GDPR: What retailers need to know

The General Data Protection Regulation (GDPR) deadline is fast approaching, with organisations that do business in the European Union (EU) required to be compliant by 25 May 2018.

What is GDPR?

GDPR is designed to give EU citizens greater control over what companies can do with their data. Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be outdated by the new legislation. The GDPR introduces tougher fines for non-compliance and breaches, with potential fines of €20 million (£15.3 million) or 4% of turnover.

When will the GDPR apply?

The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation; instead, it will apply automatically. While it came into force on 24 May 2016, after all parts of the EU agreed to the final text, businesses and organisations have until 25 May 2018 before the law actually applies to them.

What should retailers know?

Any changes to data legislation need to be carefully considered by those in the industry, because the possibility of having to relinquish data due to non-compliance, let alone the big fines accompanying it, could have a serious commercial impact.

Research from software firm Compuware shows 77% of retailers don't yet have a comprehensive GDPR strategy plan in place, and fewer than half of retailers are well briefed on the regulation and how it will impact the way customer data is handled.

The aim of the Data Protection Act (DPA) and now GDPR is to protect consumers, not hamper businesses with red tape. A sensible data security policy and a considerate approach to data collection and processing will go a long way to minimise retailer risk.

Companies will need to actively gain consumer consent to store and process personal data. They will need to ensure they use clear and transparent language when securing this consent, and that they understand the potential uses of the information. Going forward, opt-out and pre-ticked consent methods will no longer be considered sufficient.

A survey of 2,000 consumers by retail tech supplier SAS found that a third of people will exercise the right to have their data removed from retailers under the new rules, and the same proportion will ask retailers to stop using their data for marketing purposes.

With 17% saying they will challenge automated decisions made by retailers and 24% indicating they want access to the data that retail companies hold about them, the new landscape is set to provide a number of challenges for the industry.

The UK government has confirmed that the country’s decision to leave the EU will not affect the commencement of GDPR – and that is because it impacts all organisations that do business within the union.

According to the Direct Marketing Association (DMA), GDPR will be “the gold standard of data protection law” and meeting these regulations will ensure businesses comply with the majority of global data protection laws. The fundamental importance to business of GDPR is clear.