GDPR replaces the EU DPD in 2018: How retailers can get ready

Camilla Lichti December 6, 2018

Companies can retrieve a massive amount of customer information as a result of using enhanced digital technology in their operations. For instance, consumers browsing e-commerce sites leave digital traces of their shopping behaviour, and even those going to physical stores leave their footprint when retailers use technologies such as RFID (Radio Frequency Identification) or NFC (Near Field Communication) to engage with purchasers.

Access to valuable customer data lets retailers better understand their client base and offer an enhanced shopping experience. Nevertheless, handling this much personal information comes with liability for it.

Specifically, companies that sell their goods or services to purchasers located in the European Union have to consider the implications of the EU arrangements that regulate data protection. Currently, the issue is handled by the 1995 EU Data Protection Directive, yet a new regulation, the General Data Protection Regulation (GDPR), which becomes effective on May 25, 2018, will introduce stricter measures for companies handling customer data.

This article outlines the new enactment, its key changes compared with the present Directive and the implications of the new data protection regulation for the retail industry, and shows how merchants can get ready and react to the stricter regulatory provisions.

The EU Data Protection Directive

Adopted in 1995, the Data Protection Directive (DPD – also known as Directive 95/46/EC) presently manages privacy and data protection in the European Union. Implemented by national parliaments of the member states, the EU Directive says that data handling is only allowed by law if the individual whose data is collected (data subject) has unequivocally given consent.

Directive 95/46/EC sets the essential elements of data protection that member states must convert into national law. Each state manages the regulation of data protection and its application within its jurisdiction, and data protection representatives from the EU states participate in a working group at the community level, pursuant to Article 29 of the Directive.

In the Data Protection Directive, personal data is defined as any information that relates to an “identified or identifiable natural person”. The DPD dictates that the data controller guarantees compliance with the principles relating to information quality, and provides a list of valid purposes for data handling. The data controller has obligations toward the data subject whenever personal data is collected directly from the individual concerned or acquired otherwise. The data controller is additionally required to implement proper technical and organisational measures against unlawful destruction, accidental loss or unauthorised modification, disclosure or access.

Data subjects’ individual rights, as stated in the Directive, are:

  • the right to know who is the data controller, the receiver of the information and the purpose of the handling;
  • the right to rectify erroneous data;
  • a right of recourse in the event of unauthorised processing;
  • and the right to withhold consent to data usage in particular situations.

For instance, persons are entitled to opt out, free of charge, from receiving direct promotional material. Directive 95/46/EC has reinforced protections regarding the use of sensitive personal data concerning, for instance, health, sex life or religious or philosophical beliefs.

The regulatory framework on the handling of personal information can be enforced either through administrative measures of the supervisory authority or through legal proceedings. Member states’ supervisory authorities are endowed with investigative powers and effective powers of intervention, such as powers to order blocking, deletion and destruction of information or to impose a temporary or definitive ban on handling.

Any individual who has experienced harm as a consequence of an unlawful processing operation is eligible to receive compensation from the liable controller. The Data Protection Directive provides a mechanism by which exchanges of individual data outside the territory of the EU need to meet a level of processing “adequate” to the one recommended by the Directive’s arrangements.

The General Data Protection Regulation – GDPR

All companies involved in the handling and processing of personal data of European Union citizens have to comply with new legal requirements, established in the regulation known by the abbreviation GDPR (General Data Protection Regulation). This regulation was promulgated in April 2016, giving organisations a period of two years to become compliant with the requirements imposed by the GDPR.

Retailers targeting European customers will need to prepare to adhere to the new act, even if they are based outside the EU, as the regulation applies to the handling of data belonging to EU subjects, regardless of where the data controller and processor are located. Unlike the current DPD, the GDPR will be imposed directly in the EU member states, without the need for legislative mediation by national parliaments. In this way, the GDPR will limit the chance of diverging interpretations of the regulation in different jurisdictions.

British companies will not be immune from the GDPR because of Brexit, considering that it will be enforced before the date when negotiations between the United Kingdom and the European Union conclude (the most optimistic deadline is two years from March 2017, when Article 50 was triggered). Even after the UK leaves the EU, British retailers targeting European shoppers will still have to comply, given the extraterritoriality of the GDPR.

The goal is to strengthen citizens’ right to protect their data and to make processes around data simpler for companies. However, the transition to GDPR compliance is not so simple for retailers. The new regulation establishes a series of requirements that, until now, were not considered in the daily life of organisations.

Due to the short time available for merchants to adapt to the new regulation, the subject has been seen as a priority in most companies in Europe and has demanded several projects. Among the most common demands are: the review of some applications, adjustments in architectures (data and processes) and mainly actions related to Master Data Management including factors related to Data Governance and Quality.

The GDPR wording clearly states that it applies to the processing of personal data of data subjects linked to the offering of goods and services or the monitoring of their behaviour. Additionally, the text states that online identifiers such as RFID tags can be used to draw the profile of a person, thus making the case for applying the data protection principles to the use of RFID technology.

The GDPR does not radically change the data protection standards as expressed in the past Directive. As per the GDPR, individual data must be processed legitimately, fairly and transparently; collected accurately and safely; and stored with a specific reason in mind. The controller is in charge of, and must have the capacity to demonstrate, compliance with the data protection standards. The GDPR additionally expects processors to comply with specific commitments, such as maintaining adequate documentation, and makes them directly subject to sanctions if they neglect to meet these criteria.

Nevertheless, the GDPR introduces notable modifications in the level of data protection and is a major step up from the provisions of the current DPD.

GDPR: Key changes and potential impact on retailers

| Change | Meaning | Potential impact on retailers |
|---|---|---|
| Wider territorial scope | The GDPR applies to companies based outside the EU that collect data inside the EU. | The GDPR applies to all retailers with operations in the EU. |
| Tougher sanctions | Sanctions for data protection breaches could be up to 4% of the company’s annual worldwide turnover. | Retailers with international operations can incur much higher sanctions, calculated as a percentage of global turnover, even if a breach occurs within only a single division of the company. |
| Broader definition of personal data | The GDPR expands the definition of personal data to include information such as identification numbers, location data, online identifiers and other factors that may identify a natural person. Online identifiers are listed as IP addresses, cookies and RFID tags. | Retailers collecting data may be more likely to incur claims on data protection from individuals or groups of organised individuals. |
| More rights for individuals | The GDPR makes it easier for individuals or groups of individuals to bring private claims against companies processing data. For instance, data subjects will be able to claim compensation for “non-material damages”, will have enhanced rights such as the right to greater transparency, and additional rights, including the right to be forgotten, which requires companies to remove an individual’s data from their databases if the firm has no legal ground for processing the information. | Retailers collecting data may be more likely to incur claims on data protection from individuals or groups of organised individuals. |
| Processors are liable | The GDPR also regulates processors, requiring that they maintain adequate documentation, implement appropriate security standards and appoint data protection officers, among other obligations. | The GDPR increases the compliance burden by making the processor liable. Given that processors and controllers can be different departments within the same company, the provision might result in duplication of tasks within an organisation. |
| Valid consent harder to obtain | Consent to have one’s data collected must be fully unbundled from other terms and conditions, and can be withdrawn at any time. | The GDPR makes it harder for retailers to fall within the legal justification for the process of data gathering using RFID technology. |
| Data breach notification | The GDPR requires companies (both controllers and processors) to notify authorities and affected individuals of data breaches. | Data breaches due to cybercrime, lost or stolen devices and e-mails sent to wrong addresses are relatively common. Retailers need to adopt a coordinated approach to minimise their risk, including use of technology, breach response procedures and staff training. |
| Enhanced data subject rights | Controllers must provide data subjects with greater transparency in communications relating to the use of personal data. Data subjects have additional rights, such as the right to object and the right to be forgotten. | Retailers will need to review their data collection procedures to ensure compliance. |
| Location of data | An important thing to keep in mind is the location of servers, or a company’s cloud service provider. | Retailers need to keep in mind that they must have the data stored in servers located in the EU. If you use a third party to process the data, make sure they also comply with the Privacy Shield Framework principles. |
| Data protection officers (DPOs) | In some cases, the GDPR requires companies to appoint a DPO, such as when the organisation processes data on a large scale. | Retailers are unlikely to be subject to this obligation, but they should conduct an assessment to determine whether or not this provision is applicable to the kind of data they use. |
| Accountability | Organisations need to demonstrate compliance with the GDPR’s data protection principles. | Retailers will need to keep detailed records of data-processing operations. |
| Cross-border enforcement | A controller with a presence in multiple EU member states will be potentially subject to multiple countries’ regulators. | Retailers carrying or processing customers’ data will have to determine which authorities have jurisdiction over their activities. |

Source: Europa.eu / DLAPiper.com / FungGlobalRetailTech.com

How retailers can get ready for the GDPR

The GDPR demands a considerable increase in responsibility for data protection and in administrative burden for merchants handling consumers’ information. Nevertheless, we don’t believe that the GDPR will put in question retailers’ capacities to exploit shopper information, as long as organizations make a move to get ready for the new regulation.

In particular, retailers should:

  1. Analyse the lawful basis on which information is used: Understand whether the use of the tracking technology falls under the requirements of the GDPR. For instance, some RFID usage can be considered as tracking product movements in-store, rather than shopper behaviour. In those cases, the use of RFID could be exempted from the regulation.
  2. Review practices for data handling and storing: Review and improve the techniques used to keep records of information-processing actions and guarantee that suitable documentation is kept.
  3. Set up clear compliance accountability processes: Given that multiple divisions in a company will have more noteworthy responsibility, it is essential to set accurate procedures that delegate clear responsibilities inside the organisation.
  4. Instruct personnel on data protection: The increased accountability inside several divisions of an organization exposes more personnel to the responsibility of compliance and demands that employees not previously included be effectively instructed.
  5. Reassess the use of subcontractors: When selecting a data gatherer that is a third-party company, it is imperative to choose an organization that can ensure compliance.
  6. Get ready for data breaches: Establish a well-organized notification framework and put in place clear procedures to guarantee a quick response to data breaches.
  7. Prepare for data subjects’ claims: Avoid claims from clients by establishing clear and explicit data consent policies, and get ready for consumers to use their rights with actions that guarantee efficient responses.
  8. Be aware of which controllers have jurisdiction over international operations: It is essential for retailers that work internationally to figure out which authorities have jurisdiction over data-handling activities in various countries.