GDPR for Retailers

GDPR will have a significant impact on retail merchants and their financial partners in the multi-channel retail chain. The legislation introduces advantages, such as retailers no longer needing to meet the compliance standards of multiple separate countries.

The industry has become accustomed to storing and accessing customers' shopping-habit data through customer profiles and schemes such as loyalty cards, and the changes under GDPR will challenge these practices. Retailers will have to assess whether they have legal access to collect customers' personal data and whether the data-gathering process meets the consent standards of GDPR.

Security firm Thales reported in July 2017 that 43% of retailers have experienced a data breach in the past year. This has led to 75% of retailers increasing their spending on IT security so they are prepared for the GDPR compliance deadline.

GDPR reaches across and beyond the EU and applies to all organisations that hold any data belonging to EU citizens. Regardless of whether your retail business is established in the EU, you must comply with the regulation and be able to demonstrate compliance to your lead supervisory authority.

How prepared is your retail organisation for GDPR?

Learn about GDPR and what is happening and changing. Start the process by creating a risk assessment and provide all employees of your organisation with training in data protection.

Who is in charge of your organisation's GDPR compliance?

Establish who will take ownership within your organisation when it comes to GDPR.

What type of data do you process and where is it stored?

Within a retail organisation, it is highly likely that you will process and store a large amount of data. To be compliant you must know who you are sharing the data with and where it is stored.

Can you facilitate requests for information?

GDPR gives a person more control over their data and how it is used.

Do you and your organisation understand the ePrivacy Regulation?

Along with the changes, all users must explicitly consent to the use of third-party services such as Google Analytics and email newsletters.

What must your organisation do in the event of a data breach?

Every organisation has 72 hours to report a data breach to their lead supervisory authority.

How does your organisation currently acquire personal data?

Collecting personal data through loyalty cards or customer profile logins will change: you will have to obtain explicit consent to legally acquire any data from people. So no more pre-ticked boxes on sign-up forms.

Are you the one who is accountable?

Make sure to carry out privacy impact assessments on all new projects and update any privacy notices, consents and rights for individuals.

Is your organisation PCI DSS compliant?

PCI DSS focuses on securing cardholders' payment data, so compliance with one gets you closer to compliance with the other.

Will you need to fill in any recruitment gaps?

If your company is regularly monitoring or processing sensitive personal data on a wider scale, you will need to appoint a Data Protection Officer (DPO) who will monitor compliance and be the first point of contact with your lead supervisory authority.

