The EU data privacy landscape has already changed

The GDPR is legislation that effectively replaces the Data Protection Act 1998 in the UK

With less than a year to go before organisations which process, use or exchange consumers’ personal data within the EU need to comply with the new General Data Protection Regulation (GDPR), eCommerce systems integrator Tryzens has highlighted how this new directive will impact retailers, and what key steps brands will need to take to mitigate the impact when the regulation becomes enforced from 25th May 2018.

The GDPR is legislation that effectively replaces the Data Protection Act 1998 in the UK, and aims to harmonise the approach to the protection and privacy of all personal data collected for/or about citizens in the EU. Whilst upholding the values of the free flow of information across Member States, GDPR also gives individuals much more transparency and control over what companies can do with their data.

Andy Burton, CEO of Tryzens, has advised that all retail organisations with physical or online sales outlets operating in the EU, or those that promote or sell advertising or marketing to EU residents, need to be more aware that they have to comply with the new GDPR. It is already passed as law today and is enforceable from 25th May 2018. It is also relevant in regard to a retailer’s management of their employees’ data too.

Burton said: “With heavy fines that can be imposed via the ICO (Information Commissioners Office in the UK) of up to 4% of global group revenue, the risk of failure to comply by the time GDPR is enforced is far too significant to ignore. It’s crucial that the in retailers’ Boardrooms they start to look seriously at what data they capture, how consumer consent for its use is gained, and ensure the use is purely for what GDPR refers to as Lawful Processing. Equally, the complexity of the retail technology environment brings about a significant increase in the volume of potential Data Processors that the Retailer (as Data Controller) has to have appropriate back to back contracts, controls and security measures in place for.”

Burton continued: “The 25th May next year is not far away in regard to the scale of the review retailers need to undertake, and it’s worth stating too, that the myth that this may go away because of Brexit is simply not true, it is already applicable in UK law,”

“GDPR will significantly impact how retailers collect and process personal information, be they pureplay etailers or traditional bricks and mortar. We have less than 12 months before the deadline and with hyper sensitivity in the market to avoid adding any friction to a customer shopping experience (because of the potential impact to sales conversion), I cannot stress enough the importance of ensuring the ecommerce, store, marketing and trading teams fully understand what compliance to GDPR looks like so they can adapt to deliver a positive and seamless customer experience” warned Burton.

Ahead of GDPR, Tryzens has published a White Paper aimed specifically at the retail market to explain the major changes, and is running a series of seminars over the coming weeks to help retailers answer the practical questions around what does this mean for them, such as what do I have to do, where do I start, and, how can I do this and minimise any negative impact on my customers.

As well as having specific guidance for ecommerce operations, Tryzens has set out the top 10 generic steps all Retailers must take to mitigate risk in their business and implement effective GDPR disciplines to ensure compliance, as set out below:

1. Check you have notified the Information Commissioner’s Office that you are a Data Controller (i.e. organisation that owns the data) – this is simple to do online at www.ico.org.uk
2.  Share information with management and your board on GDP impact and obligations
3. Use a data self-assessment survey to identify risk and readiness for GDPR. A good one can be found at https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment/getting-ready-for-the-gdpr
4. Update, or implement, both a formal data protection policy and privacy policy that covers the responsibility to secure data, with legitimate consent and for the sole purpose of lawful processing.
5. Appoint someone responsible for leading, managing and monitoring GDPR compliance across the business.
6. Prepare for the new law to be enforced by updating internal and relevant supplier processes, auditing personal data held by your business (for customers, prospects and employees) in order to ensure only relevant data is securely maintained.
7. Update your Employee handbooks and train all your staff on GDPR and their obligations and responsibilities to comply with it.
8. Check and/or update your data collection consent wording across your relevant channels
9. Check customer and supplier contracts, notably in regard to digital service suppliers that are part of your supply chain to provide service to your customers, as they may be Data Processors but the retailer remains the Data Controller and must be able to enforce their policies.
10. Check your insurance coverage for compliance with GDPR