The rules and regulations relating to how merchants and retailers capture, store, share and process customer and staff data are about to change. It will apply to all EU member states without a need for local legislation. At the start of this year the European Commission unveiled a draft of its European Data Protection Regulation which is planned to take the place of its previous Data Protection Directive. The purpose of the change is to align and update data protection across the EU. One continent, one law. It impacts not only those businesses within the EU, but also businesses that targets goods or services at EU consumers too.
The regulation is expected to be implemented and enforceable by 2018 and when this happens, all businesses will have to be ready for key changes to how personal data is collected, stored and processed. In addition there are changes to how data breaches are reported. The consequences of non-compliance will increase greatly too. The current draft outlines that fines could be as significant as four per cent of global annual turnover. This in itself is enough of an incentive for merchants, retailers and their financial services partners to sit up and pay attention.
So, could GDPR also stand for a ‘Good Deal of Protection and Rights’ or will it be a ‘Great Deal of Pain for Retailing’? The answer to this lies in where you fit in the multichannel commerce chain:
GDPR and the consumer
Everyone has a right to the protection of their personal data. When businesses don’t protect their customer’s data then not only are the financial implications but trust is lost.
However, consumers from different countries across Europe currently experience widely varying standards over how well policed their personal data is. Some countries like Germany and Spain already have tight data protection regulations, but others less so. A recent survey quoted by the European Commission outlines that more than 90 per cent of Europeans say they want the same data protection rights right across the EU. GDPR is nothing but good for anyone that shares their personal data with an organisation and is an essential step to strengthen the rights of citizens and consumers in the digital age.
Not only should consumers have the right to have their personal details kept safe, but they should also have the right to complain and obtain redress if their data is misused. GDPR will give consumers more control over their personal data. It will make it far easier for them to access and manage it, delete it ‘the right to be forgotten’ and to know when their data has been hacked. I don’t think you’ll find many people that would argue that GDPR isn’t good news all round for the consumer.
GDPR, multichannel retail and payment processing
Similarly, I think you’d struggle to find a retailer who would not welcome simplification of rules and regulations applying to their business. For any business operating across EU country boarders, it will be far easier to comply with one set of rules instead of 28. However, this alignment comes at a cost to business. Attitudes, processes and IT policies need to change. Data protection needs to be ingrained into a business by design and default. That’s easier said than done retrospectively when dealing with legacy systems and data.
Systems and products must be built from the bottom up around privacy and the default position must only be to collect sufficient data for the precise processing involved. Privacy Impact Assessments must be carried out and evidenced where new technologies are being deployed. This all amounts to increased effort and costs for the industry.
Companies with over 250 employees are expected to have to appoint a data protection officer and start developing metrics to measure the status of privacy efforts. They are required to create reports of compliance that will be required as part of the business’ annual report.
Payment service providers are already strongly regulated by PCI and other data protection measures, however, even then they will still need to evaluate whether they comply with the new laws. Many are already investigating introducing value added services to protect data accordingly and reduce the investment effort for merchants. In addition to the steps above, the payments industry can support customers by having joint obligations and liabilities for data controllers and data processors, preparing and implementing mandatory policies and procedures and testing data breach plans.
Key steps to help prepare for GDPR
The current bill is still in its draft stages. However, those are very late draft stages and the bill being passed and ultimately enforceable is not far away. There are some practical steps that merchants, retailers and payment partners can be preparing for now:
- Put GDPR on the boardroom agenda - Make GDPR a board level task, give it the right attention
- Investment – Don’t underestimate the investment needed to implement these new rules – build it into business plans now
- Policy and procedure - Prepare privacy policies, procedures and documentation and keep them up to date. Data protection authorities will be able to ask for these during audits
- Process – Implement a notification process to report possible breaches and review incident detection, management and response process and capabilities
- Training - Implement regular training for all staff to generate awareness and understanding
- Recruit or cross skill now – If your business employs over 250 employees, think now about who will fulfil the role of the data protection officer. Do you need to hire or cross skill staff?
- Tackle ‘Rights’ head on – Develop a strategy and process to fulfil the consumer’s ‘right to be forgotten’, ‘right to erasure’ and ‘right to data portability’
- Privacy by design – ensure that privacy by design requirements are included in all make and buy strategies going forward
By Andre Malinowski, head of international business at Computop
Find out how to ensure that your company is fully prepared for the implementation of GDPR by attending the GDPR Summit Series, designed to help businesses prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at www.gdprsummit.london