With less than 15 months to go until the new EU General Data Protection Regulation (GDPR) takes effect on 25 May 2018, Walker Morris’ Gwendoline Davies, a specialist in commercial dispute resolution in the retail sector, and Vikki Hoyle, a specialist in data protection regulation, explain what the changes mean for luxury retailers and why it’s important to implement a compliance strategy now.
A new regime for all
The existing data protection regime is now over 20 years old and the markets in which luxury brands operate have changed significantly since it came into force in the late 1990s. GDPR aims to harmonise data protection legislation by the creation of an EU-wide single legal framework, to recognise and embrace technological advances and to strengthen citizens’ fundamental data protection rights.
GDPR will have direct effect in all EU Member States (that is, it will apply directly in all Member States without the need for UK legislation to enact it) from 25 May 2018. Although GDPR is a piece of European legislation, the UK government has confirmed that, for data protection at least, Brexit doesn't mean Brexit and the UK will adopt the GDPR on 25 May 2018. Even after Brexit, GDPR's expanded territorial scope means that UK luxury brands which offer goods or services to EU data subjects, or which monitor EU data subjects' behaviour, will be subject to GDPR.
Crucially, there is no transitional period. When GDPR comes into force UK organisations must immediately comply with the new regime and that means that the countdown has started for the development and implementation of a compliance strategy.
What do the changes mean for luxury retailers?
All retailers are likely to hold and use a wide variety of personal data, relating to employees, customers and even potential customers (for consumer research and marketing purposes). Luxury retailers, in particular, commonly maintain a 'little black book' to keep a note of important details such as the birthdays, clothing sizes, family details, colour preferences, purchase histories and the like, of their discerning customers. All these records are a hugely important and valuable resource for retailers, whose customers often demand discretion and who will expect, as an absolute minimum, complete compliance with data protection legislation.
So, as responsible data controllers and processors, luxury retailers should be getting to grips with the new, more extensive data protection regime imposed by GDPR (and the draft ePrivacy Regulation), and implementing their compliance strategies, now.
Some of the key changes which are likely to be particularly relevant for luxury retailers are explained below.
Changes to the rules on consent
Many retailers rely on obtaining a consumer's consent to processing their data. GDPR significantly raises the standards which must be met for consent to be valid. Consent must be freely given, specific, informed and unambiguous. It also requires a clear affirmative action by a consumer. This means that the days of pre-ticked opt-in boxes and opt-out boxes consenting to marketing communications are numbered. Retailers will need to keep clear records of how and when consent was given and existing consents will need to be renewed if they don't meet the higher standards imposed by GDPR or retailers are unable to evidence that the consent was validly given.
Contracts with suppliers
Retailers often use other companies to deliver packages, send customer communications, analyse data, process payments and provide customer service. In order for these companies to provide such services, retailers will need to share personal information with them. Under GDPR, contracts between retailers and their suppliers must be in writing and must include certain mandatory provisions, including obligations on suppliers to implement appropriate technical and organisational security measures to protect data, to report data breaches, to process data only on documented instructions from the retailer, and to allow and contribute to audits by the retailer.
Data breach notification
Currently, there is no legal requirement to report a data breach to the Information Commissioner’s Office (ICO), although the ICO expects to be informed of any serious breaches. In light of the potentially huge damage to a brand arising from a data breach, however, many luxury brands choose not to report data breaches.
GDPR will introduce a new obligation on retailers and other organisations to notify data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Luxury retailers will therefore need to have a data breach response plan in place so that they can respond quickly and effectively in the event of a breach and limit the damage to both the brand and its customers.
Other key changes
The GDPR also encompasses other key changes, including increased fines for data protection failings; more detailed record keeping requirements; the requirement for many organisations to appoint a data protection officer (who must be an expert in data protection law); and significantly enhanced data protection rights for individual customers. The latter include:
- Changes to Subject Access Requests (SARs). The information that individuals can request pursuant to a SAR has been expanded, whilst the time frame for complying has been reduced from 40 days to one month and in most cases it will no longer be possible to charge a fee for providing the requested information.
- Right to be forgotten. Individuals are entitled to have their personal data erased in certain circumstances (for example where the data is no longer necessary in relation to the purpose for which it was collected; where the individual withdraws consent; where the data has been unlawfully processed, etc.). Where an organisation removes data pursuant to this right ‘to be forgotten’, it must also inform others to whom it has passed the data of the erasure request.
- Right not to be subjected to wholly automated processing (known as 'profiling') for the purposes of evaluating personal aspects such as health, personal preferences, behaviour and movements.
These new rights have a number of practical implications for retailers. For example, there appears to be no requirement for individuals to make any of the above requests in writing, so retailers will need to ensure that their HR, customer-facing and marketing teams are able to recognise SARs and other requests and know how to deal with them appropriately. Retailers will also need to consider who will be responsible for responding to the requests and whether they have sufficient resources to deal with them. Unless managed properly, responding to such requests could be costly in terms of staff and management time and, if mistakes are made, in terms of customer relations, brand reputation and potential fines from the ICO.
Whilst GDPR means greater consistency across the EU in data protection rules and regulation, which should be a good thing for both businesses and individuals, it is also likely to mean greater scrutiny and greater administrative pressures on retailers.
As easy as 1, 2, 3?
The key to compliance for luxury retailers is:
- ensure you understand in detail how you currently deal with personal data across every aspect of your business;
- ensure you understand how the new requirements will impact your business; and
- develop a comprehensive compliance strategy, including an implementation timetable, to ensure that you are ready for 25 May 2018.
Step 1: Full information audit
The best way to understand how you currently deal with personal data is to carry out a full information audit, which should include identifying what personal data is collected; how it is processed; where it is stored; the security measures which are in place to protect the data; how long data is retained, etc. The report produced from the audit should also form the basis of the records that retailers are required to maintain in respect of their data processing activities.
Step 2: Gap analysis
The results of the audit should also enable retailers to perform a gap analysis to identify where changes are required to bring policies, procedures, processes and systems into line with the requirements of GDPR.
Step 3: Compliance strategy
The outcome of the information audit and the gap analysis should together form the building blocks of the retailer's GDPR compliance strategy. As changes to systems and processes can require a significant lead-in time, it is important that the strategy includes a timetable to ensure that the deadline of 25 May 2018 can be met.
Walker Morris comment
How much retailers will need to do to bring their existing practices into line with GDPR will depend, to a large extent, on how compliant they are with the current regime. Some will have more to do than others but following our 3-step process will set you off on the right foot. This article only provides a very brief overview of some of the key changes taking place under GDPR, so for further advice or assistance with undertaking an information audit or implementing a compliance strategy, please do not hesitate to contact Gwendoline Davies or Vikki Hoyle.