What You Need to Know About The General Data Protection Regulation

The General Data Protection Regulation, or the GDPR, is the European Union’s new regulation on data and cyber-security that will become law in the EU on May 25, 2018. It’s designed to legally strengthen data protection for everyone living in the European Union, and create a single data protection regime for businesses and consumers to rely on.

The GDPR will apply to anyone doing business in the EU that handles personal data, it doesn’t matter whether you’re based in the EU or not. If your company processes, stores or transmits personal data belonging to EU residents, you’ll have to comply as well as show evidence you want to comply.

The GDPR Advisory Board answered questions about training your workforce with the latest legal requirements, working to manage your data in a compliant way, and other ways to become legally compliant before the May 2018 deadline.

Q: What kind of information does the GDPR apply to?
The use and storage of personal data. Loyalty cards, purchasing information, e-shots and any personal data that you hold for your customers will all need to be handled in a GDPR compliant way. Currently, when you collect data, you have to provide individuals with certain information, such as your identity and how you plan to use their data. This is usually done via a privacy notice. 

Under the GDPR you will have to also outline your “lawful basis” for processing the data, detail your data retention periods and explain that the participating individual has certain rights. Such as ‘the right to be forgotten’ or, as is a concern for some major retailers ‘the right to data portability’.

Q: What are the penalties for non-compliance?
The penalties for failing to comply with GDPR will be severe: maximum fines of up to 4 percent of worldwide annual turnover or $23,500,000 (€20m), whichever figure is greater. As well as the financial implications, the detrimental PR a public penalty can bring in the already competitive retail sector could be huge.
Q: How does the GDPR affect policy surrounding data breaches?
Data breaches are going to happen, and the regulators know it. What matters is how well you respond; and the GDPR demands that breaches are reported within 72 hours. With this in mind, having a crisis plan in place to deal with data breaches is essential, as is testing it.

Q: What rights will individuals have under GDPR?
Rights for the consumer increase considerably under GDPR — retailers will need to be responsive and avoid dodgy small print. 

Article 12 of the GDPR says that you must communicate with individuals about their data and the way you process it “in a concise, transparent, intelligible and easily accessible form, using clear and plain language… in writing, or by other means, including, where appropriate, by electronic means.” 

You also need to respond to consumers who want to invoke their right to be forgotten within one month of the request.

Q: Explain the GDPR Advisory Board and the role it plays within the retail industry?
Industry leaders and academics have joined together to create The GDPR Advisory Board an easily-accessible, authoritative platform for organisations, including retailers, baffled by the implications of the forthcoming GDPR to access. Expert advice from the new ‘GDPR Advisory Board’ is available through a non-commercial website, www.gdpr-board.co.uk, where users can contact the GDPR Advisory Board with questions via a Q&A portal or by emailing info@gdpr-board.co.uk.

Professor David Stupples provides data protection advice for the UK government as well as lecturing at Cambridge University. Alfred Rolington was formerly CEO at Jane’s Information Group and is an expert in cyber-security, presenting at Oxford University from time to time. Piers Clayden is the Founder of IT and Data Security legal firm, Clayden Law whilst Nick Richards heads up the GDPR e-learning provider Me Learning.

Training provision is recommended by visiting www.melearning.co.uk/gdpr which provides cost-effective GDPR e-learning solutions written by legal experts. Legal advice can be sought by GDPR legal specialist Clayden Law. 

Q: What do retailers need to understand about GDPR and its implications on the business?
Piers Clayden, Founder of Clayden Law and legal expert for the GDPR Advisory Board comments: “GDPR is primarily about bolstering the rights of individuals (which in a retail environment means the consumer) to give them more control over how organisations use their personal data. 

It is clear that the direction of travel for the UK’s regulator will be very much focused on the B2C arena when it comes to enforcement. From the retailers’ point of view, where they are going to have to really change their mind set is around (a) being totally transparent with consumers over how they plan to use their personal data; and (b) moving away from a tick box environment to one where privacy is at the heart of what they do (and being able to demonstrate that this is the case). 

Those retailers who are successful in doing this should bolster their reputations and build consumer trust and loyalty. For those that fail to do so, the consequences are potentially severe, not just in the form of regulatory fines, but also damages claims, from individuals and loss of reputation.”

Alfred Rolington, also a member of the GDPR Advisory Board and former CEO of Jane’s Information Group adds, “At a basic level, GDPR means that the retail businesses will, like other organisations, need to be transparent concerning what client and personal data they are holding and where.

If this is not clearly done non-compliance could result in very large fines, $23,500,000 (€20million) or 4 percent of their worldwide turnover (whichever is the larger amount). Specifically, for retailers, there are other very crucial elements at risk.

There is a large PR problem for retailers when a brand that fails to comply with GDPR as it will probably be publically reported and the effect on its business could be devastating as trust in brands is crucial for the retail arena and it could bring down household brands.”

Q: How should retail organisations plan ahead for the introduction of the GDPR and understand their obligations under the new regulations?
Expert Alfred Rolington continues, “Over the next few weeks, retailers should focus on understanding their data, where it is stored and how and how much are they storing and who is managing this data.

Retail data, because of the way retailers operate is often held on a series of databases and a significant issue for many retailers will be that data is often held on multiple databases. These databases should be reviewed and analysed for content and security.

Retailers who are operating shops, stores or online sales cross-border should already be complying with the rules on international data transfers which remain similar under GDPR. However, some recent changes to the EU approved Model Clauses and the EU-US Privacy Shield and challenges means retailers will need to monitor these connections especially as the UK leaves the EU.

Overall an IT audit should take place and the senior management and directors should understand the compliant issues arising has been completed, businesses should develop a plan to ensure their operations are compliant and a Data Protection Officer must be appointed.

All staff and management who review and use customer data should be trained on GDPR and what the changes and security means for the business and customers. This applies across the company and cannot be left to IT and the legal management.”

For further information and to field questions on the forthcoming GDPR please visit www.gdpr-board.co.uk or alternatively email directly at info@gdpr-board.co.uk.

Retail Operations Insights

You Might Also Read:

The GDPR Advisory Board Offers Expert Advice:

Directors Who Conceal Cyber Attacks Could Face Prison:
 

« Russian Hackers Trying To Infiltrate US Senate
AI Powers VW’s New Electric Microbus »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

National Trading Standards eCrime Team (NTSeCT)

National Trading Standards eCrime Team (NTSeCT)

The National Trading Standards eCrime Team tackles online consumer scams, rip-offs and fraud, as well as those committed by text or email.

Cloud Foundry Foundation (CFF)

Cloud Foundry Foundation (CFF)

Cloud Foundry supports the full application development lifecycle, from inception, through all testing stages, to deployment.

Careers in Cyber Security (CiCS)

Careers in Cyber Security (CiCS)

CareersinCyberSecurity is a leading global job board and career resource for Cyber Security, IT Audit, Technology Risk and Data Protection professionals.

Slovak Security Policy Institute (SSPI)

Slovak Security Policy Institute (SSPI)

Slovak Security Policy Institute is an independent non-governmental organization that focuses on research and analysis of security challenges including defence and cyber security.

CryptoTec

CryptoTec

CryptoTec is a provider of security concepts and encryption solutions for secure communication between decentralized computerized systems.

InFyra

InFyra

InFyra is an IoT & Telecoms specialist consultancy, with extensive global and local experience in business and technology strategy, networks and solutions development.

Cyolo

Cyolo

Cyolo’s Secure Access Service Edge (SASE) platform securely connects onsite and remote users to authorized assets, in the organizational network, cloud or IoT environments and even offline networks.

Enea

Enea

Enea is one of the world’s leading specialists in software for telecommunications and cybersecurity. Our products are used to enable services for mobile subscribers, enterprise customers and IoT.

Siege Technologies

Siege Technologies

Siege Technologies is a pioneer of multi-purpose cybersecurity products and services that enable customers to leverage both offensive and defensive technologies.

National Academy of Cyber Security (NACS)

National Academy of Cyber Security (NACS)

National Academy of Cyber Security provides Professional Training Courses and Programmes in Cyber Security.

Swissbit

Swissbit

Swissbit AG is the leading European manufacturer of storage, security and embedded IoT solutions for demanding applications.

Coretelligent

Coretelligent

Coretelligent is a leading providers of Managed and Co-Managed IT, cybersecurity and private cloud services.

First Focus

First Focus

First Focus is a managed service provider for medium-sized organisations.

Thoropass

Thoropass

Thoropass (formerly Laika) helps you get and stay compliant with smart software and expert services.

CyberGrape

CyberGrape

CyberGrape is a client centric managed services company, providing enterprise leading security solutions and helping companies through their IT risk and security challenges.

Argantic

Argantic

Argantic aims to help organisations thrive and reach their full potential in a modern cloud-centric era.