The deadline for General Data Protection Regulation (GDPR) compliance is fast approaching, with the legislation taking effect on 25 May 2018. Estimates vary, but surveys by the DMA suggest that somewhere between a quarter and a third of UK businesses are not fully prepared for the deadline. Other surveys reflect even less optimistic figures.
Retailers sit at the intersection of collecting and using customer data and dealing directly with the customers whose data they hold. Compliance is therefore a major priority. There is still time, and there will of course be those who leave it to the last minute on a wing and a prayer, but others who are struggling should not give up hope. Help is at hand.
What are the priorities?
There is plenty of detail to get through in the GDPR but some of the major points retailers need to take on board can be boiled down to a few simple questions:
- Do you know how all your customer data has been collected?
- Can you explain how all the data you hold is processed, including data that is subject to automated processing?
- Do you have consent to use specific pieces of data for particular purposes?
- Can you remove data from your entire system upon request?
Since the GDPR is in part building on what has gone before under the Data Protection Act, the answer to these is hopefully at least a partial yes. The following steps will help get you to a full yes:
- Data audit - produce an inventory of the personal data you hold on file which shows where it came from, how it is stored, how it is processed, how it can be accessed (including by customers), how it can be downloaded and whether or not it can be kept.
- Review all of your consent procedures. Do these comply with the new rules under GDPR? In particular: are all uses to which the data will be put clear and unambiguous, are all consents affirmative (requiring positive action by the consumer to consent, i.e. not relying on the consumer failing to untick pre-ticked boxes, etc.) and are all consents specific to the particular uses?
- Review how customers are going to be given access to their data, how they will be able to download it or transfer it and how data is to be purged from all the company systems if a customer makes that request.
- Review how third party contracts operate in relation to the personal data that you hold. Are they compliant with GDPR?
- Review your security procedures. Is the personal data adequately protected? How will you respond if there is a security breach? Are your procedures compliant with the new rules – can individuals be notified within 72 hours to explain the nature of the breach and the risks posed to them?
Time to act
It is never too late to start. If you are behind in preparing for the GDPR, it is essential that you get proper advice to help you meet your obligations and achieve full compliance. Potential fines of up to four percent of turnover or €20m mean that no one can afford to ignore what’s coming.