With seven months to go until the General Data Protection Regulation comes into effect, retailers are starting to make preparations for an information sea change
Data is critical for fashion retailers and brands, enabling them to connect the offline and online shopping experiences, and stay ahead of the competition by tailoring their offer to their customers. However, the way companies collect and store this data is set to change.
On 25 May 2018, new European Union legislation in the form of the General Data Protection Regulation (GDPR) will bring about an overhaul of current data protection regulation in the UK. GDPR requires more transparency from companies on how they are using personal data, and retailers could face hefty fines if they fail to comply. The maximum fine under the regulations – €20m (£17.8m) or 4% of annual global turnover, whichever is greater – is significantly larger than the £500,000 maximum penalty for data breaches currently imposable by the Information Commissioner’s Office (ICO) under the Data Protection Act 1998.
With just seven months to go until GDPR comes into effect in the UK, fashion firms are beginning to treat compliance with the new rules as a high priority.
Menswear business Hawes & Curtis, owned by Touker Suleyman, is at the early stages of preparing for GDPR.
“We are aware of the importance of getting this right and staying within the regulations,” says head of ecommerce Antony Comyns. “We are in the process of detailing the steps required to become compliant and have formed a committee with our sister companies [owned by Suleyman] to ensure we cover everything.”
A chief executive of one pureplay etailer explains that it began by seeking “good advice about what to expect”: “Second was to map all of our data and make sure the documentation is clear. Next is learning from the GDPR guidance, as it emerges, as to what communications to engage our customers in. Making sure that all of us have good controls over access to our data for customers and employees is at this point the most important thing.”
GDPR is a complex piece of legislation, and it has a range of implications for the fashion industry (box, below).
“The most important factors to note are its reach and greater focus on protecting consumers,” says Jen Brown, director of marketing, EMEA, at tag management firm Tealium. “Unlike the previous Data Protection Directive, GDPR applies to any company processing the data of EU citizens, regardless of location.
“Second, companies will need to gain individual consent to access their data via plainly worded requests that state exactly how it will be used. Consumers will have the right to revoke this permission, view data held about them, and ask for any redundant information to be deleted.”
One of the biggest barriers to compliance is likely to be a lack of understanding of what data is being collected and processed, says Brown. She advises retailers to audit the data that flows through their business to understand what they have, what it is used for, how it is stored, and what data protection practices they already have in place.
Once they have a clearer overview of the data they hold, retailers can minimise risk by securely deleting data that is not deemed business critical, and putting in place clear processes and policies on data governance. The next priority is to ensure these policies are communicated clearly internally, as well as to customers.
Marks & Spencer has set up a working party with stakeholders from IT, legal and other teams to go through GDPR, and ensure everyone is 100% clear on their responsibilities within the new legislation.
“We’re audited, so many of the checks and balances are in place,” explains a spokeswoman. “It’s more about making sure every stakeholder in the business is aware of the requirements and that our internal processes are all in line.”
Similarly, at Hawes & Curtis the focus is on ensuring the whole business understands the regulation, says Comyns: “Often people talk about PCI [payment card industry standards] and GDPR, and think it only relates to online. Our stores need to know how to manage data.”
While GDPR may seem prohibitively strict, it could present an opportunity for retailers to improve customer relationships. By being transparent about data practices and clearly communicating how, when and why data is used, retailers can show their customers they are trustworthy.
However, with the clock ticking, the priority for fashion retailers and brands is to make sure they are compliant, and avoid the risk of those hefty fines.
What fashion retailers need to know about GDPR
Malcolm Gregory, partner at law firm Royds Withy King
What impact is the new General Data Protection Regulation (GDPR) likely to have on retailers?
GDPR will impact all organisations that process personal data, including customer, supplier and employee data. No matter the size of the business, it is likely fashion retailers will need to take steps to ensure they are prepared for the legislation. The more complex the retail structure, the longer it will take to change processes and behaviours.
Retailers will use a variety of suppliers, and those handling personal data will be processing that data on behalf of their retailer client. For example, delivery or logistics providers and marketing agencies will be data processors. Under the GDPR there will be a legal obligation to have a written processing agreement in place with all data processors.
Will GDPR affect e-receipts?
An email address is considered personal data under GDPR, just as it is under the current Data Protection Act 1998. Under GDPR, personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Therefore, if an email address is given for the purpose of receiving an e-receipt, it must only be used for that purpose. You cannot use the email address for marketing or any other purpose. Once the receipt has been sent, the email address should be deleted so that you are not storing personal data unnecessarily.
Are retailers breaking the law if they go on to use an email address for marketing purposes?
The short answer is yes. If you wish to use the email that you are gathering at point of sale for subsequent direct marketing, this must be “explicitly brought to the attention of the customer”. It is important that you clearly set out the purposes for which you are going to use the data and, where applicable, seek consent for each purpose. In this case you would need to get the customer to tick a box or make some other clear affirmative action that they are happy for their email address to be used for marketing purposes. It must be as easy for a person to withdraw their consent as it is to sign up in the first place.
Retailers could email customers before GDPR comes into effect asking if they would like to opt in to receive marketing updates. After 25 May, an unsolicited email of this nature would not be permitted.
What else do retailers need to know about GDPR?
GDPR introduces a new definition of “profiling”, which includes where data is collected in an automated form and used to predict or analyse personal preferences of a customer. Retailers profile customers in a number of ways, such as through the use of loyalty cards or online behavioural advertising.
Where a retailer chooses to profile an individual and that profiling has a “legal effect” on the individual, under GDPR this will only be possible with consent. “Legal effects” are not defined, so to some extent this will be guided by the regulator’s interpretation, but by way of example, first-party behavioural advertising is unlikely to have a legal effect, whereas profiling using loyalty card data and then restricting deals offered to a particular customer might.
The profiling requirements under GDPR are separate from the current e-privacy rules, which still require you to obtain consent for placing cookies on an individual’s device. If your profiling is achieved via cookies, consent may already be in place.
What powers will customers have over their data?
Customers will be entitled to have their data rectified if it is inaccurate or incomplete, and any such request must be responded to within one month (two if the request is complex). An individual will also have the right to request that their personal data be erased, known as the “right to be forgotten”. In such instances you will be obliged to delete the personal data where there is no compelling reason to keep it.
What happens if data is hacked?
Retailers need to ensure they have implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. GDPR introduces mandatory data breach notifications to the regulator (the ICO in the UK) within 72 hours and in some cases to the individual(s) affected, too. Up to now, notifications have been voluntary.
What precautions should retailers take?
Retailers need to give very careful thought to breach prevention and ensuring breaches are handled in the right way. Different procedures might be in place if a complaint comes in via a customer service call or email than if the retailer discovered the breach internally through, say, its own IT system. Either way, retailers should consider who else might need to be involved – insurers, PR agencies, other suppliers. They should raise awareness among all their workforce, and train staff as to appropriate behaviour and procedures.