This time next year the General Data Protection Regulation will be in force in the UK, bringing with it a strengthened data protection regime and significant penalties for non-compliance.
The GDPR is set to be the biggest shakeup of data protection laws for more than two decades and regardless of Brexit negotiations will become law in all 28 EU member states including the UK next May.
All personal data collected on individuals across the EU will fall within the scope of the new law, including email addresses and transaction history. Any company that processes the personal data of individuals in the EU, whether or not the company itself is based in the EU, will be subject to it. Note that the test is where the data subject is, not their citizenship.
Retailers and customer service providers must start preparing now to make sure they are compliant with the new regulation. Those who don't will not only face a heavy financial price, with non-compliance fines of up to 4 per cent of a company's global annual turnover or €20 million, whichever is higher, but also risk serious reputational damage and the loss of customer trust.
Here are some of the main considerations for retailers and customer service providers.
Consent will be a major part of the GDPR and it will no longer be enough for retailers or customer service providers to have general data clauses in their contracts.
Under the GDPR an individual's consent must be fully informed, specific and freely given, and the organisation must be able to demonstrate that it was given. The GDPR calls for a clear, affirmative action, so silence, inactivity or a pre-ticked box will not do; a signed or otherwise recorded consent that can be produced later is highly advisable.
One example is retailers collecting customers' email addresses in store, which are often used for a variety of purposes including direct marketing.
Under the GDPR, customers will have to be fully informed about exactly what purposes their data will be used for, and consent will have to be obtained separately for each of those purposes at the point the data is collected. An address gathered for order confirmations cannot simply be reused for marketing. Consent is also only one of several lawful bases for processing, so where another basis is relied on it should be identified and documented instead.
This consent aspect of the new regulation also extends to data provided by employees, so employment contracts will have to be reviewed.
The GDPR also contains a definition of profiling, meaning automated processing of personal data to evaluate or predict aspects of an individual such as their preferences or behaviour. So if a retailer collects individual customer data in an automated form to analyse behaviour, through loyalty or reward schemes for example, it has to tell the customer this is happening and give them the opportunity to object. Where the profiling is for direct marketing, the right to object is absolute and the profiling must cease as soon as an objection is received.
The GDPR will introduce a duty on all organisations to report personal data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to the individuals affected, they must be told as well, without undue delay.
Failure to notify a breach when required to do so could itself lead to a significant fine, separate from any penalty for the underlying security failure.
Retailers in particular should be aware of the risks of data breaches involving customer data given recent incidents in the sector, and should have a detailed plan not only to prevent breaches but to detect them and deal with any that occur. The 72-hour clock starts on awareness, so the plan needs to cover how a breach is recognised and escalated, who decides whether it is reportable, and who contacts the regulator and customers.
It's been said that the GDPR is essentially current best practice given legislative recognition. Therefore many retailers and customer service providers with existing strict data protection policies should not have a long way to go to meet the new regulation.
The GDPR should be seen as an opportunity to review current activity and improve processes. This review should be thorough, involving every department and aspect of the business that touches customer or employee data, which is why early management buy-in is essential.
Contrary to the beliefs of some, it is not true that the GDPR will cease to apply once Brexit is completed and that organisations can therefore put off implementing it. The GDPR will be enshrined in UK law, and in any case organisations that hold or process the data of individuals in the EU will remain bound by it if they wish to continue trading with the EU.
For further advice on how your organisation can stay up-to-date with legislation affecting customer data, get in touch with us for a consultation.