Retailers have access to a huge amount of consumer data thanks to digital technology, and consequently are exposed to the risk of breaching data protection regulations. Companies operating in the European Union (EU) need to comply with EU legislation on data protection. This report provides an overview of the latest EU legislation which will come into force in May 2018—the General Data Protection Regulation (GDPR)—and its implications for retailers, and suggests how retailers can prepare for the new regime. The report touches on these main points:
Retailers have access to a huge amount of consumer data thanks to the application of digital technology to their operations. For example, shoppers visiting online stores leave a digital footprint of their shopping behavior, and even those going to brick-and-mortar stores leave traces when retailers use technologies such as radio frequency identification (RFID) or near field communication (NFC) to engage with shoppers.
This access to valuable consumer data is a great opportunity for retailers to better understand their customer base and to provide better service. However, the flipside of this is the responsibility that comes with the handling of personal data.
In particular, retailers that deal with consumers based in the EU need to consider the implications of the EU provisions that regulate data protection. The matter is currently regulated by the 1995 EU Data Protection Directive, but a new regulation—the General Data Protection Regulation (GDPR)—that goes into effect on May 25, 2018, will introduce more stringent provisions for organizations processing consumer data.
This report provides an overview of the new legislation, its key changes compared to the current directive and the implications of the new data protection regulation for the retail industry, and shows how retailers can prepare for and respond to the more stringent regulatory provisions.
In the EU, privacy and data protection are currently regulated by the Data Protection Directive (DPD), adopted in 1995. The Directive states that data processing is only lawful if the data subject—the individual whose data is collected—has unambiguously given consent. The EU Directive was implemented by national parliaments of the member states. In the UK, the DPD was implemented through the Data Protection Act 1998 (DPA).
For clarity, we briefly consider how retailers are subjected to the DPA’s provisions.
The DPA regulates the processing of personal data by two stakeholders, which are identified as:
Data controllers and data processors can be companies processing their own customers’ data. In most cases, data controllers and processors are part of the same organization—the two functions are often assigned to different departments within the same company. The data controller can be a retailer collecting customers’ data using RFID technology. The collected data could be processed by the retailer itself or by a third-party company to which the retailer has subcontracted the function.
Under the DPA, data controllers handle personal data according to a series of key principles. For example, they must process data fairly and lawfully, for specified purposes, and they are obliged to keep the data secure and only for the necessary period, and to not transfer the information outside the EU without adequate protection.
The DPA gives the entire responsibility for compliance to the controller, who must ensure that the processor complies with the principles. Failure to comply can result in penalties and even criminal prosecution for the controller.
RFID devices are used by retailers for customer engagement. The European Commission released the EU Regulatory Technical Standards in 2014 to help companies using RFID comply with EU data protection rules laid out in the 1995 Data Protection Directive.
According to the Regulatory Technical Standards, retailers should:
The new GDPR, adopted in 2016, will replace the EU Data Protection Directive (and the related national acts such as the UK DPA) when it comes into force on May 25, 2018. The GDPR introduces a stricter data protection compliance regime and puts direct obligations on processors for the first time. Moreover, the Regulation enables consumers to enforce their rights against firms processing data and facilitates the application of tougher sanctions on noncompliant companies.
Businesses targeting European consumers will need to prepare to comply with the new regulation, even if they are based outside the EU, as the regulation applies to the treatment of data belonging to EU subjects, regardless of where the data controller and processor are based. Unlike the current DPD, the GDPR will be enforced directly in the EU member states, without the need for legislative intervention by national parliaments. In this way, the GDPR will limit the possibility of diverging interpretations of the regulation in different jurisdictions.
Brexit will not make British-based firms exempt from the GDPR, given that it will be enforced prior to the date when negotiations between the UK and the EU end (the most optimistic deadline is two years from March 2017, when Article 50 was triggered). Even after the UK exits the EU, British companies targeting EU consumers will still need to comply, given the extraterritoriality of the GDPR.
The text of the GDPR explicitly states its application to the processing of personal data of data subjects related to the offering of goods and services or the monitoring of their behavior. Moreover, the text mentions that online identifiers such as RFID tags can be used to profile a person, thereby creating the case for the application of data protection principles to the use of RFID technology.
The GDPR does not significantly change the data protection principles as listed in the previous Directive. According to the GDPR, personal data must be processed lawfully, fairly and transparently; collected accurately and safely; and stored with a specific purpose in mind. The controller is responsible for compliance with the data protection principles and must be able to demonstrate it. The GDPR also requires processors to comply with certain obligations, such as maintaining adequate documentation, and processors will be directly liable to sanctions if they fail to meet these criteria.
However, the GDPR presents significant changes in the level of data protection and is a big step up from the provisions of the current DPD. Figure 1 summarizes the key changes and possible implications for retailers using RFID.
The GDPR entails a significant increase in accountability in terms of data protection and in administrative burden for retailers processing customers’ data. However, we do not think that the GDPR will jeopardize retailers’ ability to take advantage of consumer data, as long as companies take action to prepare for the new regulation.
In particular, retailers should:
Retailers have access to a huge amount of customer data thanks to the application of digital technology to their operations, but while this is an opportunity to better understand the customer base, the broader availability of personal data exposes companies to the risk of breaching data protection regulations.
In the EU, privacy and data protection are currently regulated by the Data Protection Directive, but the GDPR will replace the current legislation when it comes into force on May 25, 2018, and will introduce a stricter data protection compliance regime. The GDPR introduces significant changes in the level of data protection. For example, the new regulation makes it easier for individuals to bring claims against companies processing data.
Retailers targeting European consumers will need to prepare to comply with the new EU regulation, even if they are based outside the EU, for example by training staff on compliance and by setting up clear accountability procedures. We believe that companies that prepare well for the GDPR will not jeopardize their ability to take advantage of the insight provided by consumer data despite the more restrictive regime that they will face.