The use of personal data in retail cannot be underestimated: it has become a valuable asset and can significantly contribute to a brand’s success, depending on the way it is used. As a result, many retailers are probably already feeling the burden of the GDPR (General Data Protection Regulation), a new EU law coming into force in May next year that will revamp the way the collection and use of personal data is regulated. The GDPR will be come into force in the UK regardless of Brexit and will affect organisations of all shapes and sizes across the globe that process EU personal data.
From the date the final text was released last year, the majority of press and commentary on the GDPR has been scaremongering to say the least, much of it focusing on the substantial increase in the cost of non-compliance: the greater of up to 4% of global annual turnover or €20 million.
The reality is not as stark as many commentators would suggest and the regulation may even present significant opportunities for those retailers willing, and able, to seize them.
The Good
Simplification – organisations will no longer be required to register with a data protection authority in each member state in which they are established, a formality that has become not much more than that. Instead, they will only have to interact with the data protection authority in the member state they select as their main establishment.
Consistency – through its very nature of being a regulation (i.e. directly applicable in all member states) instead of a directive (i.e. member states have flexibility when incorporating the law into their own national laws), the plan is that the principles underpinning the GDPR will be applied and enforced consistently throughout the EU.
The not so bad
Harmonisation – given that the EU consists of 28 member states (ignoring Brexit for now), the idea of harmonisation across them all is clearly attractive. In addition, the level of standardisation that the GDPR is intended to provide will, in theory, allow organisations to follow one set of rules no matter where they are. That said, in practice there may be still quite a few “local differences”, such as processing in the context of employment, which will still be regulated at individual member state level, either by local law and/or collective bargaining agreements.
Cross-Border Data Transfers – the implications of the GDPR on cross border transfers are broadly good. Firstly, binding corporate rules and codes of conduct are finally expressly confirmed as valid methods of legitimising otherwise invalid transfers of personal data outside the EEA (European Economic Area). There is also the availability of legitimate interests as a basis for smaller, ad hoc data transfers.
The opportunities
Clean house – the GDPR will require a wholesale review of data handling and processing procedures. This presents a great opportunity to review and map data flows - and restructure or reorganise them not only for compliance, but also for business efficiency.
Clarification- the GDPR has gone some way to clarifying certain key concepts such as anonymisation and pseudonymisation. The regulation confirms that the principles of data protection do not apply to anonymous information (i.e. information that does not relate to an identified or identifiable natural person or to personal data that does not identify an individual). Pseudonymisation (which means processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information - such as a code or a token) is encouraged by the GDPR and categorised as an “appropriate safeguard” (along with encryption) for processing personal data.
Innovation – for companies willing to think outside the box, new(ish) concepts such as privacy by design, profiling and data portability present the opportunity not only to innovate, but also to build customer trust. Further, organisations capable of taking advantage of pseudonymisation, encryption or even better, anonymising personal data will be able to reduce their risk of non-compliance. As well as its people, data is often now the most valuable asset that a company holds; the GDPR recognises this and is attempting to bring the law up to date with the real world as far as possible.
So, in a nutshell, the benefits of the GDPR are multiple for retailers. Yes, the penalties have ratcheted up to a far higher level but companies that “get their house in order” and comply won’t be affected by them. Nevertheless, there is no room for complacency; May 2018 is not far away and there will be considerable work to be done within many organisations.
Written by: Sarah Pearce and Ann Bevitt, partners, and Jane Elphick, associate, at law firm Cooley LLP