Many U.S. companies view GDPR as a strictly European regulation, but the rule is very clear: Any company that does business with and manages the data of a European citizen falls under GDPR. Companies that fail to comply face fines of 20 million euros (about $23.4 million) or 4 percent of annual turnover, whichever is greater.
Major retailers are taking note. Amazon has been held up as the most prolific U.S.-based example. Once it acquired Whole Foods in 2017, Amazon became America’s fifth-largest grocery retailer. It now operates 477 stores in North America and the United Kingdom. In writing for Corporate Compliance Insights, Greg Sparrow, senior vice president and general manager at CompliancePoint, reports that for companies such as Amazon with a net revenue of around $178 billion in 2017, failure to comply could mean fines as high as $7.1 billion.
A company’s responsibility for personal data doesn’t end when it gets passed to others for processing, writes Cindy Compert, distinguished engineer and security CTO at IBM, in a blog published earlier this year. Consider her example: A marketing team may use an email automation supplier to communicate with customers, and use a customer relationship management vendor to track engagement. Under GDPR, the team must take steps to ensure that those third-party processors handle their customer data in accordance with GDPR, Compert says.
“GDPR obliges the controller [the marketing team] to demonstrate that the appropriate measures are in place to protect individuals’ personal data rights,” Compert writes. “The good news is that processors [the third-party vendors] must submit to audits to make sure this is the case.”
5 GDPR Tips for Retailers
- Create concise consent forms. Under GDPR, retailers looking to send customers emails containing future offers or other promotions will require customer consent. That consent must be fully informed and freely given. European regulators will not recognize consent if a retailer buries a consent agreement under a long list of legal disclosures. Retailers must call out a consent agreement as a stand-alone feature and develop consent forms to handle their employees’ personal data.
- Notify regulators rapidly when a breach occurs. GDPR changes notification requirements in two important ways. First, third parties may be held directly liable for a breach. Second, companies must notify regulators of a breach within 72 hours. Create a response plan that includes insurers, the company’s PR agency and all relevant suppliers. Assign a task force that will act as a response team in the event of a breach and train staff members to recognize breaches and report them to the proper authorities and/or the IT department. Employees from customer relations, marketing and PR, legal, security operations, IT and HR are all needed to address employee data, Splunk advises.
- Notify suppliers of their responsibilities. Retailers have always been required to enter data processing agreements with suppliers, but those requirements are more stringent under GDPR. For example, retailers must clearly spell out security requirements to third parties and stress that they must assist the retailer in the event of a breach. Companies should ensure that partners apply added encryption and audit trail capabilities to minimize data exposure, Splunk adds. Companies must also ensure those measures meet updated GDPR standards spelling out data confidentiality, integrity, availability and processing system resilience.
- Establish a common vocabulary. As part of their employee training, companies should develop a set of principles and FAQs with standardized terminology that drive home key concepts to employees. For example, settle on a single term for the concept that is called “personally identifiable information” in the U.S. and “personal data” in other countries.
- Keep abreast of ongoing, international compliance efforts. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were set up by the U.S. Department of Commerce and the European Commission to give all parties a valid legal mechanism for cross-border data transfers. Such efforts have hit significant roadblocks. On July 5, the European Parliament passed a nonbinding resolution asking the EU to suspend the Privacy Shield. The U.K.’s pending withdrawal from the EU has also created uncertainty.
Bottom line: Consult legal counsel to stay up to speed as policy events continue to evolve. Retailers can begin to ensure GDPR compliance by spelling out specific security requirements for suppliers and creating a response team in the event of a breach.