GDPR – the facts and what it means for the retail sector

We all know by now that, on 25 May 2018, the General Data Protection Regulation (GDPR) came into effect. With all the noise, however, it’s possible that the key facts haven’t been heard clearly, especially by those in smaller businesses where there isn’t always a defined person to take the lead for IT.

So, what are the key facts?

The GDPR is not an IT issue

Rather, it is a business issue: organisations in every sector collect, access and use personal data for many purposes – hiring, marketing, sales, customer service and so on. There has been a growing emphasis on taking a systematic approach to managing data, which can help organisations make decisions on the basis of accurate, meaningful data, as well as for improving how they personalise communications to customers (and potential customers). Despite the benefits of good data management, it was widely acknowledged that many organisations would not be GDPR-compliant on 25 May.

There are many opportunities within retail, leisure and hospitality for tailored offers and promotions to improve business. However, these opportunities rely on personal data, so it is essential that organisations start their compliance journeys now, if they haven’t already done so.


GDPR compliance is not a choice 

Any and all UK organisations that handle personal data (e.g. name, address, email address) must comply with the GDPR. It doesn’t matter if your organisation is a commercial business, charity or public authority – you must comply. The size of the organisation is also irrelevant – the same rules apply from independents to multiples, franchises to global giants, and everything in between.

The GDPR will continue to apply in the UK even after Brexit. Regardless of what our future relationship with the EU looks like, the entirety of the GDPR has already been passed into UK law through the Data Protection Act 2018 (DPA).  This means that the UK is committed to meeting the standards expected of every other organisation across the EU.

Looking more broadly, it is worth emphasising that the GDPR applies to all EU organisations that collect, store or process the personal data of individuals living within the EU – even if they’re not EU citizens. Furthermore, organisations based outside the EU that sell goods or services to EU residents, monitor their behaviour or process their personal data will also be subject to the GDPR. That is why, immediately after 25 May, some US websites blocked EU traffic – there was uncertainty about the systems, processes, cookie notifications and privacy policies, and some decided to block EU traffic rather than risk non-compliance.


But what does compliance look like?

There are six data processing principles against which personal data must be processed:

  1. Data must be processed lawfully, fairly and transparently.
  2. Data must be collected only for specific, legitimate purposes.
  3. Data must be adequate, relevant and limited to what is necessary.
  4. Data must be accurate and kept up to date.
  5. It must be stored only for as long as is necessary.
  6. You must ensure appropriate security, integrity and confidentiality.

Organisations should also be “responsible for and able to demonstrate compliance with” the above principles, which introduces accountability for organisations and data protection.

There is a lot of detailed information about what this all means on our site, but, in short, businesses must clearly explain what data they are collecting, why and how it will be used, and they must have a lawful reason for doing it. Their systems and processes must also be sufficiently robust to securely store and manage the data.

For those in the retail, leisure and hospitality sectors, this has implications for loyalty schemes, as well as for communicating offers, events and promotions.

For those working in the leisure and beauty sectors, there are even greater considerations around ‘special categories of personal data’ (also called ‘sensitive data’) as businesses in this sector will often need health information, such as allergy information or relevant medical histories.

If you’re not sure where to start with this, we can help you in a variety of ways, with options to suit every budget. A good starting point is our key steps to GDPR compliance page.


So, how can compliance be enforced? 

Some have asked how the Information Commissioner’s Office (ICO) will enforce GDPR compliance. There are two main ways the ICO will hunt down non-compliance: responding to customer reports of data mismanagement, and investigating reported data breaches. Organisations that have prepared for the GDPR can be more confident that the first of these won’t be a problem, but unprepared organisations can certainly be caught out. With the ICO doing good work to make sure people understand their rights around data protection, businesses in every sector should be doing whatever they can to make sure they don’t fall foul of their customers.


What do you need to do?

Hopefully, you have already started your GDPR journey and are feeling confident. However, if you aren’t as prepared as you need to be, visit our key steps to GDPR compliance page to see what you need to do. If you’d value a conversation, call the team on +44 (0)333 800 7000 or email our retail sector team for expert advice suited to your business.