As tick follows tock the EU’s General Data Protection Regulation (GDPR) continues its remorseless progress to its release on 25th May 2018. Not sure about what GDPR is? Pop back to the overview my colleague Ben published on our blog last month. We know – thanks to the feedback we’ve had from customers and prospects – that this is a topic that a lot of you are interested in. So I’m back today to look at GDPR and how it will impact multichannel retailers.
GDPR: still fluid?
The first thing to highlight is that the situation is still very fluid. The Information Commissioner's Office (ICO), which is responsible for monitoring and enforcing GDPR here in the UK, is yet to publish its rules on consent. These were promised for early 2017, but have yet to appear.
As a Multichannel Retailer, What do I Need to Worry About?
In terms of the risk you're going to have to manage, there are two clear elements. The following data that your business holds are in scope for GDPR:
- Customers & Prospects
- Any data covered by the Data Protection Act of 1998 or the Privacy and Electronic Communications Regulations (PECR) of 2003.
Impacts on Multichannel Retailers
- You will need an explicit opt-in for all electronic / automated marketing. This includes email, SMS and automated calling.
- Offline marketing (catalogue mailings, direct mail and other, more traditional methods) may be covered by ‘Legitimate Interest’ (see section below). But this is to be confirmed by the ICO.
- No pre-ticked boxes. Assuming consent on your website / order form etc. will no longer be acceptable. If you wish to be able to market to a customer or prospect electronically – and potentially in any way – then they must take affirmative action.
- Children under the age of 16 will need parental / guardian consent.
- B2B customer and prospect data is no longer excluded for unincorporated companies. If you’re dealing with unincorporated companies then their data are to be treated as personal and in scope for GDPR. My assumption, at this point, is that customer and prospect data for incorporated companies will continue to be out of scope.
- The £10 charge for subject access requests is to be dropped completely.
- All requests for data have to be serviced, free of charge, within 30 days of receipt and all data has to be made available digitally.
- Outsourced firms who process data on behalf of retailers will be held equally responsible under GDPR and will not be exempt. At the same time, it will not be possible for retailers to hand data processing off to a third party and exempt themselves from responsibility.
- Data breaches will have to be reported and will lead to fines. Until recently, the attitude of the ICO has been collaborative when it comes to data breaches. Over the last 12-18 months they have become much more hard-line and it seems likely that this will continue after GDPR comes into play.
- Fines for breaches have been publicised as starting at 20m Euros or 4% of global revenue, whichever is greater.
Legitimate Business Interest
One piece of good news that we’ve been able to distil from GDPR – and it’s dependent on the ICO clarifying how their rules on Consent will be implemented – is that direct mail and traditional mail order operations may be able to continue unhindered thanks to ‘Legitimate Business Interest’.
Recital 47 states that where there is a legitimate business interest between the data controller (you) and the customer / prospect, you can continue to contact them by direct mail. Essentially it boils down to:
As a retailer and a consumer we have a mutual interest in a relationship. I want to sell you stuff, you, potentially, want to buy stuff from me. We can carry on this path until one of us objects.
It’s not carte blanche though. You need to bear in mind the following:
- You still have to run balancing tests between your interests and the consumer's – there needs to be a 50/50 split to ensure mutual interest / benefit.
- You also still have to be clear about your intentions.
As we mentioned earlier, Legitimate Business Interest is only applicable in specific situations. If you're doing anything via email, text, automated calls etc., then it goes out of the window and you have to get your customers to opt in and give you consent.
What does my Multichannel Retail Business do Next?
There are a number of steps for you to take and we’ll be diving into each in turn, in the coming weeks, to provide you with more information and support on how to tackle these:
- Document what you’re doing now to ensure that you fully understand the data you hold and how it is handled.
- Review your Processes and Systems to ensure that your business can cope come 25th May, 2018.
- De-dupe your company data.
- Revisit and, potentially, re-write your Consent Statements. Potentially you’ll want to look at both Opt In and Opt Out.
- Run an Opt In / Opt Out campaign with your current customer and prospect data so that you can hit the ground running after the 2018 Spring Bank Holiday.
Integrated CRM Helps with GDPR
Khaos Control’s integrated CRM, existing data protection settings and powerful de-duping tools mean that you already have a system in place that enables you to comply with the coming GDPR legislation. Not yet using Khaos Control to power your multichannel business? Then get in touch today and learn how you and your business are missing out.