Monday June 24th, 2019
What actually is GDPR
…and how does it affect my business?
The General Data Protection Regulation (GDPR) came into effect in the UK on 25th May 2018. It’s an acronym that has been covered widely in the media and discussed at length in company boardrooms and it has a major impact on the retail sector – but making sense of GDPR can be complicated. What actually is the ruling and what does it mean for your business?
This is the first of two blogs guiding you through. The second blog looks at the impact that the regulation has on your customers.
What is GDPR?
Since the birth of the Internet, our society has become increasingly digital-by-default. We buy goods, book services and generally organise our lives online. Almost without exception, these activities involve us sharing our personal information, such as names, email addresses and phone numbers, sometimes without even thinking.
This data has been collected and processed by companies on a vast scale for many years. It’s used in a variety of ways – for example, to build customer loyalty, promote goods and services to a wider audience. Due to the advent of technology such as artificial intelligence, the ability to use customer data for commercial advantage has become increasingly sophisticated.
The previous data protection regime, built on the 1995 Data Protection Directive, had fallen out of step with the modern digital age and had to be updated. GDPR aims to take ownership and control of personal data away from business and put it back into the hands of the consumer.
Of course, good companies were already being careful to safeguard their customer data – but GDPR has sought to formalise and prescribe a set of boundaries to ensure that all businesses are on the same page.
Essentially, all organisations in the UK, regardless of sector or size, are affected by GDPR.
What does it mean for me?
Fancy paying up to 4% of your annual worldwide turnover in fines? What about €20 million? If you fail to comply with GDPR, these are the maximum penalties (whichever of the two is higher), and they could be very real.
There is, of course, a certain amount of scaremongering going on. The Federation of Small Businesses, for example, has called on the Information Commissioner’s Office (ICO) – the body in charge of GDPR enforcement in the UK – to use a ‘light touch manner’ when dealing with non-compliance in smaller firms, focusing on ‘education and support, not punishment’.
Nevertheless, Europe-wide stories of hefty fines are starting to filter through. The Central Hospital of Barreiro Montijo, in Portugal, was fined €400,000 for access controls that let far more staff than necessary view patient records – a reminder that who can see personal data matters as much as how it is collected.
Moreover, the GDPR landscape can seem bewildering even for the largest organisations. American retailer Pottery Barn had to make an apologetic announcement to customers in the weeks following the introduction of GDPR, saying that ‘due to technical challenges caused by new regulations in Europe’ it couldn’t accept orders from the EU. And in Austria, a privacy campaign group has filed a complaint to the Data Protection Authority accusing behemoths Amazon and Apple of ‘failing to provide basic information like how their data is bought and sold on request, putting it in breach of GDPR rules’.
But there are equally companies that are getting it right and thriving in the post-GDPR world. Let’s look at some key ways that GDPR impacts your business so you’re ready to join them.
Do you have a website?
A basic marketing website which doesn’t capture any personal data can carry on as before. But any kind of e-commerce site – or any non-sales site which nevertheless encourages customers to sign up for a mailing list or similar – needs to be very upfront about getting active consent for that data collection.
GDPR demands a much higher standard of consent than before. Consent must be freely given, specific, informed and unambiguous.
In the past, a business could often use an individual’s data for marketing purposes without explicitly asking whether they agreed to it. That has changed: individuals must now actively agree to their information being used for this purpose.
Unambiguous consent requires a statement or a clear, affirmative action – for example, ticking a box which clearly says “I agree to my data being stored and processed”. Pre-ticked boxes, silence or inactivity do not count as consent, and consent for one purpose (say, email marketing) does not cover another (say, profiling). If the customer leaves the box unticked and is contacted anyway, the company in question is acting unlawfully.
At any time, customers can ask what information a business holds on them, and in many circumstances (for example where they withdraw consent, or the data is no longer needed for the purpose it was collected for) ask for it to be deleted. Such requests must be acted on without undue delay and in any event within one month, extendable by up to two further months where requests are complex or numerous.
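The consent rules just described are easy to get subtly wrong in code, so here is an added example (not from the original post, and not any particular retailer’s system) of a small consent ledger for a sign-up form. It records consent only when a checkbox was affirmatively ticked, keeps one record per purpose with the exact wording shown, refuses to use data for a purpose that has no active consent, and handles withdrawal, access and erasure requests with the one-month response deadline. The purposes, wording and form data are assumed for illustration.

```python
# Added example: a minimal consent ledger modelling the GDPR consent rules above.
# Purposes, wording, customer details and form submissions are illustrative assumptions.
import calendar
from dataclasses import dataclass, field
from datetime import datetime
from html import escape
from typing import Dict, List, Optional

# One checkbox and one sentence per purpose, so consent is "specific" rather than bundled.
CONSENT_PURPOSES = {
    "email_marketing": "I agree to receive marketing emails about your products and offers.",
    "profiling": "I agree to my purchase history being used to tailor the offers I am shown.",
}


@dataclass
class ConsentRecord:
    purpose: str                 # exactly one purpose per record
    wording: str                 # the statement the person actually agreed to, kept as evidence
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Customer:
    email: str
    name: str
    consents: List[ConsentRecord] = field(default_factory=list)


def render_consent_checkbox(purpose: str) -> str:
    """Checkbox HTML for one purpose, deliberately rendered without a `checked` attribute:
    a pre-ticked box is not an affirmative action and must not produce a consent record."""
    return (f'<label><input type="checkbox" name="consent_{purpose}" value="on"> '
            f'{escape(CONSENT_PURPOSES[purpose])}</label>')


def response_deadline(received: datetime) -> datetime:
    """One calendar month from receipt of an access or erasure request (Art. 12(3)).
    If the following month has no matching day, its last day is used."""
    year = received.year + 1 if received.month == 12 else received.year
    month = received.month % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return received.replace(year=year, month=month, day=day)


class ConsentLedger:
    def __init__(self) -> None:
        self.customers: Dict[str, Customer] = {}

    def signup(self, form: Dict[str, str], now: datetime) -> Customer:
        """Process a submitted sign-up form. Browsers only send a checkbox field when it was
        ticked, so an absent field means the box was left empty: no consent is recorded for
        that purpose, and silence is never treated as agreement."""
        cust = self.customers.setdefault(form["email"], Customer(form["email"], form["name"]))
        for purpose, wording in CONSENT_PURPOSES.items():
            if form.get(f"consent_{purpose}") == "on":
                cust.consents.append(ConsentRecord(purpose, wording, now))
        return cust

    def may_process(self, email: str, purpose: str) -> bool:
        """True only if an active consent record exists for this exact purpose; consent to
        email marketing does not authorise profiling, and vice versa."""
        cust = self.customers.get(email)
        if cust is None:
            return False
        return any(c.purpose == purpose and c.active() for c in cust.consents)

    def withdraw(self, email: str, purpose: str, now: datetime) -> None:
        """Withdrawal ends processing for that purpose. The record is kept (with the
        withdrawal time) so the business can still show when consent was held."""
        for c in self.customers[email].consents:
            if c.purpose == purpose and c.active():
                c.withdrawn_at = now

    def access_request(self, email: str) -> dict:
        """Everything held about the person, including the consent history."""
        cust = self.customers[email]
        return {"email": cust.email, "name": cust.name,
                "consents": [vars(c) for c in cust.consents]}

    def erasure_request(self, email: str, received: datetime) -> datetime:
        """Delete the customer and return the date by which they must receive a response.
        The right to erasure is not absolute: checking for an overriding reason to keep
        some data (e.g. tax records for past orders) is left to the caller."""
        self.customers.pop(email, None)
        return response_deadline(received)


if __name__ == "__main__":
    ledger = ConsentLedger()
    now = datetime(2019, 6, 24, 9, 0)
    # Constructed submissions: Alice ticked the marketing box only; Bob ticked nothing.
    ledger.signup({"email": "alice@example.com", "name": "Alice", "consent_email_marketing": "on"}, now)
    ledger.signup({"email": "bob@example.com", "name": "Bob"}, now)
    print(ledger.may_process("alice@example.com", "email_marketing"))   # True
    print(ledger.may_process("alice@example.com", "profiling"))         # False: different purpose
    print(ledger.may_process("bob@example.com", "email_marketing"))     # False: box left unticked
    print(ledger.erasure_request("bob@example.com", datetime(2019, 1, 31)))  # 2019-02-28
```

Two design points are worth noting. The form handler never looks at a default value: the only way a consent record is created is the checkbox field arriving in the request, which a browser sends only for a ticked box, so a front end that pre-ticks the box is the bug to hunt, not something the back end can paper over. And withdrawal sets a timestamp rather than deleting the record, because being able to show exactly what a customer agreed to, and when, is what you will need if a complaint reaches the ICO.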
Do you use CCTV?
Yes, CCTV imagery counts as personal data under GDPR. You need to be able to justify your use of CCTV, and since data subjects are entitled to understand how their data is being processed, it’s a good idea to install signage indicating where CCTV is in use and how the customer can find out more. GDPR also dictates that you can only keep footage for as long as its purpose actively requires, and you need to protect stored footage with measures such as encryption and limited, logged access (for digital footage) and locked premises (for recorders and tapes).
Do you have a customer database?
This is a bit of a trick question. Almost every retailer has one, for sending out marketing materials, delivering repeat orders or managing loyalty schemes, for instance – or a mixture of all three. Such databases are full of personal information. Where you use them for marketing, GDPR expects positive consent (i.e. opt-in rather than opt-out) before you add someone; processing that is genuinely needed to fulfil an order, such as holding a delivery address, rests on your contract with the customer instead. In either case you must protect the database properly.
Things get a bit more complicated when you start profiling customers, as in through a loyalty scheme or their online behaviour. If a decision based solely on that profiling is deemed to have a ‘legal effect’ (or a similarly significant effect) on the customer then, again, you need their explicit consent to do so (unless the profiling is essential for you to deliver your contract). ‘Legal effects’ and ‘similarly significant effects’ are not precisely defined and will be led by the regulator, so you need to be careful here. If you are using loyalty card data to tailor (and potentially restrict) deals to particular customers, then it is probably worth getting legal advice.
Do your suppliers have access to customer data?
One of the more difficult-to-manage aspects of GDPR is the way it travels up your supplier and partner chains. If any of your suppliers handle your customer data on your behalf – think delivery and logistics firms, or marketing companies – then they count as data processors. You still need a written contract with them, but GDPR (Article 28) now prescribes its content: what they may do with the data, the security measures they have in place, whether they may use sub-processors, how they will help you respond to a breach or a subject access request, and what happens to the data when the contract ends. If you haven’t already reviewed your existing arrangements with suppliers, then that should be an urgent task.
Do you plan on doing business with the EU?
Yes, as we are still in the European Union, this Europe-wide law applies without exception. Moreover, GDPR applies to any business, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour there, so it’s worth bearing this in mind if your business has scope outside of the UK in future.
Do you have an EPoS system?
If you collect customer data at the electronic point-of-sale, whether as part of a marketing exercise, for aftersales care or for offering finance options, then you have a duty to explain exactly what you’re collecting and why. You need positive consent – that is, an opt-in rather than an opt-out – and you need a process to follow if an EPoS terminal containing data is stolen: knowing what data was on it, and being ready to notify the ICO within 72 hours where the loss is likely to put customers at risk.
We can help with this.
So…what are the positives?
GDPR is not all doom and gloom. It actually presents a number of key opportunities.
Although subscriber lists and marketing databases may have shrunk significantly, the customers who remain are likely to be far more engaged and open to receiving information from your business. So, whereas you may previously have sent email marketing to longer lists, the likelihood is that conversion rates will now increase.
It also means that you can now be more personalised in your messaging and promotions to subscribers – leading to a higher quality of customer.
The GDPR landscape can seem overwhelming, but by looking at the different areas of your retail business in a logical way, you can break down its requirements and take a truly customer-centric approach to protecting personal data – which is, after all, what it’s all about.