Cybertill CEO, Ian Tomlinson, shares his insight into GDPR in a bid to debunk the myths surrounding one of the biggest pieces of legislation in the 21st century
Way back in 1998 a piece of legislation was passed in Europe called the Data Protection Act (DPA). According to the Office for National Statistics then, only 9% of UK households had access to the internet. Fast forward to 2017, 90% of households are now connected, and the way we consume has changed dramatically. To prove its rise, 300,000 people now shop on Amazon and more than 90,000 companies in the UK use Amazon Business. A lot has happened to shape the industry in 20 years and Amazon encapsulates it almost seamlessly.
Rapid advancements in technology and changes in consumer behaviour mean that the DPA is no longer enough to protect consumers’ right to privacy. This technology-driven shift in behaviour means that the volume of personal data collected by companies has drastically increased. The rise of social media has normalised the exchange of personal data for a digital service, and even search engines such as Google require personal data to power connected services. We know how freely we give our information, and so does the Information Commissioner’s Office (ICO).
Enter GDPR, the General Data Protection Regulation, which will come into effect on 25th May 2018. GDPR is a response intended to safeguard personal data and give people more of a say over whether and how companies can use their data. The legislation will be the same across all EU states.
It brings tougher fines for companies that are non-compliant or that breach data protection rules. GDPR applies not only to organisations across Europe, but also to companies worldwide that deal with any EU national, and they too face penalties if they are non-compliant or breach data protection rules.
How will GDPR affect retailers?
GDPR applies to any organisation, including profit-making businesses, non-profits, charities and government bodies, that is a controller or processor of data.
The new GDPR legislation affects four key areas:
- Data breach notifications
- Subject access requests (commonly known as a consumer’s ‘right to be forgotten’)
- Increased enforcement actions (fines) – it’ll be very expensive if you don’t comply!
- Express consent
People must give express consent before their data can be processed, and only data that has been given expressly can be used to personalise marketing communications. Businesses can no longer pre-tick a newsletter subscription checkbox on a website; instead, a customer must actively choose to tick that box.
Data Breach Notification
If you do breach one of the rules applied by GDPR, then you must report all breaches to your local data protection authority without undue delay and, where feasible, within 72 hours. It’s your responsibility to inform them of the breach and to provide justification if you fail to comply with that deadline. In the UK, you would inform the Information Commissioner’s Office (ICO).
GDPR sees fines dramatically increase for non-compliance. Remember, you don’t have to be a profit-making organisation to be fined for misusing personal data. Under the DPA, fines tend to vary and are comparatively low; the maximum fine is £500,000. To date, the highest fine given out was £400,000, to Keurboom Communications Ltd for nuisance calls and to TalkTalk for security failings. If TalkTalk has a breach after 25th May 2018, the company will be fined approximately £59 million. That’s a hefty deterrent for any retailer, company or organisation. So, the real question retailers need to be asking themselves is, “Can you afford to get it wrong?”
Subject Access Request
People now have the right to obtain confirmation from an organisation as to what data it is holding, how it got that data, and whether or not their personal data is being processed. The organisation must then provide the purpose of the processing and any details of how the information is being used. Companies will no longer be able to charge for the first request for data, although a reasonable fee for further copies can be charged. Requests must be complied with within 30 days, rather than the 40 days allowed under the DPA.
Another facet of Subject Access Request compliance is the customer’s right to be forgotten. This requires retailers to have a truly joined-up data strategy across all channels, such as marketing, online, in-store and after sales.
After addressing the GDPR changes, the unanswered question is still “What about Brexit?” Although the UK is set to leave the EU now that Article 50 was triggered last March, the legislation will come into effect before the UK leaves the EU – therefore it must be abided by.
What should you be doing now?
If businesses are already complying properly with the current DPA, then that compliance should be used as a solid foundation for change.
Important new elements include:
- Developing and implementing a response plan
- Proving you can access all of your data from multiple channels
- Designating specific roles and responsibilities within your business
- Training employees and preparing a strategy for a quick response to any breaches
GDPR is a forward-looking law that responds to the need to protect personal data as technology continues to advance. The new concepts introduced through this legislation will help to protect us from our data being exploited and misused in the future. Think of it as less of a burden and more of a breakthrough.
While the GDPR changes may seem overwhelming, they are actually an opportunity for retailers to become a truly connected, omni-channel operation. The changes to Subject Access Requests and the right to be forgotten give a real business case for investing in a single view of the customer in your retail operation. Express consent actually provides an opportunity for retailers to ensure that their marketing and personalised communications are fuelled by real customer requests. In reality, doing business in a compliant manner is only good for your business, your customers, and in the end, your bottom line.
Cybertill’s flagship product, RetailStore, is a single cloud-platform solution combining EPoS, ecommerce, mail order, supply chain and head-office software. To find out more, visit www.retailstore.co.uk and www.charitystore.co.uk