Profiling

Retailers will profile customers in a number of ways, whether through the use of loyalty cards, online behavioural advertising or using CCTV to record in-store images of known individuals, all of which will fall under GDPR regulations. Consent will be needed from individual customers if that profiling has a "legal effect". Unhelpfully, these legal effects have yet to be defined, but we would expect loyalty schemes where special offers are made available to some but not all customers to fall under this label. If there is no legal effect then retailers are free to profile, provided that they have told customers about this and given them the opportunity to object.
Employees

Retailers should also bear in mind that the potential changes to data capture language or customer-facing documents won't be the only consent they need to review. The data held on employees also falls into the new regulations. Retailers will need to consider whether they are currently relying on express consent from employees to process employee personal data, and consider the alternative grounds which can be relied on instead.
Data hacks

Retailers need to ensure that they have implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. If they do not already have them, they need to put mechanisms in place to assess and then report relevant breaches to the ICO where the individual is likely to suffer some form of damage, for example through identity theft or a breach of confidentiality. They also need to ensure that there are mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms. The GDPR rules introduce mandatory data breach notifications to the ICO within 72 hours and, in some cases, to the data subjects too. Retailers should consider how an actual breach will be handled. Different procedures might be in place if a complaint comes in via a customer service call or email than if the retailer discovered the breach internally through, say, its own IT system. Either way, retailers should consider who else might need to be involved (insurers, PR agencies, other suppliers), and should raise awareness among the whole workforce and train staff in appropriate behaviour and procedures. Retailers should also implement a joined-up approach across multinationals, as a breach may concern more than one jurisdiction. A review of training and internal policies is therefore essential to ensure that you are able to comply.
Fines

The penalties for failing to comply with the new rules are potentially harsh, with fines of up to €20m or four per cent of global turnover, whichever is larger. This is a significant increase from the current maximum of £500,000 under the Data Protection Act 1998. Such a fine could have a significant impact on both large and small retailers, so non-compliance really is not worth the risk. No matter the size of the business, it is likely that you will need to take some steps in order to ensure that you are prepared for the GDPR. The more complex the retail structure, the longer it will take to change processes and behaviours.

Charlotte Ebbutt is a solicitor in the technology and media team and Malcolm Gregory is a partner in the corporate services group at law firm Royds Withy King.