The collection and use of personal data is a daily occurrence for fashion businesses. Personal data is processed when, for example, a consumer logs in to their online account, makes a purchase online, or is sent promotional material by the retailer. Personal data can be, and increasingly is, used by brick-and-mortar and online retailers to try to stay ahead of their competitors by tailoring their offers and promotions to their customers.
The General Data Protection Regulation (“GDPR”), which has been designed to enable individuals to better control their personal data, will come into force on 25 May 2018. A key principle of the GDPR is greater transparency as to how businesses are using personal data, with substantial fines for failure to comply. The maximum fine under the GDPR is Euro 20 million or 4% of annual global turnover, whichever is greater.
However, despite the GDPR being on the horizon for the past two years, according to a recent survey conducted by the Federation of Small Businesses just 8% of small enterprises are ready for the GDPR. One in three respondents had not started preparing for the GDPR, and a further third said that they were in only the “early stages” of planning.
Whilst the requirements of the GDPR may seem insurmountable to some, the GDPR should be treated as an opportunity to step back and review all data processing practices. Furthermore, by being transparent about data practices and communicating to customers and potential customers how and why personal data is used, retailers can earn greater credibility.
What should retailers and brands therefore be doing as a priority?
- Undertake a compliance audit to understand the data processes and procedures currently in place, including the way that personal data is used by the business, and how long personal data is retained.
- Conduct a gap analysis in order to work out what compliance steps are needed going forwards.
Common areas which should be considered include:
- Preparing, or updating, website privacy policies, to reflect the GDPR requirements in respect of personal data collected from customers or potential customers through a website. This is because the GDPR is prescriptive as to the information to be provided to an individual when their personal data is collected.
- Preparing, or updating, data protection clauses in employment contracts in respect of personal data collected from employees, as well as internal policies and procedures on data protection, communications monitoring, privacy and data retention in respect of personal data handled by employees.
- Reviewing and updating contracts with third party data processors which process personal data on your behalf. For example, courier companies which process certain customer personal data in the fulfilment of orders, or payroll providers which process employee personal data. Again, the GDPR has specific requirements as to what needs to be included in such contracts.
- Considering international data transfer processes for international businesses.
- Determining whether to appoint a data protection officer.
The GDPR comes into force in eight weeks’ time – less than 40 working days! The GDPR may require significant changes for many businesses, some of which will require substantial lead time. With the threat of hefty fines, compliance should be treated as a high priority. However, the Information Commissioner has been at pains to emphasise that 25 May 2018 will not usher in an era of punitive action against small businesses, stating that “We have always preferred the carrot to the stick. We will use fines and serious sanctions only as a last resort. Our first resort is education and support”. In view of this, perhaps of greater immediate concern to fashion retailers and brands, should they fail to comply with the GDPR, is the potential damage to brand reputation.