How should retailers be preparing for the GDPR?

With just over six months to go until the General Data Protection Regulation is implemented, we’re sure you’ll agree that it’s getting a bit too close for comfort! And at this stage, no one can really afford to be putting off preparations any longer.

Luckily, there is time for change, so don’t start panicking just yet! To help you along the road to compliance, we’ve collated the three key impact areas that retailers need to consider:

1. ConsentDeceptive tick-boxes and misleading T&Cs will no longer cut it under the new regulations. Whether you’re collecting customer information in-store or online, you’ll need to ensure that you are clear about how long you intend to hold this data for and how you will specifically be using it. Keeping a record of this is essential, as proving consent will be required by the Information Commissioner’s Office in the event of a complaint.

   Consent from the data subject is only valid if it is freely given, specific, informed and unambiguous. It must show that they agree to their personal information being captured and processed, and can be withdrawn at any time without penalty. This doesn’t mean you need a full written contract every time someone signs up to receive your newsletters though, don’t worry – as long as they’re clear on what they’re signing up for and how they can opt-out, tick-boxes do still count.

   In line with the withdrawal of consent is the right to be forgotten. At any point, unless required by a contract, a customer can request that their personal data is erased from all company systems. So you need to ensure that you have processes in place – not to mention the capacity, if you receive multiple requests – to fulfil these demands.

2. AutomationWhen it comes to the GDPR, technology is both a help and a hindrance. In terms of efficiency and the ability to sort through copious amounts of data, it can make administration far more straightforward. Plus, when it comes to opting in or out of targeted communications – email marketing, for example – most platforms take care of unsubscribing individuals from the list, so you don’t have to.

   However, when it comes to automated processes, things get a little trickier. Every time data is used or tracked by an algorithm, this counts as processing. And under the GDPR, you must document every single procedure personal data goes through. So, within your current and future marketing campaigns, you’ll need to be able to pull apart the automation trail and show precisely how each customer’s record is being processed.

3. SecurityPrivacy and data security are at the hub of the new regulations. The principles are designed around protecting personal information – which is anything that could be used to identify an individual – including name, address, email, phone number, username and even genetic and biometric data.
   Worryingly, recent research revealed that retailers are facing an average of two cyber-attacks per week. And, if such a high instance of potential data breaches continues once the GDPR comes into full force, the effects on the sector could be devastating.

   You’ll need to ensure that your systems and data processes are safeguarded effectively, to prevent any accidental loss, destruction, amendment or disclosure of personal data that counts as a breach. Being able to prove that adequate measures have been taken is absolutely essential, so ensure that you record all your efforts.

Transparency is key to compliance, so as long as you’re open about how you intend to use customer data and can trace all instances where you process it, you’re already on the right track!

If you’re looking for more advice about how to prepare for the GDPR, we’re here to help! We provide compliance support to businesses across all sectors, and offer a tailored workshop for retailers to learn about how to get ready for the new legislation. Get in touch to find out more!