Gone are the days when retailers could simply collect customer emails in bulk to be used at a later date for a purpose that has not yet been identified. Why? The GDPR makes it very clear that those who collect personal information for purposes they have not been given explicit consent for will face heavy consequences.
If you are a sales person in one of the shopping centres in London and you want to offer the next promotion to your customers by e-mail, you must inform your customers what your company will do with their email addresses.
From the customer perspective, the GDPR constraints are effective and good because they put the responsibility on the retailer to seek the customer's consent, and to explain to them in plain terms what they plan to do with the data.
From the retailer perspective, this might seem a daunting task. Not only because most of today's marketing strategies include e-mail marketing, promotions, and even targeted product advertisements to their pool of customers, but also because retailers themselves will most likely be data controllers, which makes them responsible for the actions, or lack of action, of their supply chain. Not having full visibility of your supply chain is no longer an excuse. If a processor mishandles data, both the controller and the processor are on the hook. That is why it is so important to ensure your supply chain is compliant and that you have complete visibility of it.
Here are the requirements for how personal data must be collected and handled according to the GDPR:
- Lawfulness, Fairness and Transparency: personal data must be processed lawfully, fairly and in a transparent manner
- Purpose Limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes
- Data Minimisation: personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is collected and processed
- Accuracy: the personal data processed must be accurate and, where necessary, kept up to date
- Storage Limitation: personal data must be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Rights of the Data Subject: personal data must be processed in accordance with the data subjects' rights
Not all of these principles are new, since most of them are present in the Data Protection Act. However, there are some additions, particularly to the data subjects’ rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (right to be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Being compliant with any of these requirements means that retailers should first establish whether customers have given informed consent to the processing of their data, how this data is processed and where it is stored.
Retailers might struggle to manage customer data due to the sheer volume of it they handle. This means they may find it challenging to comply and have to start their journey as soon as possible.
Time is running out for retailers to take action to prepare for the regulation coming into effect, and retailers must be prepared for their customers' requests, should they wish to exercise their rights.
Read our blog 7 steps to get ready for GDPR.
Ask how CyReg™ GDPR can help you to address the challenges that the regulation brings.