With less than 2 months to go, the deadline for Europe’s new General Data Protection Regulation (GDPR) is fast approaching. Unfortunately, retailers who do not take action to get compliant in the next few weeks could face millions (or more) in fines.
If you’re still feeling confused or overwhelmed about the GDPR process, fear not.
We spoke with Will Marshall, Partner at UBM Law Group LLP, who explains not only the fundamentals of GDPR but more importantly – how this new data law will impact retailers. He also provides step by step guidance on how retail brands can get compliant and the good news is – it’s not too late to get started!
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s new data protection law. It was passed in the spring of 2016 and, following a two-year grace period, will be enforced starting on May 25, 2018. The GDPR replaces the current Data Protection Directive, in effect since 1995.
The General Data Protection Regulation (GDPR) will:
1) Provide a Single Uniform Law
The purpose of the GDPR is to provide a single uniform law governing the protection of personal information across the European Economic Area (the EU plus three other European countries) replacing the individual national laws passed under the 1995 Directive.
2) Clarify Personal Data & Transparency
The GDPR was also intended to clarify, strengthen and modernize data protection, particularly given the profound changes since 1995 in how personal data is collected and processed on the Internet and otherwise.
3) Boost Valid Consent Requirements
The GDPR also boosts what is required to obtain valid consent. Whereas opt-out implied consent may have sufficed, now it must be clear, freely given, unambiguous, informed and easily withdrawn.
However, note that consent is only one basis for processing personal data under Article 6 of the GDPR. Performance of a contract with the data subject (e.g. using a customer’s shipping address to ship them their order) is another.
For these reasons, the GDPR will likely spur a movement away from reliance on consent as a basis for processing.
Which companies does GDPR affect?
The GDPR applies to any organization that is processing anyone’s personal data, if that processing is done in the context of the activities of an organization established in the EU (regardless of where the processing takes place).
For example, a company located in France that is processing personal data of an individual in South America on a server located in the US as part of its business would be subject to the GDPR because of where the company is established.
Of more relevance to US companies, if a company is offering goods or services to (regardless of payment) or monitoring the behavior of EU residents, then the company is subject to the GDPR.
There are fact-based analyses as to whether, for example, a company is offering goods or services to EU residents. Mere ability of an EU resident to access the company’s website is not sufficient, but a website offering goods payable in Euros very likely would be.
Finally, under the GDPR, the person or entity that decides the purpose and means of processing personal data is called the “controller” and has certain obligations. A party that merely assists a controller in processing that data on the controller’s instructions is called a “processor”.
A US-based processor for a controller that is subject to the GDPR is also directly subject to the GDPR and would almost certainly have contractual exposure to the controller for GDPR violations.
Who should handle compliance efforts?
Generally, who leads the compliance effort depends on the size and resources of the company, but it might include the Chief Technical Officer and in-house legal counsel if available, although C-level management and directors should always be involved.
A company may also be required to appoint a Data Protection Officer (think of this as an external or internal independent champion of the company’s data protection compliance) and a representative located in the EU who serves as the enforcement authorities’ point of contact.
A compliance effort depends to a significant degree on the extent and complexity of an organization’s processing activities.
A company that is merely collecting the name and shipping address of its customers and using that information solely to ship the customer’s order to them will generally have a lesser compliance effort than a company that is not certain what personal data it has or where exactly it is, has poor security, collected the personal data from opaque third-party sources, and engages in varied uses of the personal data (e.g. selling it to third parties).
How much will GDPR cost a retailer?
Much of this effort will be internal, presenting a resource allocation cost, but competent outside privacy counsel should be engaged, and some companies may find external compliance tools and consultants helpful, which also present a tangible cost.
Also, revisions to privacy practices, security upgrades and other changes in operations necessary to comply can require significant time and resources.
What are the ramifications if a retailer is not in compliance by the deadline?
Historically, the EU’s approach to data protection has been marked by stringent requirements (even under the current Directive), but relatively low fines and a somewhat cooperative approach, particularly with those companies showing an effort to comply.
There are a variety of potential ramifications under the GDPR including private actions and regulatory actions.
However, the most significant one is that the GDPR permits much higher penalties for non-compliance than the Directive – up to the greater of 20 million euros and 4% of the corporate group’s annual global turnover (revenue) during the prior year for core violations.
This feature appears to be what is driving the intense compliance efforts being seen, particularly by large, multi-national companies with significant revenue.
That said, regulators and commentators have signaled that fines, particularly major fines, would occur at the end of an enforcement effort in which the company demonstrated a material lack of accountability and un-remediated violations.
“The worst thing a company could do when faced with an enforcement inquiry would be to say ‘GDPR? What is that?’ or otherwise be able to show no or only minimal compliance efforts.”
Any additional information that is relevant to retailers?
Many US companies, retailers and otherwise, may interface with the GDPR when their EU-based or multinational customer asks them to sign a data processing agreement (DPA) that perhaps has standard contractual clauses or so-called “model clauses”.
Agreements like this are required in some form under Article 28 of the GDPR to flow down compliance obligations. Or the US company may hear about “Privacy Shield” certification.
A key purpose of Privacy Shield or use of model clauses is to bless transfers of EU personal data outside of the EEA to a country deemed without adequate privacy protections (which includes the US).
It is important to know that properly handling the transfer of personal data out of the EU/EEA is only one aspect of compliance out of many. Simply certifying under Privacy Shield is not in itself a GDPR compliance plan.
For retailers in particular, it is important to assess what is being done with personal data.
- Is basic name and shipping address being used to provide customers goods or services?
- Or is the retailer also engaging (itself or using third party services) in sophisticated advertising and marketing based on personal data?
- Is the retailer tracking or monitoring even unnamed, but potentially identifiable individuals in the EU?
Such activities dramatically increase and complicate compliance efforts.
Programmatic online advertising, used by many retailers, will face very complex challenges in complying with the transparency and consent requirements, data subject rights and use limitations presented by the GDPR. In that ecosystem, rich data sets about even indirectly identifiable individuals are collected from varying sources, then shared and blended with other data about the individual among various parties such as auctioneers and data brokers in the adtech ecosystem.
Next Steps: 4 Ways Retailers Can Get Compliant
1) Perform an assessment.
Perform an assessment of what personal data you are processing (for yourself or for others) or having processed on your behalf. Think of personal data very broadly. Encrypted data, public data, and even a dynamic IP address or a set of personal attributes that can only point to a few individuals can potentially constitute personal data under the GDPR.
Is any of this data pertaining to European residents or is your company or any entity for which you process data established in the EU?
2) Start a data mapping exercise.
If so, begin a data mapping exercise, which can be low-tech, in which you pin down what personal data you handle, where it comes from, who you share it with, what you do with it, and what security measures (or risks) the data is subject to.
3) Develop a plan of actions.
While data mapping, engage and work with competent outside data privacy counsel with knowledge of EU data protection laws to develop a plan of action. Keep in mind that the most experienced ones are extremely busy currently and may not be taking new clients.
Also, it may make sense to prioritize externally facing compliance indicators, i.e. those things that enforcement authorities would first see, such as how you handle data subject rights requests (where failures could trigger data subject complaints), public-facing privacy policies or statements that are easily reviewed by enforcement authorities for non-compliance, and preparing the processing records required under Article 30 of the GDPR, which would be one of the first things requested by authorities in an inquiry.
4) Don’t panic!
Good faith compliance efforts, even ones that do not result in 100% compliance, can go a long way with enforcement authorities. To that point, this early in implementing the GDPR, there are many compliance questions where even experts are unclear, so “full compliance” may remain a somewhat theoretical state for the time being.
For more information on GDPR, email tara@cpcstrategy
The Main Takeaway:
“Don’t decide to do nothing simply because the enforcement deadline seems too close or because you want to pursue a wait-and-see approach.”
Many compliance measures can require relatively minimal effort or cost and will help demonstrate a good faith approach that will place you in better standing in the event of an enforcement investigation.