A RETAILER’S RESPONSIBILITY AND LIABILITY UNDER GDPR

AN INTRODUCTION TO NEW DATA PRIVACY REGULATION FOR THE RETAIL SECTOR, ONLINE AND INSTORE

THE COUNTDOWN TO ENFORCEMENT: 25th May 2018

Tryzens

Contents

PART ONE: What is GDPR and when does it come into force?

PART TWO: Key points for review

PART THREE: Considerations and conclusions

PART FOUR: Getting ready for GDPR

PART ONE

What is GDPR?

The GDPR (General Data Protection Regulation – EU 2016/679) is a Regulation adopted by the European Union which is designed to harmonise the approach to the protection and privacy of all personal data about EU citizens in connection with the offering of goods or services to them or the monitoring of their behaviour within the EU. Its aim is to improve the accountability of those processing personal data and to increase transparency, in order to enhance consumer confidence in organisations that hold or process their personal data. GDPR will also standardise the approach to the free flow of information across European Union members, although there are still some areas where member states can legislate.

Notably, GDPR encompasses all key elements from Article 8 of the European Convention on Human Rights, which states its intention to respect the rights of privacy in personal and family life, as well as in the home and in personal correspondence.

This is one of the most wide-ranging pieces of legislation passed by the EU in recent years, and irrespective of Brexit, will become law in the UK. Currently, in the UK the Data Protection Act 1998 governs the processing of personal data and this Act implemented the 1995 EU Data Protection Directive (Directive 95/46/EC), but this will be superseded by the new Regulation.

It cannot be overstated that GDPR introduces higher bars for compliance and significant fines for non-compliance and data privacy breaches, and it gives individuals much more control over what organisations can do with their data. It also makes data protection rules more or less identical throughout the EU, something the existing data protection legislation fails to achieve.

In practical terms, GDPR also introduces a wide range of new data subject rights that retailers must provide to consumers, such as the ‘right to be forgotten’, the right to object, the right of accountability, timelines for data breach notifications, data portability, and the need for organisations to have formal processes and accountable people in place.

When does GDPR come into force?

The GDPR entered into force on 24 May 2016, although full enforcement will not begin until May 25th 2018. GDPR will apply to all personal data held by an organisation regardless of when it was originally created, stored or processed. Given that it is an EU Regulation, the GDPR will be directly effective across all Member States without the need for implementing national legislation.

What does this mean to my business?

This Guide is intended to summarise the key changes that are coming into force in May 2018 and to identify how they impact retail organisations across the EU. It includes a checklist of recommendations as to what action may need to be taken to ensure your business is compliant by default. This guide is not comprehensive guidance on the GDPR and does not constitute legal advice. Readers should not rely solely on this document but should take appropriate formal legal advice and guidance on the requirements of GDPR and their own compliance to ensure their organisation’s response to GDPR is appropriate, timely and relevant.



Background to GDPR

The drivers behind the GDPR are twofold:

1. The EU wants to give individuals more control and transparency over how their personal data is used. Since the current data protection legislation was enacted there have been significant technological advances which have resulted in an unprecedented global flow of data. The Internet and cloud technology have created new ways of capturing, tracking and exploiting data, and the GDPR seeks to address this through a broader definition of what constitutes personal data, by strengthening data protection legislation and by introducing tougher enforcement measures. Through these changes the EU hopes to improve trust in the emerging digital economy, which is critical to the success of the online and omni-channel retail market.

2. The EU wants to give all businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market. Whilst hard to relate costs to the retail sector specifically, the EU estimates this will save all businesses a collective €2.3 billion a year.

Scope of GDPR

GDPR extends the reach of existing data protection law, encompassing the following critical areas:

1. Where personal data is processed by an EU based data controller and processor; or

2. Where no EU presence exists the GDPR will still apply when an EU citizens’ personal data is processed in connection with any goods or services offered to them – specifically relevant to non-EU online retailers; or

3. Where the behaviour of individuals is ‘monitored’ within the EU.

The GDPR will apply to retail organisations with physical or online sales outlets operating in the EU, and to those which promote or sell advertising or marketing to EU residents. It will also apply in regard to retailers’ employee data.

A key part of the GDPR is how responsibility is assigned for data – and this has huge implications for eCommerce service providers and any other third party dealing with a customer’s data.

To understand this change, it’s worth reminding ourselves of key terminology:

■ Data controller/controller: This is the organisation that determines the purposes and means of processing personal data. In an arrangement where an end user works with a SaaS or other form of as-a-service operations for its IT infrastructure, this is the end user organisation.

■ Data processor/processor: This is any organisation that processes the data on behalf of the data controller, whether that be storing it, analysing it, segmenting it, or any other task. In the above arrangement, this may include a SaaS, Managed Service or cloud/hosting provider.


GDPR vs existing Data Protection Act at a glance

Level of fines

Current DPA/EU Directive: Up to £500k in UK.

New GDPR position: The higher of:

• Level 1 (typically breaches of obligations by controllers or processors) – 2% of global turnover (not profit) or 10m Euros.

• Level 2 (typically breaches of the rights or freedoms of a Data Subject) – 4% of global turnover or 20m Euros.

Impact on Retailers: The fine is not limited to a Brand or the UK but can relate to an undertaking’s worldwide turnover.

Record of processing activities

Current DPA/EU Directive: Requirement to notify the relevant Authority before processing.

New GDPR position: Organisations will need to keep records of the controller’s processing activities, but there is no longer an obligation to notify DPAs.

Impact on Retailers: Retailers should proactively identify all Personal Data held, including that provided by third parties that is not anonymised or pseudonymised, and ensure that it is relevant and secure.

Rights of data subject

Current DPA/EU Directive: Various rights, notably right of access to their data, and right of rectification and right to object to direct marketing.

New GDPR position: New Right to be forgotten (Erasure) and Right to Portability, enhanced right of access to their data. These rights are not absolute.

Impact on Retailers: Retailers must be able to remove and/or grant review access to a customer’s personal data across all channels and systems it is held within.

Consent

Current DPA/EU Directive: Generally, rely on implied consent.

New GDPR position: Requirement is to demonstrate freely given, specific, informed and unambiguous consent for the processing of personal data.

Impact on Retailers: Consumer consent to store and use personal data may not be assumed and has to be positively verified. Consumers must be able to revoke consent as easily as give it. Data processing notices need to give information at the time of seeking consent. Bundled consents are not sufficient.

Data processors

Current DPA/EU Directive: Limited exposure to regulator for processing activity.

New GDPR position: Processors are included under GDPR and Controllers must conduct Due Diligence into a Processor’s suitability and appoint the processor in the form of a binding written agreement that complies with GDPR. Processors will then have direct obligations such as keeping a record of its processing activities and an obligation to notify any data breach to the controller without undue delay.

Impact on Retailers: Relevant third parties need to be included in the retailer’s audit of GDPR compliance, notably so in eCommerce and digital operations.

Security obligations

Current DPA/EU Directive: Broad but vague requirement for an adequate level of security.

New GDPR position: Specific requirements introduced around monitoring activity, data encryption and anonymisation, on-going reviews of security measures, regular security testing, and redundancy and back-up facilities.

Impact on Retailers: Proactive review of internal and third party security policies to ensure adequate precautions are in place to protect personal data.

Scope of personal data

Current DPA/EU Directive: Any data relating to an identified or identifiable natural person. Includes sensitive personal data like ethnicity, religion, health.

New GDPR position: Extended to cover advances such as biometric, location data and genetic data.

Impact on Retailers: In addition to standard information, the obligation extends to include data captured through tracking a user’s device, IP address(es), browsing history & cookies, and delivery addresses.

Identifiable person

Current DPA/EU Directive: One who can be identified directly or indirectly, in particular by reference to an identification number or one or more factors relating to physical, physiological, mental, economic, cultural or social identity.

New GDPR position: Includes an identifier such as a name, location data, online identifier or genetic data. The use of Anonymisation and Pseudonymisation techniques can reduce the burden on organisations by increasing the difficulty for any unintended person accessing data to identify individuals.

Impact on Retailers: Online identifiers, cookies, BGI (browser generated information) [for singling out] and mobile devices, IP addresses and MAC addresses. The pursuit of goals for enhanced Personalisation to and targeting of consumers does create a heightened risk around the level of data held or used to identify an individual and increases the scope of data to be managed.

Supervisory authority

Current DPA/EU Directive: Limited enforcement powers under national law.

New GDPR position: Wide-ranging powers being granted under the GDPR.

Impact on Retailers: In the UK this is the ICO.

Data protection officer

Current DPA/EU Directive: Typically no requirement to have a DPO.

New GDPR position: DPO now mandated in Government and organisations (whose core activities involve regular and systematic monitoring of individuals on a large scale or large scale processing of sensitive data or criminal records).

Impact on Retailers: Retailers operating at significant scale should consider the appointment of a DPO.

Breach reporting

Current DPA/EU Directive: No obligations to report breaches.

New GDPR position: Requirement to report data breaches to the regulator without undue delay and within 72 hours of the breach unless the breach is unlikely to be a risk to the individuals’ records. Potential requirement to notify the Data Subject.

Impact on Retailers: Monitoring of systems and tracking of personal data and breaches of security are essential to help mitigate risk to individuals and to reduce the exposure to fines and negative publicity.

PART TWO

Key points for review

1. Ensuring an individual’s consent

Retailers operating in or selling into the EU need to be aware that consent will be subject to new conditions under the GDPR. New requirements include the prohibition of so-called ‘bundled’ consents and of offering goods or services contingent on consent to processing. The biggest change, however, is that consent must be a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing; it must be separate from other written agreements with an individual and clearly presented as such, and it must be as easy for the individual to revoke consent as it is to give it.

RETAILER CHECKLIST

■ You will have to be clear about the lawful basis upon which you process personal data.

■ Where consent is the lawful basis you are relying on, check that consent already obtained meets the GDPR test and does not rely on pre-ticked boxes or simple silence.

■ Be clear on what constitutes personal data.

■ That consent is not ‘bundled’ with other written agreements.

■ The consumer is actively informed that they can withdraw consent to use data at any time and that this process is simple.

■ Consent must be verifiable.

2. Personal data for children

Under the GDPR children are now classed as ‘vulnerable individuals’ and require what the GDPR terms ‘specific protection’. Where consent is the lawful basis for the processing of personal data in relation to the offer of targeted online services to a child, consent is only lawful for any child under 16 where parental/guardian consent has been obtained. Member States can lower this age but not to below 13. This protection is significant where organisations use children’s data for marketing and creating online profiles.

RETAILER CHECKLIST

■ Ensure your controls to manage individuals that are designated as children are respected as vulnerable individuals and have appropriate processes to verify ages and gather, if appropriate, proper parental/guardian consent.

■ Remain vigilant to local legislation in each Member State on the issue of offline data processing relating to children.



3. Information notices

Data controllers will have to provide information notices to deliver appropriate process transparency. While specific information will need to be provided, the GDPR places a general transparency obligation on the data controller.

RETAILER CHECKLIST

■ All existing information notices need to be reviewed and updated in light of GDPR to ensure they include all the relevant information.

■ You will also have to work closely with your partners/third parties who may collect data on your behalf and ensure that they are assigned responsibility for the notice review, updates and approval.

■ Need to ensure that information notices are provided at the time of data capture not after.

4. Citizen rights, consumer access

Consumers will maintain their right of access under GDPR. Data subjects have the right to obtain from data controllers: confirmation of whether, and where, they process that person’s data; information about the purposes of the processing; information about the categories of data being processed; information about the period for which the data will be stored; information about the rights to erasure, to rectification, to restriction of processing and to object to the processing; information about the existence of the right to complain to the DPA; information about the source of the data; information about the existence of, and an explanation of the logic involved in, automated processing; and a copy of the data and any supporting materials.

The consumer can also demand to receive a copy of their personal data in a commonly used, machine-readable format, and transfer their personal data from one controller to another.

RETAILER CHECKLIST

■ Assess your ability to provide data against this new backdrop.

■ Review all customer facing team’s processes and procedures to address any shortfall in these rules.

■ Develop template response letters and process controls to ensure timely responses.

5. The right to ‘object’

EU citizens will now have rights to object to certain types of data processing, not least for direct marketing purposes, on grounds relating to their particular situation, where the basis for that processing is either in the public interest or in the legitimate interests of the controller. Controllers must cease processing unless they can demonstrate compelling legitimate grounds for the processing, or they require that data to establish, exercise or defend legal rights.

RETAILER CHECKLIST

■ Conduct an audit of all data protection notices to ensure you are advising your customers that they have the right to object.

■ Online retailers specifically must develop an automated way for this to be effective.

■ All marketing lists and processes must be reviewed to ensure that they are compliant.


6. Erasure – The right to be ‘forgotten’

The GDPR introduces a new concept – erasure – or, as it was commonly known, the right to be forgotten. EU citizens will be able to demand the erasure of data held on them if the legality of the processing is in question, if the data is no longer needed for its original purpose or if they exercise the right to object. This new wide-ranging requirement of the GDPR has the potential to impact businesses and organisations alike.

RETAILER CHECKLIST

■ Do your systems meet the requirement to mark data as restricted?

■ Do your staff and suppliers who receive data erasure requests know what they are and how to handle them?

■ How will you evidence that erasure has been achieved?

7. Profiling

The GDPR contains a number of new restrictions on profiling based on sensitive data – some of which will need explicit consent by the consumer.

RETAILER CHECKLIST

■ For those who build consumer profiles based on sensitive data for direct marketing purposes, retailers will still need explicit consent from consumers to undertake this activity.

8. Data governance

In one of the most wide-ranging changes being introduced by the GDPR, all organisations are going to have to implement a host of measures to reduce the risk of breaching the GDPR and to prove that they are taking the issue seriously. Amongst the new accountability measures, enterprises will need to undertake Privacy Impact Assessments, audits and policy reviews, and potentially appoint a dedicated Data Protection Officer.

RETAILER CHECKLIST

■ Responsibility needs to be internally assigned to either a dedicated Data Protection Officer or another identified function.

■ Budget will need to be identified and allocated accordingly to ensure data governance activity is completed.

■ A full compliance program will be required encompassing audits, HR policy, training and even awareness raising programs.

■ All existing supplier arrangements will also need to be audited in line with the GDPR data processing obligations.

■ Make sure you maintain processing activity reports and records.


9. Data breaches and fines

Both data controllers and processors are now subject to a greatly enhanced data breach regime. Any personal data breaches must now be reported by the data processor to the data controller, which in turn must report to the supervisory body in the UK.

Non-compliance can lead to one of two tiers of punitive fines: one of up to €10m or up to 2% of the total worldwide turnover of the preceding financial year, whichever is higher. Others will be subject to a fine of up to €20m or 4%.

RETAILER CHECKLIST

■ Internal breach notification procedures and incident response plans need to be implemented, tested and reviewed regularly.

■ Your IT teams need to ensure that appropriate security measures are in place and that, if there is a breach, the data is as far as possible unusable and untraceable to an individual. The use of anonymisation, encryption and pseudonymising techniques can all help reduce the risk of compromising personal data.

■ Check your business insurance policies for obligations and coverage.

■ Run a GDPR compliance gap analysis and update risk registers.

■ Assess liability exposure under existing customer, supplier and partner arrangements.
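The following Python sketch is an added example, not code from the Tryzens guide. It illustrates the pseudonymisation technique the checklist above refers to, and also shows how an erasure request (section 6) can be honoured by severing the link in a separately held key table. The customer records are constructed sample data; `PSEUDONYM_KEY`, the `PseudonymVault` class and the function names are assumptions made for illustration, not a named product or API.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample customer records for the example (not real people).
CUSTOMERS: List[dict] = [
    {"email": "alice@example.com", "name": "Alice Example",
     "postcode": "SW1A 1AA", "basket_value": 42.50},
    {"email": "bob@example.org", "name": "Bob Sample",
     "postcode": "M1 1AE", "basket_value": 17.99},
]

# Assumed pseudonymisation secret. In a real deployment it would be held in a
# KMS/HSM, separate from the analytics store, and rotated under a documented policy.
PSEUDONYM_KEY: bytes = secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for a direct identifier.

    HMAC-SHA256 rather than a bare SHA-256: an unkeyed hash of an e-mail address can
    be matched by hashing a list of candidate addresses, while the HMAC cannot be
    recomputed without the key. Normalising case and whitespace keeps the same
    customer on the same token across channels and systems.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class PseudonymVault:
    """Separately held table: token -> direct identifiers.

    Keeping this apart from the analytics dataset is what makes that dataset
    pseudonymous rather than directly identifying.
    """

    def __init__(self) -> None:
        self._identities: Dict[str, Dict[str, str]] = {}

    def register(self, token: str, email: str, name: str) -> None:
        self._identities[token] = {"email": email, "name": name}

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        return self._identities.get(token)

    def erase(self, token: str) -> bool:
        """Honour an erasure request by severing the link; analytics rows carrying
        the token can then no longer be tied back to the person."""
        return self._identities.pop(token, None) is not None


def pseudonymise(records: List[dict], key: bytes, vault: PseudonymVault) -> List[dict]:
    """Replace direct identifiers with a keyed token and coarsen the postcode to its
    outward code so a single household is no longer singled out."""
    rows = []
    for rec in records:
        token = pseudonym(rec["email"], key)
        vault.register(token, rec["email"], rec["name"])
        rows.append({
            "subject_token": token,
            "postcode_area": rec["postcode"].split()[0],  # 'SW1A 1AA' -> 'SW1A'
            "basket_value": rec["basket_value"],
        })
    return rows


def contains_direct_identifiers(records: List[dict]) -> bool:
    """Gate check to run before a dataset leaves the controlled environment."""
    banned = {"email", "name", "postcode"}
    return any(banned & set(rec) for rec in records)


if __name__ == "__main__":
    vault = PseudonymVault()
    analytics = pseudonymise(CUSTOMERS, PSEUDONYM_KEY, vault)
    token = pseudonym("alice@example.com", PSEUDONYM_KEY)
    print("identifiers left in analytics set:", contains_direct_identifiers(analytics))
    print("re-identified via vault:", vault.reidentify(token))
    vault.erase(token)
    print("after erasure:", vault.reidentify(token))
```

The design point is the separation: the analytics rows carry only a keyed token and coarsened attributes, so a copy of that dataset alone does not identify anyone, while the key and the vault stay in the controlled environment. Deleting a vault entry is what gives effect to an erasure request for the pseudonymised copies, and the gate check guards against direct identifiers slipping into an export.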

10. Data transfers

Data transfers outside of the European Economic Area will continue to be restricted and highly regulated. This will therefore remain a major consideration for multinational organisations and even those using extended supply chains which process any personal data outside of the EEA.

RETAILER CHECKLIST

■ Map and understand data flows to clearly understand those that operate across the border of the EEA.

■ Review procurement policies and contracts to ensure that any data transfer for which you are responsible is understood and compliant.

11. Consumer rights

Consumers will get new protections and rights under the GDPR including:

■ The right to complain when their data is processed contrary to the GDPR.

■ The right to a legal remedy against a data processor or controller.

■ The right to compensation.

RETAILER CHECKLIST

■ Data controllers and their processors must ensure that all and any data processing agreements and contracts are clear in terms of dispute resolution and the respective liabilities to handle compensation.

PART THREE

Considerations and conclusions

Regulators like the Information Commissioner’s Office (ICO), with its new Commissioner, are already expecting more from businesses in the UK. It will be demanding an increase in compliance standards, backed by an increasingly robust use of the current enforcement regime. GDPR gives the regulators even more power, alongside the increased importance allocated under GDPR to individual rights to privacy, transparency and choice in relation to personal details. This could result in fines of up to the greater of 4% of the preceding year’s global annual turnover or €20 million.

Retailers need to develop a plan to assist key stakeholders in starting to deal with the key risks identified and to prioritise the tasks necessary to achieve GDPR compliance. Some of the first practical steps that retailers operating digital channels should look at include updating their standard contracts with digital service suppliers; reviewing, inventorying and auditing their personal data storage and processing; and reviewing the relevance of the privacy and standard of consent wording under which their marketing and targeting databases have been or continue to be collated.

The EU’s new data protection regulation is without doubt complicated, but there are 10 key facts businesses need to know:

1. It applies to all: The GDPR applies to all companies worldwide that process personal data or monitor the behaviour of European Union (EU) citizens. This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.

2. It redefines personal data: The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information, including associated data such as IP addresses and cookies that can trace back to an individual.

3. Consent cannot be assumed: Having the ability to prove valid consent for using personal information is likely to be one of the biggest challenges presented by the GDPR, as it requires all organisations collecting personal data to be able to prove clear, specific, informed, unambiguous and affirmative consent to process that data.

4. DPO is mandatory for some: The GDPR requires public authorities processing personal information to appoint a data protection officer (DPO), as well as other entities, when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. It is arguably not clear that this is yet directly relevant to retailers, although the volume processing of personal information tied to browsing behaviour, payments and delivery addresses all feature a heightened responsibility for care and governance.

5. Introduction of mandatory Privacy Impact Assessments (PIAs): The GDPR requires data controllers to conduct Privacy Impact Assessments or PIAs where there is a high degree of risk for data subjects.


6. Common data breach notification requirements: The GDPR harmonises the various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data and report breaches quickly. Retailers need to ensure they have processes in place and flowed down to anyone engaged to carry out processing.

7. The consumer’s right to be forgotten: Organisations have to ensure that they have the processes and technologies in place to delete data in a timely response to specific requests from data subjects, whether this relates to in-store activity or online, or both.

8. Extended liability across the supply chain includes data processors: In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that touch personal data and that now includes the data processor. This is particularly relevant in eCommerce operations.

9. Privacy by design: The GDPR requires that privacy is in-built by design in both systems and processes, again placing a burden of validation when third parties are involved in the use of personal data on your behalf.

10. It’s a Europe-wide control: The ‘one-stop-shop’ theory means that if organisations have multiple establishments across the EU, the Data Protection Authority for its main establishment will be its ‘lead authority’. This lead authority has the power to regulate that organisation across all Member States.

In addition, legal proceedings against a controller or processor can be brought in either the Member State where the controller or processor has an establishment, or the Member State in which the data subject resides. This means that under GDPR, an organisation may be subject to legal proceedings in unfamiliar jurisdictions, outside the Member State(s) in which it is established.

The UK Information Commissioner has made it clear that in terms of incident reporting, organisations that proactively report breaches will be given more credit than organisations who do not report a breach that is then subsequently discovered and reported by a third party.

It is therefore logical to assume that a retailer that demonstrates a proactive approach to relevant personal data capture and processing, is proactive in ensuring data security, and has a credible range of technical, management and operational controls in place will be better placed: not only to avoid a breach, but, in the unfortunate event of a breach, to receive a lower fine than an organisation that takes no measures or blatantly disregards its obligations under GDPR.

PART FOUR

Getting ready for GDPR

The General Data Protection Regulation will significantly impact how retailers collect and process personal information. The May 2018 enforcement date may seem far away, but the sector should not underestimate the amount of work involved and time needed to prepare for GDPR, and preparations should be underway now.

It will require a fundamental rethink by each retailer, be they a traditional retailer or a born-in-the-cloud retailer operating online, about how it approaches data protection compliance: from what details are treated as ‘personal’ or ‘sensitive’, to how to handle the regulation and who is responsible for ensuring compliance.

The GDPR is now law – it is not going to go away because of Brexit – it is here to stay. And given that it is now in UK law, the Board of your retail business is now accountable. Retailers need to be aware of the impact of GDPR throughout the business:

■ IT departments, which are responsible for the technology used to secure data, will be in the spotlight, as will their service providers in turn.

■ HR departments need to take the lead on training and educating employees on their responsibilities.

■ Marketing departments, in particular, will need to assess and think about the data they buy, collect, store and use for marketing purposes, including data newly captured by the definition of personal data, such as cookies and IP addresses.

■ Customer Services, Sales and Operational teams using a CRM, Order Management or ERP system will also have to fully comply with the GDPR and that will include the data held on delivery addresses and orders placed.

■ eCommerce and Merchandising departments are now going to have to audit suppliers regularly and failure to audit your supply chain could have severe consequences. Furthermore, sharing data up or down the supply chain which results in a data breach will put controllers and processors under scrutiny for how the data was shared and the diligence applied. Specific attention also needs to be given to what constitutes personal data under GDPR and the scenarios that involve the use of cookies or the tracking of IP addresses or personal devices.

■ And finally finance, which, because of its role in storing financial data relating to and recorded on individuals, will also fall within the orbit of the GDPR. That includes any data stored on a customer and their purchasing history, no matter where and when they bought a product.


Specific considerations for eCommerce operations

As a retailer in the new online and / or omni-channel era, you will know that at the heart of your operations, data is king. But with the GDPR you will need to ask a series of specific questions in relation to your data and any third-party suppliers you rely upon to deliver your services to market:

1. Which suppliers store or process customer personal data on your behalf to enable you to target consumers and sell products or services?

2. You will need to record what data is shared between which parties and ensure that it is consistent (e.g. from eCommerce to CRM to Marketing service provider).

3. Are these suppliers compliant with GDPR and are your consumer commitments to GDPR backed up by agreements with these third parties where relevant?

4. Is the legal basis of Supplier Agreements written under appropriate legal jurisdiction (i.e. EU), or, if outside, how is the path of accountability maintained under contract?

5. Where will your data be physically stored?

6. Where will any secondary site/data be located?

7. If your data is stored outside of the EU what provision does your supplier have to protect it and comply with your obligations under GDPR?

8. If suppliers store any of your data in the USA do they comply with prevailing international standards, i.e. Privacy Shield?

9. If you cancel the service of a supplier of digital services at any point, do they contractually commit to delete all your customer personal data, if so, how quickly and how is this evidenced?

10. Have you got appropriate security measures in place?


11. Do your Supplier contracts include mandated provisions?

12. Do you have written records for processing?

13. What technical measures do you have in place to ensure appropriate security (i.e. encryption, pseudonymisation, etc)?

14. breaches and responding to data subject requests.

15. If transferring outside the EEA, do you comply with requirements under GDPR to ensure personal data is adequately protected?

In regard to interaction and communication with consumers, it is essential that your digital channels:

1. Ensure consent is freely secured to store and process personal data. This cannot be implied but must be unambiguous and explicitly provided by the consumer.

2. State which data you will capture and for what specific purposes.

3. Publish consistent Privacy Policies containing all required information.

4. State how long data will be held for.

Love your customers – get ahead on GDPR

Get started – a high level GDPR checklist

The following is an overview of key activities to help you further research and prepare for enforcement of GDPR:

1. Check you have notified the ICO that you are a Data Controller – this is simple to do online by visiting www.ico.org.uk.

2. Share information with Management and your Board on GDPR impact and obligations e.g. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf and https://ico.org.uk/for-organisations/data-protection-reform/gdpr-messages-for-the-boardroom.

3. Use a data self-survey to assess risk and readiness for GDPR enforcement e.g. https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment/getting-ready-for-the-gdpr.

4. Update or Implement and adhere to a formal data protection policy.

5. Update or Implement a privacy policy containing appropriate measures.

6. Appoint someone responsible for managing and monitoring GDPR compliance.

7. Prepare for enforcement of the new law by updating processes and auditing the personal data you hold, in order to ensure only relevant data is retained (securely).

8. Train your staff on GDPR and their obligations and responsibilities.

9. Check and/or update your data collection consent wording across your relevant channels.

10. Check customer and supplier contracts, notably those with digital service suppliers in your supply chain that provide service to your customers.

11. Check your insurance coverage for compliance to GDPR.

12. Check group companies located inside/outside the EU and their activities and carry out an international data flow mapping exercise.

13. Check transparency requirements and notifications of data subjects of any processing.

14. Check that all personal data is only used for purposes for which it was collected.

15. Check retention periods for holding personal data.

16. Check policies for monitoring/handling data subject rights.

17. Check security procedures and measures currently in place.

18. Check data breach processes and procedures.


Call Tryzens today to discuss which support services options best fit your needs, +44 (0)20 7264 5900 or visit www.tryzens.com

Tryzens Limited 5th Floor, 101 Finsbury Pavement, London EC2A 1RS

+44 (0)20 7264 5900 www.tryzens.com

©Copyright Tryzens Limited 2017. All rights reserved. Tryzens and TradeState are registered trademarks.