Every organisation in the Retail Sector holds at least some of their customer’s personal data. However, certain organisations, particularly ones with a large online presence, absolutely rely on it. This data might be used to provide services, for marketing purposes, or simply to keep track of customer behaviour. Whatever reason it’s used for, the GDPR places duties on all organisations and customers expect complete compliance.
Here are some of the ways that the GDPR impacts on the Retail Sector.
A Privacy Notice is a statement explaining why an organisation needs a person’s data. These have always been necessary but the GDPR requires that they’re much more detailed than before. They need to be clear, concise, and easily understood by anyone. As well as detailing why data is needed they should also explain the effect this might have on the customer, how long the data will be used for and the decision process used to determine this, and provide details on the customer’s right to withdraw their consent.
In order to process a person’s data, an organisation must first have a lawful reason for doing so. Many organisations rely on customer consent as their lawful reason – especially for things like direct marketing. The GDPR significantly raises the standard for what is considered “consent” and this needs to be reflected in how an organisation obtains it.
There are two things to remember if relying on a customer’s consent. First, it must be freely given, specific to the particular purpose at hand, fully informed, and unambiguous. Secondly, to provide consent, a customer must give a clear, affirmative action. This means they need to actively tick a box, sign a form, or give positive verbal consent. The old days of assumed consent and “opt-out” boxes are long gone.
Accountability is a key concept throughout the GDPR and part of this means that organisations are required to keep detailed records of all their data processing activities. This includes:
- The name and details of the data controller or processor (depending on the organisation’s own role)
- The name and details of the Data Protection Officer
- The purpose for processing personal data
- A description of the categories of data being processed and the categories of data subjects
- The details of anyone the data will be processed by
- Any details of transfers to other countries
- Time limits for data retention
- A general description of technical and organisational security and safeguards, and
- Any other details like records of consent and signed privacy agreements
However, written records, though a good idea since they show a commitment to GDPR compliance, aren’t necessary for organisations with fewer than 250 employees unless the processing it carries out is likely to result in a risk to the rights and freedoms of customers, the processing is not occasional, or the processing includes special categories of sensitive data or criminal convictions.
Data Processing Agreements
Retailers often use third party organisations to carry out certain services like delivering packages, processing payments, or analysing data. If this is the case, the GDPR requires that every third-party organisation is subject to a written contract, known as a Data Processing Agreement. This contract should include requirements for implementing certain technical and organisational safeguards, for reporting data breaches, and for only processing data according to strict instructions.
Data Protection Officers
Organisations whose core activities involve the monitoring of data subjects on a large scale or the processing of special categories of sensitive data on a large scale must appoint an expert in data protection law to oversee the operation. This person, known as a Data Protection Officer, must be an expert in national and European data protection law and have an in-depth understanding of the GDPR.
Alongside creating a whole host of new duties and responsibilities for retailers, the GDPR also provides a number of new rights for individuals. These include, among others:
The right of access – A customer can request access to any and all data held by an organisation. The request must be dealt with within 30 days and a fee cannot be applied to the request (except in certain exceptional circumstances)
The right to be forgotten – Customers have the right to request that an organisation stops using and deletes any and all data an organisation holds on them. This means that third-parties currently processing the data need to be informed so they can also comply with the request.
Rights regarding Automated individual decision-making – If a decision is made about a customer by an automated process (i.e. not by a human) then a customer has the right to object to this and have the decision considered by a person instead
Organisations need to report any breaches within 72 hours of becoming aware of the breach. If a retailer is a data processor, they need to report to the data controller. If the retailer is a controller they need to make a judgement; if the breach is likely to result in a significant risk to their customers’ rights and freedoms regarding their data, then they need to report the breach to the Information Commissioner’s Office who will help them with the next steps.
It’s important that every retailer has a data breach response plan which will help them respond quickly and efficiently to any breaches. This will limit the damage caused by a breach and reduce the chances of receiving a fine from the ICO.
Online GDPR Essentials Training
Since enforcement of the GDPR, almost 100,000 complaints have been made to EU national data protection authorities. Therefore, it is essential that organisations that deal with personal/sensitive data must have a strong understanding of the regulation to avoid complaints.
Our Online GDPR Essentials Training course is for everyone who handles personal data. It helps employees to understand what counts as personal data, the principles of data protection, and who’s responsible for keeping personal information safe.
Claim your free no-obligation trial to the course today!