Last week, as part of Olswang’s GDPR readiness and Talking Retail webinar series, lawyers from the firm’s data protection and retail sector teams hosted a webinar looking at the implications of the GDPR for the use of data by the retail industry during an online transaction. In this session our speakers looked at the following:
- Targeted and non-targeted advertising
- Privacy policies
- Processing customer payment details
- Post purchase analysis
- Data breaches
- GDPR implementation
The webinar was hosted by Katie Nagy de Nagybaczon, a partner in the Corporate Team, who focuses on the retail, eCommerce and technology sectors. The two speakers were:
- Sven Schonhofen, an associate in the Commercial Team of the Munich office. He specializes in advising clients in all areas of IT law, in particular on data protection law.
- Emily Dorotheou, an associate in the Commercial Team who has experience of working on procurement, technology and logistics contracts for a variety of retail and technology clients.
Please follow this link for the webinar recording. Please note that due to a technical error, there is a pause in the recording between 18:10 minutes and 19:50 minutes. Please use the slider to fast forward through this break in the audio.
See below for a transcript of the session.
*Disclaimer: like all posts on Datonomy, we hope you find this useful; however, nothing on this site should be construed as legal advice.*
General introduction – applicable laws
Emily: In the UK, companies are currently subject to the Data Protection Act 1998, which implements the EU Data Protection Directive, and the Privacy and Electronic Communications Regulations (PEC Regs). The EU Data Protection Directive is due to be replaced by the General Data Protection Regulation (GDPR) with effect from 25 May 2018. The GDPR governs the use of data of European citizens. Now despite the result of the June referendum, the government has confirmed that the UK will be implementing the GDPR, as we will continue to be a member of the EU in 2018. A “Great Repeal Bill” has been promised, through which all European laws will be transposed into English law on the day of exit, and then some laws will be kept, amended or removed altogether. So there’s a question over how the GDPR will look post Brexit and if companies will need to stop complying with the GDPR altogether. The UK’s Information Commissioner has acknowledged this uncertainty but has said that these concerns should not distract from the task of complying with the GDPR by 2018.
What’s the message for retailers?
Emily: UK retailers will need to comply with the GDPR if they wish to continue trading with or conduct profiling of European based customers. The message seems to be to keep calm and carry on preparing for the GDPR. As we know, capturing and using customer data is of vital importance to businesses as data is used to make a variety of decisions. Specifically within the retail and e-commerce sectors, data underpins a product’s journey from seller to a consumer and influences the marketing of products, which, if done successfully, can greatly enhance the value of the company’s brand.
Sven: In order to identify what product to sell and how to sell it to customers, sellers may choose to track customers’ browsing habits, identify what items are bought, placed in shopping baskets and which adverts customers respond to well. Once they’ve done this, companies can gain an idea of an individual’s profiles, their behaviour and predict their personal preferences.
How will the law around targeted and non-targeted advertising change under the GDPR?
Under the GDPR, this level of data processing and automated customer profiling does present an elevated level of risk. Companies need to be clear from the outset about the benefits and aims of this level of profiling, as well as the impact on individuals’ privacy.
Sven: However, as if companies do not have enough to worry about with the GDPR, the European Directive (the ePrivacy Directive), which underpins the PEC Regs, is also undergoing reform. The reform has come about due to the need to align the ePrivacy Directive with the GDPR and to tackle developments in technology (such as instant messaging). Just by way of example, “consent” for direct marketing is one of the areas where we can expect change. The ePrivacy Directive requires a customer’s clear consent before a company can send them any direct marketing. However, the GDPR currently states that one of the ways in which data processing will be lawful is where it “is necessary for the purposes of the legitimate interests” of the data controller (i.e. the seller) except where such interests are overridden by the rights of the data subject. The GDPR recitals then give direct marketing as a potential example of pursuing legitimate interests.
So already there’s a slight disconnect between the GDPR (where you may not require consent) and the ePrivacy Directive where you very likely need consent. We’re therefore expecting “consent” to be one of the areas which changes, following the ePrivacy Directive’s reform.
When can we expect to know more about the ePrivacy Directive changes?
Sven: The European Commission’s public consultation ended in July 2016 and so we expect to hear further from the Commission about the changes in this space. In the meantime, the message to everyone is to not change your direct marketing processes just yet, but to remain on the lookout for future developments in this area.
Customer logs onto website
Sven: Online purchases have been a robust trend for some time now and so sellers will need to ensure that their websites are suitably presented and operated to take advantage of our love for online shopping. Websites need adequate cookie banners and privacy policies, clarifying the use of any customer data by the seller. Their privacy policies should make clear what cookies are being used, how intrusive these cookies are and the nature of the data that is collected. Sellers should also make clear how they propose to use any personal data collected from customers.
Will this change under the GDPR?
Emily: Under the GDPR, privacy policies must contain the prescribed list of requirements set out at Articles 12, 13 and 14 of the GDPR (such as the period of data retention). Companies need to also provide customers with a clear and transparent explanation of how their data will be processed, and allow customers to give their consent. The ICO has recently suggested that businesses should first map out how information flows through their organisations to help them decide what needs to be included in their privacy policies.
Sven: Under the GDPR, “consent” must be a clear and unambiguous indication of the customer’s wishes, and can either be in the form of a statement or a clear affirmative action which indicates the customer’s agreement to their personal data being processed. There’s a higher “consent” threshold to achieve if you are processing sensitive data (such as religious beliefs, biometric data or political opinions) or are performing any form of customer profiling. Here “explicit” is required.
What will constitute a “clear and unambiguous indication” that a customer agrees to the privacy and cookies policies?
(i) what constitutes an affirmative action, and
(ii) what will happen if customers give consent (i.e. scope and consequence of data processing).
Now “affirmative action” could be anything from ticking a box to clicking a button to engaging with the webpage.
How can companies best tackle this?
Emily: One way to tackle this is by providing an explanation of all the different types of processing which happens and allow users to simply indicate whether they agree to each type of processing or not. You can do this by using an un-ticked opt in box or a Yes/No button for each reason. A privacy dashboard is quite a good way of presenting these various processing options and can be used by users to alter their consent settings.
If privacy and cookie policies start becoming quite long in their explanations about how data is collected and used, is there a danger they could end up actually being more unclear than clear?
Emily: Yes, that is a danger! The ICO in its most recent consultation on privacy notices acknowledged that quite a few people flagged the potential conflict between providing the extra information but meeting the GDPR’s requirement for clarity.
What can companies do to try and best balance the need to provide information with the need to maintain clarity?
Alternatively companies can think about using “just in time” notices. These give a message when the user provides information, about how that information will be used. For example, if a customer provides her email address as part of an online transaction, a “just in time” notice could pop up explaining that the email address will be used to provide confirmation of the order, with a link to further information if the customer wants to know more.
Finally, companies need to consider how people will view the privacy notices from portable devices to ensure that the notices remain readable. The layered approach is likely to work best here, given the smaller space which companies have to display their information.
What will happen to consents that have been collected under the current legal regime once the GDPR enters into force?
Sven: In Germany, we have received some guidance on the recycling of consents under the GDPR by the Düsseldorf Circle, which is a committee of German data protection authorities. The resolution states that “in principle” consent collected under the Data Protection Directive will remain valid if the manner in which the consent has been given is in line with the conditions of the GDPR. The resolution points out that it is not necessary that the extensive obligations on providing information to the data subject in Article 13 of the GDPR were fulfilled at the time the consent was obtained. It also highlights that consents do not remain valid if they were not freely given or if the age requirement was not met. The resolution is comforting for companies that have obtained German-style consents in the past. However, it also leaves questions open. We therefore recommend that companies should now update their consent language to fully meet the requirements under the GDPR.
Customer purchases product
How do sellers currently process customer payment details in order to complete the transaction?
Emily: At the moment sellers can rely on the second condition for data processing which is that it is necessary for the performance of a contract (i.e. without the customer’s financial and personal data being processed, the customer will not be able to complete the transaction). Sellers can also rely on the reason that processing such data is pursuant to their necessary legitimate interests (i.e. for fraud prevention purposes). Therefore, customer consent is not required.
Will this change under the GDPR?
Emily: No, sellers can still rely on these reasons under the GDPR. However, as there are direct obligations on data processors under the GDPR, sellers will have to ensure that their agreements with payment processors are GDPR compliant. For example, Article 28 sets out a list of requirements that need to be included in a contract between a data controller and processor, such as the duration of the processing and the type of personal data.
Sven: As these obligations kick in where any processing is carried out on behalf of a controller, these requirements will affect not just payment processing providers but also other processors, for example hosting providers. It may therefore take a bit of time for sellers to work through their relevant supplier contracts to see if their payment processing agreements need to be updated, and so we’d suggest that companies start doing this as soon as possible.
Post purchase analysis
Emily: This is often referred to as “big data analysis” and involves processing large volumes of information and using algorithms to detect trends and correlations. Currently in the UK, to perform a “big data analysis”, the seller needs to make sure that the processing is fair and lawful. “Fairness” is partly about:
(1) how the data is obtained (and how transparent sellers are about its proposed use), and
(2) whether the use of the personal data is within the reasonable expectation of the individual.
Is the extent to which sellers are transparent about their proposed use of customer data achieved by how clear their privacy policies are?
Emily: Yes, that’s correct. Sellers need to be transparent not just to comply with current legal requirements but also for reputational reasons. There are quite a few examples of how this can go terribly wrong for sellers, most notably the US retailer Target and its marketing of baby related items. It’s also been reported that many customers prefer not to give any personal data to retailers, believing that large scale data collection and analysis is “creepy”. Sellers therefore need to find the right balance between data collection and transparency.
How can sellers go about analysing customer data on a large scale in compliance with the current regulations?
Emily: Sellers have to make sure that customer consent is freely given, specific and informed for this analysis. People must be able to understand what the organisation is going to do with their data and there must be a clear indication that they consent to it. If a company collects personal data for one reason and then starts to analyse it for completely different reason, it needs to make its customers aware of this and maybe seek fresh consent. Companies should also give customers the opportunity to withdraw their consent for their data to be processed.
Does this change under the GDPR?
Emily: Yes, as the GDPR places a notable emphasis on transparency. In order to best prepare, sellers need to be clear about how, when and why they use customer data. This may take time to do, as companies may not necessarily have all this information at their fingertips. In fact a study in September 2016 found that 71% of retailers surveyed did not always know where their customer data is located. A privacy impact assessment is a good way to approach this issue, as it will help identify where data is located.
As mentioned, once companies have got a clear picture of how they use customer data, they would need to communicate this to customers through their privacy policies.
What are the risks for sellers with regard to data breaches, and what action should they be taking?
Sven: The level of fines is definitely a risk for companies under the GDPR. I think everyone is probably aware of the terrifying prospect that a company could face fines of €20 million or up to 4% of worldwide turnover, whichever is the greater, for certain breaches of the GDPR and €10 million or up to 2% of worldwide turnover, whichever is the greater, for security breaches. It remains to be seen if the authorities will actually use the entire scope of fines that has been provided.
A Retail Week survey in 2015 found that 15% of surveyed retailers confessed that they had lost customer data more than four times, and more than a fifth of retailers had been hacked. Companies therefore need to have sufficiently robust systems in place to prevent data breaches. Once companies have a data breach plan in place, it is imperative that they continuously review and update it. It is also important that companies actually understand their security tactics and are prepared to implement their plans; not just viewing having a sufficient data breach plan as a part of a tick box exercise.
The GDPR also introduces rules around how companies must respond to data breaches (for example, breaches must be reported to the appropriate authorities within 72 hours and to the data subject without undue delay, where the breach is likely to result in a high risk to the rights and freedoms of the data subject in order to allow him or her to take the necessary precautions). Companies therefore need to properly brief and prepare their various internal teams, and not just rely on their PR teams and lawyers to handle actual, or potential, breaches.
Are there any other ways in which retailers need to be prepared for the GDPR?
Sven: Companies need to become comfortable with the new data subject rights that are introduced by the GDPR, such as the “right to be forgotten”, “right to restrict processing” and “right of data portability”. This means having processes in place to notify any third parties, that have received customer data, that the customer has exercised this right, and maintaining clear systems to capture and control customer data. If companies don’t have these sorts of systems in place, they may waste countless hours searching to locate the data of those customers who have exercised their new rights.
Emily: Companies should also embrace “privacy by design” as early as possible. If a company wants to launch a new initiative (such as a new promotional campaign), using “privacy by design” will help to identify any data risks, solutions and workarounds. A privacy impact assessment is a good place to start to embrace “privacy by design” as it will help identify the unforeseen uses of information, what steps you can take to mitigate these risks and whether the risks are then eliminated, reduced or accepted.
Sven: Companies need to also be able to demonstrate compliance with the GDPR requirements (known as the “accountability” principle). Therefore companies will need to keep records of their processing activities (purposes of processing, categories of data, details of international transfers) which will be quite time consuming to manage. Finally companies may also need to appoint a data protection officer if they are planning to carry out large scale systematic monitoring of individuals (e.g. online behaviour tracking).
Emily: Finally retailers should not be scared of the GDPR. Yes, digesting all of the new regulation may be overwhelming however, retailers should take this as a good opportunity to review their internal systems. Doing so may generate a daunting to-do list but retailers are strongly urged to start this process now and use it as a learning opportunity.
What should the process of companies getting ready for the GDPR look like?
Sven: We suggest a GDPR implementation process in four phases:
First, companies should capture the status quo. In this phase companies should assess their resources and determine a timeline for the implementation process. Companies should use questionnaires to identify all relevant data processing measures in the company and to obtain relevant documentation.
The second step is the gap analysis in which companies need to identify the gaps that need to be filled to become GDPR compliant and assess potential risks.
The fourth and final step is the validation phase. Companies should start getting ready for the GDPR now if they haven’t done so in the past. You only have 540 days left until the GDPR enters into force. However, if we get rid of all the weekends and holidays, there are only 367 days left until May 25, 2018 and that is not a lot of time! We run a series of webinars on the GDPR which offer further information and guidance on getting ready over this next year, so please do take a look.
Does harmonisation mean that multinational companies do not have to look at national data protection laws anymore?
Sven: Unfortunately the answer is “no”. While the GDPR will be binding for all member states, it does not really provide the full harmonization that everyone was hoping for. Various opening clauses provide member states with the option to introduce additional national provisions to further specify the application of the GDPR. The German Federal Ministry of the Interior has been among the first legislators to draft such an act to supplement the GDPR. This new German Data Protection Act includes additional provisions regarding data protection officers, the rights of data subjects, data processing in the context of employment and fines. We expect to see draft acts become public in other member states soon. Companies that want to get ready for the new data protection regime should therefore not only focus on the GDPR, but on national laws that will be introduced in the next 18 months as well.
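The consent mechanics discussed in the session (un-ticked opt-in per type of processing, a higher “explicit” threshold for profiling or sensitive data, the ability to withdraw consent from a privacy dashboard, contract performance and legitimate interests as bases that need no consent for payment and fraud checks, and a record of processing activities for accountability) can be made concrete in a small per-purpose consent ledger. The code below is an added illustration written for this post; it is not code from the webinar, from Olswang or from any regulator, and the purposes, lawful-basis labels, customer identifier and event sources are all constructed for the example.

```python
"""Per-purpose consent ledger (added illustration; not from the webinar).

Models the transcript's points: consent is opt-in (nothing ticked by default),
recorded separately for each processing purpose, withdrawable at any time, and
must be "explicit" for profiling; payment and fraud checks rest on other lawful
bases and so need no consent. All purposes and events are constructed here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Basis(Enum):
    """Lawful bases mentioned in the session (labels constructed)."""
    CONSENT = "consent"
    CONTRACT = "performance of a contract"
    LEGITIMATE_INTEREST = "legitimate interests"


@dataclass(frozen=True)
class Purpose:
    description: str
    basis: Basis
    needs_explicit_consent: bool = False  # profiling / sensitive data


# Hypothetical purposes for an online shop (constructed for this example).
PURPOSES = {
    "payment": Purpose("process card details to complete the order", Basis.CONTRACT),
    "fraud": Purpose("fraud prevention checks", Basis.LEGITIMATE_INTEREST),
    "newsletter": Purpose("email marketing", Basis.CONSENT),
    "profiling": Purpose("behavioural profiling for targeted adverts",
                         Basis.CONSENT, needs_explicit_consent=True),
}


@dataclass
class ConsentEvent:
    purpose: str
    granted: bool
    explicit: bool      # True only for a dedicated affirmative action on this purpose
    at: datetime
    source: str         # e.g. "checkout opt-in box", "privacy dashboard"


@dataclass
class ConsentLedger:
    customer_id: str
    events: list = field(default_factory=list)   # append-only audit trail

    def record(self, purpose, granted, explicit, source, at=None):
        """Append a consent decision; the history is kept, never overwritten."""
        if purpose not in PURPOSES:
            raise KeyError(f"unknown purpose {purpose!r}")
        when = at or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(purpose, granted, explicit, when, source))

    def current(self, purpose):
        """Latest decision for a purpose, or None if the customer never chose."""
        for ev in reversed(self.events):
            if ev.purpose == purpose:
                return ev
        return None

    def may_process(self, purpose_key):
        """Return (permitted, reason) for one purpose under the recorded state."""
        p = PURPOSES[purpose_key]
        if p.basis is not Basis.CONSENT:
            return True, f"lawful basis: {p.basis.value}"
        ev = self.current(purpose_key)
        if ev is None or not ev.granted:
            return False, "no consent recorded (opt-in boxes are un-ticked by default)"
        if p.needs_explicit_consent and not ev.explicit:
            return False, "explicit consent required; only a general consent is recorded"
        return True, f"consent given via {ev.source} at {ev.at.isoformat()}"

    def withdraw(self, purpose_key, source="privacy dashboard"):
        """Withdrawal is just another recorded decision, so it is auditable too."""
        self.record(purpose_key, granted=False, explicit=True, source=source)

    def processing_record(self):
        """Accountability snapshot: basis and current permission per purpose."""
        return {k: {"basis": p.basis.value, "permitted": self.may_process(k)[0]}
                for k, p in PURPOSES.items()}


if __name__ == "__main__":
    ledger = ConsentLedger("cust-001")                     # constructed id
    ledger.record("newsletter", True, False, "checkout opt-in box")
    ledger.record("profiling", True, False, "general policy acceptance")
    for key in PURPOSES:
        print(key, ledger.may_process(key))
```

Accepting the privacy policy as a whole is deliberately not enough for the profiling purpose: only an event flagged `explicit` (a dedicated affirmative action for that purpose) unlocks it, while the payment and fraud purposes are permitted without any consent event because they rest on the contract and legitimate-interest bases the speakers describe.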