From loyalty cards to home deliveries and CCTV, the retail sector uses the personal data of its customers on a daily basis. Alison Bryce, a partner at Dentons, looks at how the European Union’s sweeping new data protection laws will affect Scotland’s retailers
What is the GDPR and how does it affect retailers?
The General Data Protection Regulation (GDPR) comes into force on 25 May and will apply to any business that handles personal data. While access to this personal data is vital in enhancing the shopping experience, the new regulation places a greater responsibility on retailers when using data.
There are a number of lawful bases for processing personal data under GDPR, consent being one of them. Consent must be clearly and actively given by the customer, who must be informed as to how their data is being used. This is likely to change how retailers interact with customers. For example, consent boxes should no longer be pre-checked or bundled with other legal terms.
The way that retailers deal with their loyalty schemes will be impacted, with tailored marketing campaigns requiring express consent. Operators of CCTV will also be impacted, as they will be legally obliged to undertake specific risk assessments of their procedures to help identify and minimise data risks.
What information can retailers hold?
Customer information held must have been collected for a specific purpose and the data must be adequate, relevant and necessary for this purpose. For example, the colour of a customer’s eyes would not be necessary or relevant for the purposes of delivering their groceries.
In what format should the data be held and for how long?
All data must be kept in a secure manner, and although there are no specific retention periods, personal data should not be held for longer than is necessary to achieve the purposes for which it was collected. For example, it would not be necessary to retain CCTV records for a year in order to monitor recent shop activity.
Do delivery addresses and emails for receipts fall under the GDPR?
Yes. Delivery providers process data on behalf of the retailer, and there are standard terms that must be included in contracts between retailers and data processors. These contracts should be reviewed to ensure compliance with GDPR.
If a customer provides an email address in order to receive an e-receipt, this email address must be used solely for that purpose and cannot be used for other purposes (e.g. marketing) unless the customer explicitly consents.
What happens in the event of a data breach?
If a retailer becomes aware of a data breach, it must notify the regulator within 72 hours of becoming aware of it.
The penalties for noncompliance are strict and can result in fines of up to €20,000,000 or 4% of global turnover, whichever is higher.
How can risks be mitigated?
Retailers must be able to demonstrate compliance. Keeping detailed written records on aspects such as the location of data, third-party contracts and consents obtained is a good way to do this. Breach prevention will also be important in managing risk. A robust data breach policy can help to minimise reputational damage and financial losses in the event of a breach.
Retailers should review current consent procedures. Consent obtained pre-GDPR may have to be re-obtained if it does not fulfil the new requirements. Similarly, all third-party contracts involving data should be reviewed. It is likely that additional contracts will need to be drafted for third-party processors.
The Regulation also gives wider rights to customers (including the right to be forgotten and the right to rectify) and retailers will need to ensure that there are procedures in place so that customers can easily exercise these rights.
Do you have a business, property or legal question or issue that you would like to know more about?
Contact Scottish Grocer and we’ll put it to an expert. Call Matthew Lynas on 0141 567 6074 or email email@example.com.