What Must Convenience Retailers Do to Ensure their Customer Program is GDPR Compliant

This article was originally published in Global Convenience Store Focus.

The EU’s new General Data Protection Regulation (GDPR) legislation on data protection and privacy comes into force in less than 7 months in May 2018 and has a wide range of consequences for all retailers, especially concerning the customer data they collect. In this special feature, as Liquid Barcodes CFO & DPO Mads Mørk explains, retailers collecting data will be ‘data controllers’ under GDPR. And this means increased responsibilities for our industry.

By Mads Mørk, CFO & DPO, Liquid Barcodes

What must convenience retailers do to ensure their customer program is GDPR compliant? If you are a CEO, there are 9 questions on GDPR you should ask your marketing, legal, and IT team.

What personal data do we possess?

Getting an overview of what personal data is in your possession is probably the best place to start your work on GDPR compliance. In GDPR terminology, personal data is defined as any information relating to an identified or identifiable natural person. This is a broad definition. Hence, a wide range of customer data should be considered personal data. Identification of a person can be indirect. The GDPR lists a range of data that can identify persons. Of special interest to retailers are location data. For example, if customers leave a trail at the POS, your transaction data should be treated as personal data because the data can reveal the location of customers at specific times.

Can we avoid collecting sensitive personal data?

Sensitive personal data is treated more strictly under GDPR than personal data. Sensitive data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sexuality. If you can avoid having such data in your possession, it will be easier to be GDPR compliant.

How do we use pseudonymization and encryption to increase data security?

The trend of collecting and storing ever more customer data poses a challenge in the context of GDPR. The GDPR requires you to have full control of access to and integrity of your data. Pseudonymization and encryption are tools to alleviate these problems. Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. For example, replacing customers’ phone numbers on the above mentioned receipt data with a random user ID. Encryption renders data unreadable without the encryption key. We advise you to pseudonomize all customer data except for modules that handle direct communication with customers. For example, the part of your system sending SMS to customers needs phone numbers, but the module handling statistics most likely does not. Databases that contain data which can directly identify customers, for example member profile data with phone numbers, and databases with large amounts of data, such as an archive with pseudonymized data, should be encrypted.

What about our suppliers – are they on track with GDPR?

As data controller, you are responsible for data also in the possession of your suppliers, or Data processors in GDPR terminology. You need to list all suppliers in your privacy policy. You should review your data processor agreements. You must also approve your suppliers’ sub-suppliers before they can begin to process your data.

Do we have an efficient system for handling rights of data subjects?

The rights of Data subjects are more extensive under GDPR. The GDPR also requires you to answer requests from Data subjects within 1 month (extension possible in certain cases). Retailers should aim to give all necessary information to Data subjects through ‘My page’ solutions behind secure log in mechanisms.

Have we recorded active consents from all registered customers?

Consent is the primary legal basis for handling personal data for retailers. Under GDPR, consent must be active and consent texts must use clear and plain language. You must record consents so that you can prove that active consent has been given. Extra attention is placed on communication towards children (13-16 years, depending on member state). We advise to put age limits on signing up to avoid communicating towards children.

Be aware that activities involving automatic profiling of customers and geo location data require specific consents in addition to the main customer consent.

Does our privacy policy give the necessary flexibility in our marketing activities?

Since consent regulations have become stricter, it is more important than ever to ensure that your privacy policies cover the activities you are most likely to do. For example, make sure to collect consent to send marketing SMS and emails, with opt out option, even if you collect phone numbers or emails through your app.

Privacy policies will become an arena where you can demonstrate your seriousness in dealing with data protection and privacy, while using language in line with your brand image. Take that opportunity.

What is our process for handling data breach incidents?

Data breach is an incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. In case of data breach incidents, you may be required to inform your supervisory authority and your customers. There is a list of criteria specifying when you need to disclose data breach incidents.

However, your suppliers, the Data processors, should always inform you about data breach incidents.

How do we train our organisation on GDPR to ensure continuous compliance?

GDPR places great emphasis on data security and the legal basis for your communication towards customers. In practice, employees in many different departments, such as marketing and IT, will be responsible for implementing and complying with these regulations.

Therefore, it is vital that you establish training schemes to teach GDPR to the organisation. For example, the IT department must ensure that new development tasks are compliant with GDPR. Do we collect new information? Do we store data in a new way? The marketing team must know when to tread carefully when discussing new campaign ideas. Is this activity covered by our existing privacy policy? Do we need automatic profiling or geo location consent?

Disclaimer: this article is not meant as legal advice. You must seek advice from your legal advisors to ensure complete compliance with GDPR as this can vary from company to company.

Find here more information about GDPR and privacy protection.