technology they use to secure data will be in the spotlight as well as their service providers in turn.
■ HR departments need to take the lead on training and educating employees on their responsibilities.
■ Marketing departments, in particular, will need to assess and think about the data they buy, collect, store and use for marketing purposes, including new data captured in the definition of personal data such as cookies and IP addresses.
■ Customer Services, Sales and Operational teams using a CRM, Order Management or ERP system will also have to fully comply with the GDPR and that will include the data held on delivery addresses and orders placed.
■ eCommerce and Merchandising departments are now going to have to audit suppliers regularly and failure to audit your supply chain could have severe consequences. Furthermore, sharing data up or down the supply chain which results in a data breach will put controllers and processors under scrutiny for how the data was shared and the diligence applied. Specific attention also needs to be given to what constitutes personal data under GDPR and the scenarios that involve the use of cookies or the tracking of IP addresses or personal devices.
■ And finally finance, which, because of its role in storing financial data relating to and recorded on individuals, will also fall into the orbit of the GDPR. That includes any data stored on a customer and their purchasing history, no matter where and when they bought a product.
Specific considerations for eCommerce operations
As a retailer in the new online and/or omni-channel era, you will know that at the heart of your operations, data is king. But with the GDPR you will need to ask a series of specific questions in relation to your data and any third-party suppliers you rely upon to deliver your services to market:
1. Which suppliers store or process customer personal data on your behalf to enable you to target consumers and sell products or services?
2. You will need to record what data is shared between which parties and ensure that it is consistent (e.g. from eCommerce to CRM to Marketing service provider).
3. Are these suppliers compliant with GDPR and are your consumer commitments to GDPR backed up by agreements with these third parties where relevant?
4. Is the legal basis of Supplier Agreements written under appropriate legal jurisdiction (i.e. EU), or, if outside, how is the path of accountability maintained under contract?
5. Where will your data be physically stored?
6. Where will any secondary site/data be located?
7. If your data is stored outside of the EU what provision does your supplier have to protect it and comply with your obligations under GDPR?
8. If suppliers store any of your data in the USA do they comply with prevailing international standards, i.e. Privacy Shield?
9. If you cancel the service of a supplier of digital services at any point, do they contractually commit to delete all your customer personal data, if so, how quickly and how is this evidenced?
10. Have you got appropriate security measures in place?
11. Do your Supplier contracts include the mandated provisions?
12. Do you have written records for processing?
13. What technical measures do you have in place to ensure appropriate security (e.g. encryption, pseudonymisation, etc.)?
14. breaches and responding to data subject requests.
15. If transferring outside the EEA, do you comply with requirements under GDPR to ensure personal data is adequately protected?
In regard to interaction and communication with consumers it is essential that your digital channels:
1. Ensure consent is freely secured to store and process personal data. This may not be implied but must be unambiguous, explicitly provided by the consumer.
2. That you state which data you will capture and for what specific purposes.
3. That you publish consistent Privacy Policies containing all required information.
4. That you state how long data will be held for.
Get started – a high level GDPR checklist
The following is an overview of key activities to help you further research and prepare for enforcement of GDPR:
1. Check you have notified the ICO that you are a Data Controller – this is simple to do online by visiting www.ico.org.uk.
2. Share information with Management and your Board on GDPR impact and obligations e.g. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf and https://ico.org.uk/for-organisations/data-protection-reform/gdpr-messages-for-the-boardroom.
3. Use a data self-survey to assess risk and readiness for GDPR enforcement e.g. https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment/getting-ready-for-the-gdpr.
4. Update or Implement and adhere to a formal data protection policy.
5. Update or Implement a privacy policy containing appropriate measures.
6. Appoint someone responsible for managing and monitoring GDPR compliance.
7. Prepare for enforcement of the new law by updating processes and auditing the personal data you hold, in order to ensure only relevant data is maintained (securely).
8. Train your staff on GDPR and their obligations and responsibilities.
9. Check and/or update your data collection consent wording across your relevant channels.
10. Check customer and supplier contracts, notably in regard to digital service suppliers in your supply chain to provide service to your customers.
11. Check your insurance coverage for compliance to GDPR.
12. Check group companies located inside/outside the EU and their activities and carry out an international data flow mapping exercise.
13. Check transparency requirements and notifications of data subjects of any processing.
14. Check that all personal data is only used for purposes for which it was collected.
15. Check retention periods for holding personal data.
16. Check policies for monitoring/handling data subject rights.
17. Check security procedures and measures currently in place.
18. Check data breach processes and procedures.
Call Tryzens today to discuss which support services options best fit your needs, +44 (0)20 7264 5900 or visit www.tryzens.com
Tryzens Limited 5th Floor, 101 Finsbury Pavement, London EC2A 1RS
+44 (0)20 7264 5900 www.tryzens.com
©Copyright Tryzens Limited 2017. All rights reserved. Tryzens and TradeState are registered trademarks.