What You Need to Know About The General Data Protection Regulation

The General Data Protection Regulation, or the GDPR, is the European Union’s new regulation on data and cyber-security that will become law in the EU on May 25, 2018. It’s designed to legally strengthen data protection for everyone living in the European Union, and create a single data protection regime for businesses and consumers to rely on.

The GDPR will apply to anyone doing business in the EU that handles personal data, it doesn’t matter whether you’re based in the EU or not. If your company processes, stores or transmits personal data belonging to EU residents, you’ll have to comply as well as show evidence you want to comply.

The GDPR Advisory Board answered questions about training your workforce with the latest legal requirements, working to manage your data in a compliant way, and other ways to become legally compliant before the May 2018 deadline.

Q: What kind of information does the GDPR apply to?
The use and storage of personal data. Loyalty cards, purchasing information, e-shots and any personal data that you hold for your customers will all need to be handled in a GDPR compliant way. Currently, when you collect data, you have to provide individuals with certain information, such as your identity and how you plan to use their data. This is usually done via a privacy notice. 

Under the GDPR you will have to also outline your “lawful basis” for processing the data, detail your data retention periods and explain that the participating individual has certain rights. Such as ‘the right to be forgotten’ or, as is a concern for some major retailers ‘the right to data portability’.

Q: What are the penalties for non-compliance?
The penalties for failing to comply with GDPR will be severe: maximum fines of up to 4 percent of worldwide annual turnover or $23,500,000 (€20m), whichever figure is greater. As well as the financial implications, the detrimental PR a public penalty can bring in the already competitive retail sector could be huge.
Q: How does the GDPR affect policy surrounding data breaches?
Data breaches are going to happen, and the regulators know it. What matters is how well you respond; and the GDPR demands that breaches are reported within 72 hours. With this in mind, having a crisis plan in place to deal with data breaches is essential, as is testing it.

Q: What rights will individuals have under GDPR?
Rights for the consumer increase considerably under GDPR — retailers will need to be responsive and avoid dodgy small print. 

Article 12 of the GDPR says that you must communicate with individuals about their data and the way you process it “in a concise, transparent, intelligible and easily accessible form, using clear and plain language… in writing, or by other means, including, where appropriate, by electronic means.” 

You also need to respond to consumers who want to invoke their right to be forgotten within one month of the request.

Q: Explain the GDPR Advisory Board and the role it plays within the retail industry?
Industry leaders and academics have joined together to create The GDPR Advisory Board an easily-accessible, authoritative platform for organisations, including retailers, baffled by the implications of the forthcoming GDPR to access. Expert advice from the new ‘GDPR Advisory Board’ is available through a non-commercial website, www.gdpr-board.co.uk, where users can contact the GDPR Advisory Board with questions via a Q&A portal or by emailing info@gdpr-board.co.uk.

Professor David Stupples provides data protection advice for the UK government as well as lecturing at Cambridge University. Alfred Rolington was formerly CEO at Jane’s Information Group and is an expert in cyber-security, presenting at Oxford University from time to time. Piers Clayden is the Founder of IT and Data Security legal firm, Clayden Law whilst Nick Richards heads up the GDPR e-learning provider Me Learning.

Training provision is recommended by visiting www.melearning.co.uk/gdpr which provides cost-effective GDPR e-learning solutions written by legal experts. Legal advice can be sought by GDPR legal specialist Clayden Law. 

Q: What do retailers need to understand about GDPR and its implications on the business?
Piers Clayden, Founder of Clayden Law and legal expert for the GDPR Advisory Board comments: “GDPR is primarily about bolstering the rights of individuals (which in a retail environment means the consumer) to give them more control over how organisations use their personal data. 

It is clear that the direction of travel for the UK’s regulator will be very much focused on the B2C arena when it comes to enforcement. From the retailers’ point of view, where they are going to have to really change their mind set is around (a) being totally transparent with consumers over how they plan to use their personal data; and (b) moving away from a tick box environment to one where privacy is at the heart of what they do (and being able to demonstrate that this is the case). 

Those retailers who are successful in doing this should bolster their reputations and build consumer trust and loyalty. For those that fail to do so, the consequences are potentially severe, not just in the form of regulatory fines, but also damages claims, from individuals and loss of reputation.”

Alfred Rolington, also a member of the GDPR Advisory Board and former CEO of Jane’s Information Group adds, “At a basic level, GDPR means that the retail businesses will, like other organisations, need to be transparent concerning what client and personal data they are holding and where.

If this is not clearly done non-compliance could result in very large fines, $23,500,000 (€20million) or 4 percent of their worldwide turnover (whichever is the larger amount). Specifically, for retailers, there are other very crucial elements at risk.

There is a large PR problem for retailers when a brand that fails to comply with GDPR as it will probably be publically reported and the effect on its business could be devastating as trust in brands is crucial for the retail arena and it could bring down household brands.”

Q: How should retail organisations plan ahead for the introduction of the GDPR and understand their obligations under the new regulations?
Expert Alfred Rolington continues, “Over the next few weeks, retailers should focus on understanding their data, where it is stored and how and how much are they storing and who is managing this data.

Retail data, because of the way retailers operate is often held on a series of databases and a significant issue for many retailers will be that data is often held on multiple databases. These databases should be reviewed and analysed for content and security.

Retailers who are operating shops, stores or online sales cross-border should already be complying with the rules on international data transfers which remain similar under GDPR. However, some recent changes to the EU approved Model Clauses and the EU-US Privacy Shield and challenges means retailers will need to monitor these connections especially as the UK leaves the EU.

Overall an IT audit should take place and the senior management and directors should understand the compliant issues arising has been completed, businesses should develop a plan to ensure their operations are compliant and a Data Protection Officer must be appointed.

All staff and management who review and use customer data should be trained on GDPR and what the changes and security means for the business and customers. This applies across the company and cannot be left to IT and the legal management.”

For further information and to field questions on the forthcoming GDPR please visit www.gdpr-board.co.uk or alternatively email directly at info@gdpr-board.co.uk.

Retail Operations Insights

You Might Also Read:

The GDPR Advisory Board Offers Expert Advice:

Directors Who Conceal Cyber Attacks Could Face Prison:
 

« Russian Hackers Trying To Infiltrate US Senate
AI Powers VW’s New Electric Microbus »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Repository of Industrial Security Incidents (RISI)

Repository of Industrial Security Incidents (RISI)

RISI is a database of cyber security incidents that have (or could have) affected process control, industrial automation or SCADA systems.

Focal Point Data Risk

Focal Point Data Risk

Focal Point is a pure-play data risk management provider capable of offering end-to-end consulting, implementation, and training services.

Malomatia

Malomatia

Malomatia is a leading provider of technology services and solutions in Qatar including information security.

Sabasai

Sabasai

Sabasai specialises in all aspects of insider threat management from training and education to building security frameworks and insider threat programs to on-site risk & vulnerability assessments.

Maximus Consulting (MX)

Maximus Consulting (MX)

Maximus designs and delivers corporate-wide information security management system with our full-time IRCA Accredited consulting team.

Trustless Computing Association (TCA)

Trustless Computing Association (TCA)

TCA is is a non-profit organization promoting the creation and wide availability of IT and AI technologies that are radically more secure and accountable than today’s state of the art.

Cylus

Cylus

Cylus, a global leader in rail cybersecurity, helps rail and metro companies avoid safety incidents and service disruptions caused by cyber-attacks.

GrrCON

GrrCON

GrrCON is an information security and hacking conference that provides the Midwest InfoSec community with a fun atmosphere to come together and engage with like minded people.

Rizikon Assurance

Rizikon Assurance

Rizikon Assurance is an Online System that improves Third-Party Assurance and Risk Management, through efficiency, automation and better visibility.

Founder Shield

Founder Shield

Founder Shield is a data driven insurance brokerage focused excusively on rapidly evolving high-growth companies.

INE

INE

INE is a premier provider of Technical Training for the IT industry.

Nucleon Security

Nucleon Security

Nucleon Endpoint Detection and Response EDR is the most effective way to protect the value created by your organization against any threat.

Amidas Hong Kong

Amidas Hong Kong

Amidas is your trusted companion on the road to Digital Transformation. We provide a full range of Information Technology Solutions and Professional Services to Enterprise customers.

Quantropi

Quantropi

Quantropi is bound to be the standard for quantum-secure data communications – forever unbreakable, no matter what.

Blackpanda

Blackpanda

Blackpanda is Asia’s premier cyber security incident response group, hyper-focused on digital forensics and cyber crisis response.

Nukke

Nukke

Nukke offers advanced cybersecurity software and tailored solutions for your business.