Part 5 of 10 in our Complete Guide to Secure Remote Access in Retail.
In effect since May 25, 2018, the General Data Protection Regulation (GDPR) is an EU regulation that governs how personal data is lawfully collected and processed from people within the European Union. The EU currently consists of 27 countries (the United Kingdom recently left), but GDPR affects any retailer or organization that manages and/or processes data from EU citizens, wherever it is located. The global impact of GDPR is therefore extensive.
At a time when retailers rely more and more on cloud computing, remote devices, and eCommerce, GDPR and similar regulations have become an important issue for retailers to consider. GDPR's extensive requirements can lead to costly penalties for organizations of any size.
A few of the more recent and prominent violations from major organizations include:
- Google LLC: The Swedish Data Protection Authority (DPA) found Google LLC in violation of GDPR Articles 5, 6, and 17 for failing to comply with its obligation to remove data subjects from search results. Google was fined €7 million.
- Eni Gas e Luce: The Italian Data Protection Authority found Eni Gas e Luce in violation of GDPR Articles 5, 6, 17, and 21 for unlawfully processing personal data for advertising and for activating unsolicited contracts. Across two separate decisions, the company was fined a total of €11.5 million.
- 1&1 Telecom GmbH: The German Federal Data Protection Supervisory Authority (BfDI) fined the telecommunications company €9.55 million for failing to apply proper authentication procedures on its customer helpline, a violation of GDPR Article 32.
No retailer wants to be hit with fines, especially ones this large, so it’s important that retailers not only know what GDPR requires in 2020, but also how to maintain a high level of security across their networks to protect themselves, their vendors, and their customers.
GDPR Global Impact for the Retail Industry
The growth of eCommerce and mobile/device usage has drastically changed the compliance landscape in recent years, prompting more regulations to protect personal data and consumers. From GDPR and PCI DSS to the recently implemented California Consumer Privacy Act (CCPA), regulators are tightening control over the way data is processed.
GDPR is known for being particularly stringent compared to U.S. regulations, which do not treat data privacy as a right. Yet even U.S. retailers that process data in an EU nation are subject to GDPR. This understandably causes confusion and frustration for retailers around the world.
When considering how GDPR affects retailers, keep in mind the seven principles set out in Article 5 of the GDPR:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
In addition to these principles, there are 99 Articles that detail various regulations that apply to both data controllers and data processors. Understanding the roles of controllers and processors is important to data security and compliance as explained in the next section.
What’s the Difference Between a Controller and a Processor in GDPR?
Data controllers are responsible for ensuring that the necessary technical and organizational measures are in place to properly process data in accordance with GDPR regulations. They may implement certain policies to ensure compliance by both the retailer and third parties.
Data processors collect, store and process personal data on behalf of the controller under a contractual agreement. Processors are commonly third parties with which a retailer partners for a variety of functions. Article 28 of the GDPR states that a controller may only use processors that can provide “sufficient guarantees to implement appropriate technical and organizational measures” that meet GDPR requirements.
In some cases, a retailer can be both a controller and a processor, yet the same adherence to regulations applies. Unfortunately, many violations occur due to insufficient communication, contracts, and security protocols between retailers and third parties, so it’s important to clearly delineate responsibilities ahead of any partnership.
4 Tips to Manage GDPR Compliance for Retailers
Retailers have much to think about when it comes to how GDPR affects their business. Compliance considerations can change depending on the type of retailer and where they operate.
Retailers that operate across multiple platforms and devices will have to make far more accommodations to avoid penalties, and will also want to ensure that their vendors are equally compliant. Large retailers in particular need to assess the global impact of GDPR regardless of where they are headquartered. Here are four tips for ensuring compliance with GDPR in 2020.
1. Follow the Conditions for Consent
GDPR in 2020 is very much focused on consent, which is an important part of protecting personal data and making customers feel secure. Article 7 of the GDPR sets out four conditions for consent:
- If a retailer processes customer data, it must obtain consent. To be compliant, the controller needs to be able to demonstrate that the person consented to the processing of their personal data.
- A request for consent must be easily accessible and clearly distinguishable from other information. It needs to be “in an intelligible and easily accessible form, using clear and plain language.”
- A person can withdraw consent at any time, and it should be as easy to withdraw as it was to give. The person must be informed of this right before giving consent.
- “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
On February 27, 2020, Vodafone España, S.A.U., was fined €120,000 for being unable to prove that a person had consented to the processing of his personal data in connection with a telephone contract. The company was additionally fined for unlawfully disclosing the man’s personal data to credit agencies. Here the controller violated the first condition above, which can snowball into further consent-related violations.
2. Third Parties Must Follow Security Requirements
Retailers commonly work with third parties (“data processors”) to run their operations. A third party can be any vendor, from an IT contractor to an HVAC service provider. Although a third party is a separate entity, under GDPR any security issue on its side reflects on the retailer as well and may result in fines for both parties.
Retailers are required to put agreements in place with third parties, such as a service level agreement (SLA), that lay out specific security requirements. Under GDPR, such an agreement must clearly state requirements such as:
- What’s being processed and for how long
- The purpose for processing
- What type of personal data and/or categories of data are being processed
- The controller’s rights
Failing to put such an agreement in place between the controller and the processor is itself a violation, as an unnamed company in Germany learned in 2019 when it was fined €50,000. Investigators found that no written data processing contract had ever been made between the controller and the other company, which breached Article 28.
Agreements should also require that third parties use compliant security controls such as strong encryption, authentication, and audit trails, since data breaches are commonly the result of insufficient third-party security.
Choosing secure remote access tools that go beyond the baseline of GDPR and other regulations will help organizations avoid costly penalties. Fines can reach up to 4 percent of annual global revenue or €20 million, hefty penalties for any retailer.
3. How a Retailer Processes Data Matters
Processing data isn’t just a credit card transaction, but the way a retailer collects, shares, and stores a customer’s personal data. Article 4 of the GDPR defines “processing” as:
“Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Article 5 of the GDPR states that data needs to be processed “lawfully, fairly and in a transparent manner,” meaning that customers can feel assured that their data is being used responsibly.
When it comes to securing personal data for GDPR in retail, organizations are required to implement the necessary “technical or organizational measures” to make sure that all data processing is protected from misuse, loss, or damage.
Cyberthreats like malware are a common problem for retailers and their third-party partners, making it essential that they implement cybersecurity that goes the extra mile, such as using application whitelisting and secure remote access to prevent cybercriminals from infiltrating a network.
In one example from the Netherlands, an unnamed organization was fined €725,000 for violating Articles 5 and 9 of the GDPR because it required staff to use fingerprints to record attendance. The fingerprint data was found to have been processed unlawfully, and the organization could not prove that its staff had consented.
4. Retailers Need to Follow GDPR Notification Practices for Data Breaches
Securing data isn’t the only thing retailers need to be careful about: they also need to notify GDPR regulators of any breach within 72 hours, even if the breach was the result of a third-party failure. Third parties, in turn, are required to report data breaches to the controller in a timely manner.
The notification should include the following information:
- The nature of the breach, including the categories and approximate number of data subjects that could be affected, as well as “the categories and approximate number of personal data records concerned.”
- The name and contact details of the data protection officer or whoever is responsible for disseminating the information.
- The likely consequences of the personal data breach.
- How the controller will address and resolve the breach, including the measures it will take to mitigate any negative effects.
The effects of GDPR on notification have certainly caused retailers problems as evidenced by how many organizations fail to report data breaches. A very recent violation of Articles 33 and 34 in the GDPR showed that the National Government Service Centre (NGSC) in Sweden took nearly five months to notify data subjects of a breach, and nearly three months to inform the Data Protection Authority. As a result, the NGSC was fined €18,700.
Meet Compliance with Impero Connect
While GDPR regulations are extensive, one of the best ways for retailers to protect themselves is with secure remote access. The majority of data breaches, which are often the result of poor compliance, occur because of unsecured remote access.
Retailers, in particular, have to consider the various platforms and devices (like POS systems and card readers) that make up their network. Each of those becomes an attack surface when they aren’t secured. But it can be challenging to find tools that can integrate across networks, devices, and operating systems.
With Impero Connect, retailers get one solution that exceeds the compliance requirements of PCI DSS, GDPR, and HIPAA. Relying on one solution makes networks more secure by letting you manage authentication, encryption, user access, and logging in a single place. That means less stress, less money spent on other tools, and assurance that you’re compliant.
Ready to learn more about our tools for complying with GDPR in the retail industry? Get a free trial of Impero Connect today!