What Is GDPR, and How Does It Affect Retailers?
A major regulation went into effect this year to govern how organizations that do business in the European Union handle data. Here's what you need to know.
- by Mike Chapple
The global face of privacy regulation changed in May 2018 with the European Union’s implementation of the General Data Protection Regulation (GDPR). This sweeping regulation governs the privacy of personal information belonging to EU residents and applies to that information worldwide, not just within the boundaries of the EU.
The regulation sets specific requirements for how organizations, including retailers, handle personal information and imposes some daunting penalties for those that fail to comply. Retailers that haven’t already established a robust compliance program should plan to revise their business practices and implement appropriate controls.
What Does GDPR Require?
GDPR requires that organizations incorporate data protection and privacy controls in all of their activities. Article 25 of GDPR summarizes the philosophy behind GDPR when it calls for “data protection by design and by default.” While organizations may take cost and other contextual information into account, the bottom line is that they must implement technical and administrative controls that are designed to protect the privacy of personal information.
Organizations subject to GDPR may not process personal information unless they have an explicit lawful basis for doing so under one of the following six provisions:
- The data subject has provided explicit consent to the processing for a specific purpose.
- The processing is necessary to comply with a contract agreed to by the data subject or as part of entering into a contract at the request of the data subject.
- The processing is necessary to comply with a legal obligation of the processor.
- The processing is necessary to protect the vital interests of the data subject or another person.
- The processing is necessary for carrying out tasks in the public interest or in the exercise of official authority vested in the processor.
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests conflict with the interests, rights or freedoms of the data subject.
Many organizations choose to undertake data processing by exercising the first of these provisions: informed consent. It is important to note that this must be explicit consent, where the data subject affirmatively opted in to a specific use of data. Organizations cannot comply with GDPR while using opt-out approaches or asking subjects to agree to sweeping statements about data processing. GDPR also requires that organizations provide a process for individuals to revoke consent that they’ve already granted, access their own personal information and demand that organizations erase stored information, with some exceptions. This last provision is commonly known as the “right to be forgotten.”
Penalties for Noncompliance
The potential fines for organizations that fail to comply with GDPR can be quite steep and are the cause of significant concern for organizations of all sizes. The fines are progressive in nature, designed to have a substantial impact on any organization, regardless of its size.
Regulators have wide discretion when assigning penalties under GDPR, and have several important tools at their disposal. For minor, first-time offenses, they may opt to simply warn a business that its practices are out of compliance and that the business must remediate the situation to avoid facing penalties. They may also prescribe compliance audits on a one-time or recurring basis. The major sanctions of GDPR are its financial penalties, which are capped at €20 million (roughly $23 million U.S.) or up to 4 percent of a company’s total revenue, depending on the nature of the offense.
Regulatory agencies in each EU nation are outlining their enforcement priorities under the new regulation. For example, the French data protection authority acknowledged the difficulty of total compliance and said that it will take that into account in its enforcement actions. Dutch authorities have stated that fines will be imposed only when something is very wrong. The general opinion among compliance professionals is that retailers and other businesses that demonstrate good faith efforts at working toward compliance will likely avoid the most severe sanctions under GDPR, at least for the next year or two.
GDPR for Retailers
In addition to the obvious implications for information they store and collect themselves, retailers also face potential changes in their relationships with partners. For example, many retailers proactively collect a customer’s location, activity, payment type, time of purchase and other protected information. Under co-marketing arrangements, they may currently share this information with vendors or even sell it to marketing firms. Those arrangements now fit squarely inside the scope of GDPR and may not continue without obtaining explicit customer consent.
Retailers should also remember that GDPR applies to information collected both offline and online, and that they might collect information in unexpected places. For example, a retailer’s transaction database will clearly contain personal information from electronic commerce and in-store purchases. Web servers, however, may also store logs that contain GDPR-protected data elements, such as IP addresses, page view histories and geolocation data. Retailers must carefully and thoroughly assess all of their data-collection practices, including those that might be inadvertent.
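As an added illustration of the log assessment described above (example code written for this article, not from CDW or any retailer), the script below inventories the GDPR-relevant elements named in the text on constructed Apache "combined" access-log lines and produces a pseudonymized copy. The log lines, the salt value and the list of geolocation parameter names are assumptions made for the example.

```python
import hashlib
import ipaddress
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LINES = [
    '203.0.113.45 - - [12/Jun/2018:10:02:11 +0000] "GET /store/locator?lat=48.8566&lon=2.3522 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8::1 - alice [12/Jun/2018:10:03:30 +0000] "GET /product/1234 HTTP/1.1" 200 887 "https://shop.example/search?q=shoes" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jun/2018:10:04:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
SALT = "placeholder-secret-kept-outside-the-log-pipeline"  # assumed value

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
GEO_KEYS = {"lat", "lon", "lng", "latitude", "longitude"}  # assumed parameter names

def inventory(line):
    """Name the GDPR-relevant elements carried by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    found = {"ip_address"}            # the client IP is on every line
    if m["user"] != "-":
        found.add("user_identifier")  # authenticated user name
    if m["path"] != "-":
        found.add("page_view")        # per-visitor browsing history
    if GEO_KEYS & set(parse_qs(urlparse(m["path"]).query)):
        found.add("geolocation")      # coordinates passed as query parameters
    return found

def pseudonymize(line, salt=SALT):
    """Rewrite a line so it no longer singles out a visitor: keep only the
    /24 (IPv4) or /48 (IPv6) network prefix, replace the user name with a
    salted hash and drop geolocation query parameters. The referer is kept
    unchanged here; treat it the same way if it carries such parameters."""
    m = LOG_RE.match(line)
    if not m:
        return line
    ip = ipaddress.ip_address(m["ip"])
    masked = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False).network_address
    user = m["user"]
    if user != "-":
        user = hashlib.sha256((salt + user).encode()).hexdigest()[:12]
    url = urlparse(m["path"])
    kept = [(k, v) for k, vs in parse_qs(url.query).items() if k not in GEO_KEYS for v in vs]
    path = url.path + (f"?{urlencode(kept)}" if kept else "")
    return (f'{masked} - {user} [{m["ts"]}] "{m["method"]} {path} {m["proto"]}" '
            f'{m["status"]} {m["size"]} "{m["ref"]}" "{m["ua"]}"')

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(sorted(inventory(line)), "->", pseudonymize(line))
```

Prefix masking and salted hashing reduce, but do not eliminate, the ability to single out a visitor, so the retained log still needs a documented lawful basis and retention period.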
To learn how your retail organization can handle the challenges of GDPR, read the CDW white paper “How Retailers Can Deal with the New Reality of GDPR.”