By 25th May 2018, all companies must be compliant with the new GDPR (General Data Protection Regulation). That deadline is fast approaching, so make sure you are travelling in the right direction.

Complete data audit

Retailers should complete an audit and document what data they hold, where it came from, how they use it and with whom they share it. You should only keep personal data that you need for lawful processing. You need to keep it up to date, keep it secure and delete it when you can. Retailers will need to be able to justify sharing the data they hold with third parties and cannot share it outside the European Economic Area (subject to some exemptions).

Secure customer consents

Your customers should be provided with a detailed “fair collection notice” when their data is first being collected. Consent needs to be a positive “opt-in” indication of agreement to personal data being processed.

You can only rely on consents given prior to 25 May 2018 if they were GDPR-compliant when received. If you didn’t get a positive opt-in for your current data, then you won’t be compliant. Your customers can request to receive a copy of all the information you hold on them (via a Subject Access Request). Make sure you have a system by which you can provide this within a month’s timeframe.

Your customers need to know they have a right to withdraw their consent and they have a right to rectify and restrict the data you have on them. If they are unhappy with how their data is handled, then they have a right to complain to the Information Commissioner’s Office (ICO).

Review policy and security

Review your current privacy policies. You will need to explain the legal basis for holding the data you have and how long you plan to keep it. Policies and procedures need to be kept up to date.

You need to have appropriate security to protect the personal data you hold, to ensure it isn’t lost or inappropriately accessed. Check your IT and physical security policies.

You are obligated to notify the ICO of a data breach within 72 hours, so make sure you have a policy in place in case this happens.

Train staff

Once you have your policies in place, ensure your staff understand their responsibilities to keep personal data secure. Personal data needs to be treated with care and only used in appropriate ways.

Ongoing things to remember

Changes apply to all UK businesses and the deadline for having your processes in place is 25 May 2018. Penalties for non-compliance will be introduced after this date and are going to be high, with a maximum fine of up to £18m or 4% of an organisation’s global turnover.