GDPR is here: 3 things retailers should have in place

May 21, 2018

With GDPR having come into force on Friday 25 May, Yoyo’s compliance and data protection officer, Katarina Hartikainen, reveals the three key things all retailers should now have in place…

GDPR is here: 3 things retailers definitely need to have ready before Friday

1. Have you gained consent?

Royal Mail was recently fined £12,000 for sending over 300,000 nuisance emails to their customers, who had previously opted out of receiving direct marketing material. The company sent out emails outlining the price drop for parcels without their customers’ consent. The ICO investigated after receiving a complaint from a member of the public and concluded that Royal Mail was indeed breaking the law.

It is not only important to ask your customers to consent to receiving marketing material; they should also be given an easy option to opt out of receiving it at any point in time should they wish to do so.

In the case of Royal Mail, customers had been given a chance to opt out, but the postal service’s backend system had not been set up correctly and customer data had not been removed from mailing lists – resulting in Royal Mail breaking the law and being fined accordingly.

What can retailers learn from this case? Make sure your opt-in / opt-out options have been tested internally to ensure your system works as designed.

2. Is your customers’ data secure?

A key principle of GDPR is that personal data is processed securely by means of ‘appropriate technical and organisational measures’. This means that you must have appropriate security in place to prevent personal data you hold from being compromised.

Here are some examples of the harm caused by the loss or abuse of personal data you might face as a retailer:

  • Identity fraud
  • Fake credit card transactions
  • Targeting of individuals by fraudsters (potentially made more convincing by compromised personal data)

GDPR does not define the security measures you should have in place, which may be causing confusion. This means you need to take a risk-based approach – you should carry out an assessment investigating what data is ‘appropriate’ to hold based on the size and type of your business.

Example: A bank or hospital will need to put in place more rigorous protection than a local restaurant that offers a customer loyalty scheme.  

As well as undertaking an information risk assessment, your business will also need to take other measures – you should be aiming to build a general culture of security awareness within your company.

Further help can be found from the National Cyber Security Centre, which outlines the following technical control themes:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

Here are some of the measures your business could be putting in place when considering physical security:

  • Any documents containing personal information should be shredded when these are no longer needed
  • Create a clean desk policy for all staff
  • Keep laptops and mobile devices secure
  • Forms filled in during a loyalty registration process should be locked away in cabinets
  • Make sure there is appropriate supervision of visitors at your premises
  • Ensure doors and windows are secure and lockable

The Information Commissioner’s Office also recommends encryption or pseudonymisation of personal data.

3. Are you GDPR ready for subject access requests?

Every person has the right to file a ‘subject access request’ with your company, meaning they can ask you for a copy of all the information you hold on them. At present organisations can charge £10 to provide the report. However, after 25th May this fee must be removed.

Until now, most people have not wished to pay the £10 fee, which is why companies have had few subject access requests.

Going forward, there will be nothing to stop users asking you to provide a copy of their information currently held on your records, meaning an increase in such requests should be expected.

Do you have a plan in place to process a potential influx of subject access requests? Preparing a good template should give you a head start, especially since you only have 30 days to respond to the request.

When creating your template, think about and interrogate your internal and external databases that hold customer information – and don’t forget to add a line explaining to the customer that they have the right to complain to the Information Commissioner’s Office if they believe the information they have received is not satisfactory.

A strong additional step would be to ask the customer if there is any particular information they are interested in. Perhaps they only want to see the number of loyalty points they have built up or the payments they have made over the past 12 months – knowing this sort of thing will make your life a lot easier.

Knowing what data your customer wants to see, and why, should reduce the workload for you and your team as well as increase the likelihood of the user being satisfied with the information they receive in the report.

To find out some more information about how GDPR will affect retailers and their loyalty schemes, read my more detailed blog post here.