
What are the implications of the GDPR for the retail sector?

In this era of personalised communication strategies and targeted online marketing, radical changes to data protection laws have huge implications for retailers. Matthew Williamson examines some of them.

The General Data Protection Regulation (GDPR) will come into effect on 25 May 2018. It’s a big deal for retailers and something they absolutely need to be on top of.

This is because data is the most valuable commodity retailers can have in relation to their consumers, whether that is business-to-business or business-to-consumer. What you know about your consumers shapes your proposition, your pricing and your supply chain.

In the UK we have a strong digital infrastructure and are good at selling things online, but the GDPR has very sharp teeth and will take a chunk out of any retailers who don’t comply. With a maximum fine of between €10 million (or two percent of annual global turnover) and €20 million (or four percent of annual global turnover), even online giants will receive eye-watering punishments for any regulatory lapses.

There are four key aspects of the GDPR that retailers should be aware of – and you cannot act soon enough to address all of them.

Firstly, privacy notices will be much more prescriptive than at present. These are the statements you put on your website telling consumers what you will do with their data. The familiar tick boxes will still feature prominently, but consumers will have to proactively opt in.

This means retailers must provide detailed information enabling consumers to make fully informed decisions on whether they want to allow that retailer to hold and process their data. New privacy notices need to explain why data is needed; how this will affect the consumer; the criteria used to decide how long data is retained; and the consumer’s right to withdraw their consent.

Compliance will be one of the main burdens of privacy notices, but responding to consumers’ requests for information will be an equally formidable challenge. When this happens, retailers will be required to perform a similar processing task to that involved in a freedom of information request.

The second key area is accountability and record keeping. Again, compliance will be an issue but retailers will also have to demonstrate that they have kept their records up to date and in accordance with the GDPR.

Thirdly, you must have a written agreement with any third party that processes data for you. If a retailer outsources the collection of information – which a lot of large businesses do – then they need a robust written agreement that sets out the terms and conditions between them and the third party outsourcer. In addition, there are contractual clauses prescribed by the GDPR that mean many agreements between retailers and the parties who collect and process their data will have to be torn up and drawn up from scratch – at significant cost.

Finally, retailers must address enhanced individual rights regarding information held on individuals. These include the right to be forgotten and a right to data portability, which ties in with data passports.

For example, logging onto a site using Facebook means the social media platform becomes your data controller. The issue for Facebook and other data controllers will arise when people say they aren’t happy and want you to switch to another data controller. The challenge for retailers is about making sure this is done properly.

The clock is ticking and retailers have until 25 May this year to get their GDPR act together. If you already have rigorous data collection and processing systems in place, you are not going to be a million miles away from what is required. Even so, retailers need to move now to ensure they are geared up for these sweeping and far-reaching changes.

If you need further information or guidance, contact our experts in retail law or our data protection solicitors.
