What You Need to Know About The General Data Protection Regulation

The General Data Protection Regulation, or the GDPR, is the European Union’s new regulation on data and cyber-security that will become law in the EU on May 25, 2018. It’s designed to legally strengthen data protection for everyone living in the European Union, and create a single data protection regime for businesses and consumers to rely on.

The GDPR will apply to anyone doing business in the EU that handles personal data, it doesn’t matter whether you’re based in the EU or not. If your company processes, stores or transmits personal data belonging to EU residents, you’ll have to comply as well as show evidence you want to comply.

The GDPR Advisory Board answered questions about training your workforce with the latest legal requirements, working to manage your data in a compliant way, and other ways to become legally compliant before the May 2018 deadline.

Q: What kind of information does the GDPR apply to?
The use and storage of personal data. Loyalty cards, purchasing information, e-shots and any personal data that you hold for your customers will all need to be handled in a GDPR compliant way. Currently, when you collect data, you have to provide individuals with certain information, such as your identity and how you plan to use their data. This is usually done via a privacy notice. 

Under the GDPR you will have to also outline your “lawful basis” for processing the data, detail your data retention periods and explain that the participating individual has certain rights. Such as ‘the right to be forgotten’ or, as is a concern for some major retailers ‘the right to data portability’.

Q: What are the penalties for non-compliance?
The penalties for failing to comply with GDPR will be severe: maximum fines of up to 4 percent of worldwide annual turnover or $23,500,000 (€20m), whichever figure is greater. As well as the financial implications, the detrimental PR a public penalty can bring in the already competitive retail sector could be huge.
Q: How does the GDPR affect policy surrounding data breaches?
Data breaches are going to happen, and the regulators know it. What matters is how well you respond; and the GDPR demands that breaches are reported within 72 hours. With this in mind, having a crisis plan in place to deal with data breaches is essential, as is testing it.

Q: What rights will individuals have under GDPR?
Rights for the consumer increase considerably under GDPR — retailers will need to be responsive and avoid dodgy small print. 

Article 12 of the GDPR says that you must communicate with individuals about their data and the way you process it “in a concise, transparent, intelligible and easily accessible form, using clear and plain language… in writing, or by other means, including, where appropriate, by electronic means.” 

You also need to respond to consumers who want to invoke their right to be forgotten within one month of the request.

Q: Explain the GDPR Advisory Board and the role it plays within the retail industry?
Industry leaders and academics have joined together to create The GDPR Advisory Board an easily-accessible, authoritative platform for organisations, including retailers, baffled by the implications of the forthcoming GDPR to access. Expert advice from the new ‘GDPR Advisory Board’ is available through a non-commercial website, www.gdpr-board.co.uk, where users can contact the GDPR Advisory Board with questions via a Q&A portal or by emailing info@gdpr-board.co.uk.

Professor David Stupples provides data protection advice for the UK government as well as lecturing at Cambridge University. Alfred Rolington was formerly CEO at Jane’s Information Group and is an expert in cyber-security, presenting at Oxford University from time to time. Piers Clayden is the Founder of IT and Data Security legal firm, Clayden Law whilst Nick Richards heads up the GDPR e-learning provider Me Learning.

Training provision is recommended by visiting www.melearning.co.uk/gdpr which provides cost-effective GDPR e-learning solutions written by legal experts. Legal advice can be sought by GDPR legal specialist Clayden Law. 

Q: What do retailers need to understand about GDPR and its implications on the business?
Piers Clayden, Founder of Clayden Law and legal expert for the GDPR Advisory Board comments: “GDPR is primarily about bolstering the rights of individuals (which in a retail environment means the consumer) to give them more control over how organisations use their personal data. 

It is clear that the direction of travel for the UK’s regulator will be very much focused on the B2C arena when it comes to enforcement. From the retailers’ point of view, where they are going to have to really change their mind set is around (a) being totally transparent with consumers over how they plan to use their personal data; and (b) moving away from a tick box environment to one where privacy is at the heart of what they do (and being able to demonstrate that this is the case). 

Those retailers who are successful in doing this should bolster their reputations and build consumer trust and loyalty. For those that fail to do so, the consequences are potentially severe, not just in the form of regulatory fines, but also damages claims, from individuals and loss of reputation.”

Alfred Rolington, also a member of the GDPR Advisory Board and former CEO of Jane’s Information Group adds, “At a basic level, GDPR means that the retail businesses will, like other organisations, need to be transparent concerning what client and personal data they are holding and where.

If this is not clearly done non-compliance could result in very large fines, $23,500,000 (€20million) or 4 percent of their worldwide turnover (whichever is the larger amount). Specifically, for retailers, there are other very crucial elements at risk.

There is a large PR problem for retailers when a brand that fails to comply with GDPR as it will probably be publically reported and the effect on its business could be devastating as trust in brands is crucial for the retail arena and it could bring down household brands.”

Q: How should retail organisations plan ahead for the introduction of the GDPR and understand their obligations under the new regulations?
Expert Alfred Rolington continues, “Over the next few weeks, retailers should focus on understanding their data, where it is stored and how and how much are they storing and who is managing this data.

Retail data, because of the way retailers operate is often held on a series of databases and a significant issue for many retailers will be that data is often held on multiple databases. These databases should be reviewed and analysed for content and security.

Retailers who are operating shops, stores or online sales cross-border should already be complying with the rules on international data transfers which remain similar under GDPR. However, some recent changes to the EU approved Model Clauses and the EU-US Privacy Shield and challenges means retailers will need to monitor these connections especially as the UK leaves the EU.

Overall an IT audit should take place and the senior management and directors should understand the compliant issues arising has been completed, businesses should develop a plan to ensure their operations are compliant and a Data Protection Officer must be appointed.

All staff and management who review and use customer data should be trained on GDPR and what the changes and security means for the business and customers. This applies across the company and cannot be left to IT and the legal management.”

For further information and to field questions on the forthcoming GDPR please visit www.gdpr-board.co.uk or alternatively email directly at info@gdpr-board.co.uk.

Retail Operations Insights

You Might Also Read:

The GDPR Advisory Board Offers Expert Advice:

Directors Who Conceal Cyber Attacks Could Face Prison:
 

« Russian Hackers Trying To Infiltrate US Senate
AI Powers VW’s New Electric Microbus »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

GFI Software

GFI Software

GFI Software works with System Administrators, IT Professionals and IT Executives to ensure that their IT infrastructures are monitored, managed, secured and compliant.

MobileIron

MobileIron

MobileIron provides EMM capabilities to IT organizations that need to secure mobile devices, applications and content.

ContentKeeper

ContentKeeper

ContentKeeper provides Web Threat Protection solutions to secure today’s Web 2.0 and mobile centric business environments.

Bit4id

Bit4id

Bit4id provides software and systems for security and identification based on PKI technology.

Exabeam

Exabeam

Exabeam is a global cybersecurity leader that delivers AI-driven security operations.

IdenTrust

IdenTrust

IdenTrust enables organizations to effectively manage the risks associated with identity authentication.

Buglab

Buglab

The Buglab contest and Vigilante Protocol help companies all over the world to discover and fix vulnerabilities on their digital solutions or assets.

Wizlynx PTE LTD

Wizlynx PTE LTD

Wizlynx PTE LTD is the Singapore branch of Wizlynx Group located in Singapore, offering Information and Cyber Security Services throughout the entire Asia Pacific (APAC) region.

Kippeo Technologies

Kippeo Technologies

Kippeo is a security systems integrator providing innovative solutions that look at all the parameters and connect all the dots.

IoT M2M Council (IMC)

IoT M2M Council (IMC)

The IMC is the largest and fastest-growing trade organisation in the IoT/M2M sector.

SecureThings

SecureThings

SecureThings focus is to provide guidance and technology to secure connected vehicles in order to build end-to-end security for the automotive industry.

Phakamo Tech

Phakamo Tech

Phakamo Tech offers a full set of governance, risk, compliance, cybersecurity and Microsoft Cloud services that include consulting, planning, implementation and cyber incident response.

Dynamic Quest

Dynamic Quest

Dynamic Quest is a managed IT, cloud and security services companies, providing a comprehensive range of technology services including cybersecurity, backup and disaster recovery.

Vali Cyber

Vali Cyber

Vali Cyber was founded in 2020 with the mission of addressing the specific cybersecurity needs of Linux.

Protos Labs

Protos Labs

Protos Labs enables insurers & enterprises to make better cyber risk decisions through holistic, real-time risk management tools.

12Port

12Port

12Port network security solutions help companies tackle modern cybersecurity threats cost-effectively while implementing zero-trust architectures.