Retailers need to brush up on fresh legislation over customer data protection as new rules over breaches prepare to swing into action.

As if retailers didn’t have enough on their plate, the EU General Data Protection Regulation (GDPR) was officially adopted last month. It replaces the 1995 Data Protection Directive and the national laws that implement it in member states, including the UK Data Protection Act (1998).

While there is a two-year period of grace before the regulation applies in full, the operational and regulatory implications for all retailers are significant – but are they fully aware of them?

As online retailing has grown – and customers increasingly engage with retailers via tablets and smartphones – the sheer volume of personal data held by retailers, the much-discussed ‘big data’, continues to grow rapidly, and the new GDPR rules place onerous new responsibilities on retailers when it comes to taking care of that data.

Last year, a survey of more than 400 UK business technology managers assessed how secure our personal data is.

Retailers came out worst in terms of both customer data losses and how they deal with breaches once they have occurred.

According to the study, 15% of surveyed retailers had lost important customer data more than four times, while 8% had lost data more than 10 times. More than a fifth of retailers had been hacked and 50% of those surveyed had personal experience of company computers being hacked.

Studies indicate that the most common cause of a data breach is simple human error, for example an employee clicking on a phishing email, but external cyber-attacks are also becoming ever more sophisticated.

Increasingly, hackers do not attack businesses directly, but do so via their network of connected partners and suppliers.

One of the largest retail data breaches in recent years was caused by hackers gaining access via a relatively small vendor.

The arrival of GDPR means that retailers need to take much greater care of their customers’ data and put in place robust, demonstrably appropriate systems and security processes to prevent breaches, and to detect and report those that do occur.

Some of the new regulations include:

  • Where businesses rely on consent to process customer data, that consent must be active and affirmative – which means no more of those little pre-ticked boxes on retailers’ websites. Consent is only one of several lawful bases for processing; fulfilling a customer’s order, for example, is another.
  • Customers will have a right of access to the data retailers hold about them, and a right to have inaccurate data rectified. They will also have the right to insist on data deletion under “right to be forgotten” obligations, subject to certain exceptions.
  • The definition of “personal data” has been significantly expanded. It now explicitly includes online identifiers such as IP addresses and cookie identifiers, as well as pseudonymised data that could be re-linked to an individual. Only data that is truly anonymised, so that the individual can no longer be identified by any means, falls outside the rules.
  • The definition of a “breach” has also been expanded. Unauthorised access, such as accidental sharing between employees, or any accidental or unlawful loss, alteration, destruction or disclosure of personal data all now count as breaches, not just hacking attacks.

Any breach must now be reported to the relevant supervisory authority within 72 hours of the retailer becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and affected customers must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Fines for violations are now far sterner. National data protection authorities will be able to levy fines of up to 4% of a company’s worldwide annual turnover or €20m, whichever is the higher, for the most serious infringements, and up to 2% or €10m for a lower tier of infringements such as failing to keep adequate records or failing to notify a breach.

Are our retailers fully prepared?

  • Dan Murphy is a partner at management consultancy Kurt Salmon