The countdown to GDPR: Many UK retailers are not ready yet
On May 25, the new General Data Protection Regulation (GDPR) will replace the previous national data protection regulation within the European Union, thereby changing the rules of the game for every company dealing with personal data. However, studies show that most UK retailers are not prepared for it.
The GDPR is not a directive that each member state transposes into its own law; it is a regulation, a lengthy piece of legislation that applies directly across the EU whenever the personal data of people in the EU is processed. It binds companies established in the EU as well as non-EU companies offering goods and services to people in the EU. Until Britain leaves the EU, it will continue to enforce legislation passed in Brussels, which includes the GDPR, drafted to tackle the privacy and security issues of the 21st century. The Information Commissioner's Office (ICO) has been given the enormous task of informing and guiding UK businesses through the implementation of the GDPR, as well as taking enforcement action against any business that fails to comply in time.
High fines are imminent for those who do not comply with the GDPR
Anyone who assumes that the penalties for non-compliance with the GDPR are modest is mistaken. Fines come in two tiers: up to 10 million euros or two percent of annual global turnover for lesser infringements, and up to 20 million euros or four percent of annual global turnover for the most serious ones, in each case whichever amount is higher. This means that even online fashion giants such as Asos, Net-A-Porter or Farfetch may stand to receive eye-watering penalties for regulatory lapses. In turn, this presents another problem for the ICO, because the UK retail industry, one of the sectors to be hit hardest by the GDPR due to the amount of customer data it processes, was found to be among the least prepared for it.
Research from data specialist W8Data found that nearly a third of retailers (29 percent) feel unprepared for the GDPR, or are not even aware of it. With the deadline looming, this is a startling figure. What's more, data from Sia Partners shows that 71 percent of UK retailers are struggling to meet the strict terms of the GDPR, due to the complexity of modern IT services and the huge amount of data that needs to be handled. Only 38 percent of UK retailers say they are able to locate all of an individual's personal data quickly, even though the regulation gives individuals the right to obtain a copy of their data, generally within one month of asking; that puts fashion retailers at the highest risk of being fined. On the flipside, the W8Data study also found that the overall perception of the GDPR in the UK has changed over the past six months from predominantly negative to predominantly positive, with a growing number of data controllers stating that compliance is not the beast they expected.
Nevertheless, experts remain convinced that fines will be imposed on those who fail to comply. It is not just public authorities like the ICO that will monitor the implementation of the GDPR: competitors and private individuals may also file complaints about non-compliance. Although it is within the ICO's legal power to fine UK retailers, realistically it is unlikely to have the manpower, or to consider it in its interest, to fine thousands of retailers for non-compliance. On the other hand, failing to take any action would undermine the entire legislation and give UK retailers the idea that it is nothing to worry about. There are approximately 200,000 registered retailers in the UK, so on W8Data's figure of 29 percent close to 60,000 retailers may stand to receive a hefty fine from the ICO, an undertaking that would require a task force of lawyers and IT specialists. At the moment one of the biggest obstacles to the widespread implementation of the GDPR is the significant shortage of experts with the relevant skills.
The most important changes UK retailers need to make for GDPR
UK retailers keen to avoid a fine are likely to be investing in updating their data policies. For example, certain conditions must be met in order to store and process personal data once the GDPR applies. CRM databases need to be updated to ensure that customers have renewed their consent to receive newsletters or other relevant offers by email. In practice this consent is confirmed through the so-called "double opt-in" procedure, in which the person clicks a link sent to the address they entered; the GDPR does not prescribe that mechanism by name, but it does require the retailer to be able to demonstrate that consent was given, and double opt-in is the standard way of producing that evidence. The online form must tell the person for what purpose their data will be processed, who is responsible for that processing, and that they have the right to withdraw their consent at any time. The person must actively agree: a checkbox that is already ticked does not count. Processes must also be defined for the email addresses of people who have not yet consented.
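The consent procedure just described, written out as a small consent ledger with a double opt-in step. This is an added illustration, not code from the article or from any retailer mentioned in it; the class and method names, the 48-hour confirmation window, the HMAC secret and the email addresses are all assumptions chosen for the example. The record stores what an auditor would later ask for (who consented, to what purpose, to which controller, under which form wording, and when it was confirmed or withdrawn), rejects a submission whose checkbox was not actively ticked, and only ever keeps a keyed hash of the confirmation token so a leaked database cannot be used to forge confirmations.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed illustrative values: a real deployment loads the secret from a
# secrets manager and picks the window to match its own policy.
SERVER_SECRET = b"example-only-not-a-real-secret"
CONFIRMATION_TTL = timedelta(hours=48)   # unconfirmed sign-ups lapse after this


@dataclass
class ConsentRecord:
    """What the retailer must be able to show later: who, for what, given to whom, and when."""
    email: str
    purpose: str              # e.g. "newsletter"
    controller: str           # the entity named on the form as responsible for the processing
    form_version: str         # identifies the exact wording (purpose, withdrawal notice) shown
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None
    token_hash: Optional[str] = None   # keyed hash of the emailed token; the token is never stored

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    """In-memory consent ledger with a double opt-in confirmation step (illustrative, not production code)."""

    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._records: Dict[str, ConsentRecord] = {}
        # Injectable clock so the expiry rule can be exercised deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _key(email: str, purpose: str) -> str:
        return f"{email.strip().lower()}:{purpose}"

    @staticmethod
    def _hash(token: str) -> str:
        return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str, controller: str,
                form_version: str, checkbox_ticked: bool) -> str:
        """Step 1, the sign-up form. Returns the single-use token to put in the confirmation email."""
        if not checkbox_ticked:
            # Consent must be an affirmative act: a pre-ticked box or silence is not consent.
            raise ValueError("no affirmative consent given")
        token = secrets.token_urlsafe(32)
        self._records[self._key(email, purpose)] = ConsentRecord(
            email=email, purpose=purpose, controller=controller,
            form_version=form_version, requested_at=self._now(),
            token_hash=self._hash(token))
        return token

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        """Step 2, the link in the email. Succeeds once, and only for a fresh, unconfirmed request."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None or rec.token_hash is None or rec.confirmed_at is not None:
            return False
        if self._now() - rec.requested_at > CONFIRMATION_TTL:
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.confirmed_at = self._now()
        rec.token_hash = None   # single use: a replayed link does nothing
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        """Withdrawal must be as easy as consenting; the record is kept, not deleted, as evidence."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = self._now()
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        """The check every mailing job runs: only confirmed and not-withdrawn consent counts."""
        rec = self._records.get(self._key(email, purpose))
        return rec is not None and rec.active

    def record(self, email: str, purpose: str) -> Optional[ConsentRecord]:
        """Lookup used when answering a subject access request or an auditor."""
        return self._records.get(self._key(email, purpose))
```

The mailing job never consults the sign-up form or the CRM flag directly; it calls `may_process`, so an address that was collected but never confirmed, or whose consent was later withdrawn, is excluded by construction rather than by a manual list clean-up.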
Service providers such as IT agencies that process data on a retailer's behalf carry obligations of their own under the GDPR and are liable to be fined as well. UK retailers must therefore make sure every service provider is covered by the procedures governing the processing of data. Individuals also gain a right to erasure (the "right to be forgotten") and a right to have inaccurate data corrected, and the provision of information about their data is regulated. UK retailers will need to tell customers the purposes for which their personal information is collected, and many businesses will have to appoint a data protection officer. In addition, international retailers that redirect customers from one country site to another, such as H&M, Zara and Mango, will need to review their interstitial messages and update all types of newsletters, as well as social media campaigns and contests, to meet the GDPR's requirements.
One of the biggest challenges UK retailers will face is GDPR-compliant profiling. For example, an existing customer profile held by a retailer may only be enriched without notifying the person concerned if the enrichment serves statistical purposes and notification would significantly jeopardise the business purposes of the responsible entity; even then, the exception does not apply when the person's interest in being notified outweighs that risk. In short, the rules for enriching customer profiles without informing those affected have been tightened, and in case of doubt the affected customers should be informed immediately. If a personal data breach is detected, the ICO must be notified within 72 hours, and where the breach is likely to result in a high risk to the people concerned, they must be notified without undue delay as well.
Homepage photo: FashionUnited. Photos 1 & 2: via Pexels.