Why should we care about data protection and privacy compliance?
Businesses in the retail, leisure and hospitality sectors hold and use various types of personal data: This includes employee and HR data and customer data (such as CCTV data, loyalty card data, customer databases and marketing lists). These are all examples of personal data which has to be handled in accordance with data protection legislation.
Issues to look out for: We have identified a few areas which are likely to be relevant for businesses in the Retail, Leisure and Hospitality sectors. How do you deal with the following?
- Use of customer data: you should understand what data you have, why you have it, what you do with it and how you store it. Customers also have a right to be told what you do with their personal data.
- Direct marketing: there are additional rules that govern certain types of direct marketing, such as marketing by e-mail, text message and telephone calls, in addition to which GDPR has raised the bar for valid consent. Businesses should also understand how they can lawfully use marketing lists which may have been bought in or shared between groups or connected companies.
- Third party providers: this could include IT providers, contractors, agencies and other suppliers and service providers. If third parties store or handle personal data on your behalf, then there are specific requirements on how you choose and contract with such third parties. You will also have to tell individuals about third party providers who have access to their personal data.
- Data breaches: there are new obligations relating to data breaches, including specific requirements to notify the Information Commissioner's Office (ICO), the UK supervisory authority, within 72 hours of discovery of a data breach, and to notify the affected individuals. Some data breaches (such as unauthorised disclosure of payment details) may result in a risk to data subjects which could trigger these notification requirements. It is essential to have a plan in place in case of a data breach.
Protect your profits: We have all heard about the potential (eye-watering) fines for non-compliance with the data protection laws: up to 4% of your annual worldwide turnover or €20m, whichever is the higher!
Protect your reputation: More importantly, we have seen the negative press coverage when organisations get it wrong, which can be very damaging to an organisation's reputation and goodwill (Data Analytics and British Airways come to mind!).
Compliance is a sell: Good data governance and compliance are easy sells to customers.
How can we help?
We can help businesses, both controllers and processors, in a number of ways to suit the needs of your business:
1. Data protection audits: To work towards compliance you need to know where you currently stand. We perform data protection audits to identify any compliance gaps in your processes and recommend compliance solutions using a 'traffic light' coded action plan. As part of this process, we help clients to 'map out' their data flows, which forms the basis of a business's record of processing activities (which means that, from the assessment we undertake, you are already on your way to meeting compliance requirements).
2. Training: Key to compliance is awareness.
Online training: We provide online training for employees and managers on a subscription basis. This is a useful tool for reaching large audiences quickly at a time and place that is convenient to them and to you.
Face-to-face training: We also provide interactive face-to-face training (on-site or off-site) to allow staff to ask questions and to work through practical examples. This training can either be a general overview of data protection, or we can provide tailored workshops for your needs on key issues such as direct marketing, collecting customer data, employee data and responding to SARs, dealing with personal data breaches, drafting GDPR compliant contracts, etc.
3. Template & tailored documentation:
- Privacy Notices: We can assist with preparing internal privacy notices, aimed at employees and directors, and external facing privacy notices aimed at your customers.
- Privacy Notice Checklist: To help you draft your privacy notices in accordance with the detailed requirements of the GDPR.
- Direct Marketing Flowcharts: To assist you in determining whether or not you can contact individuals and businesses with direct marketing materials (this is an area that caused a lot of confusion in the lead up to May 2018!).
- Legal Basis Flowcharts: To allow you to easily work out when you can lawfully process the personal data you hold.
- Data Protection Policy and Privacy Standard: Let your staff and directors know what is expected of them when they process personal data as part of their role.
- Personal Data Breach Policy and Procedure: If you have a notifiable personal data breach, you only have 72 hours from becoming aware of the breach to let the ICO know. This means that your staff need to be able to act quickly, and a procedure outlining the process for dealing with a breach will assist with this.
- Guidance Tool – Determining Roles of Parties: Before appropriate contractual arrangements can be put in place, businesses need to know what role they play under data protection legislation (sole controller, joint controller, processor, sub-processor, all of the above…) and this guidance tool assists you in determining this.
- Data Processor GDPR Checklist: Before selecting a service provider, it is important that you are comfortable with their security measures (which should at least align with yours), their data protection compliance status, their location, and the sub-contractors they engage.
- Contracts: We provide template data processing and data sharing agreements (for use with partnering organisations) to suit your business, whether by formal contract, or a more informal FAQ/Protocol document. We can also review and update your existing contracts with IT service providers, suppliers, etc.
- Consent: Consent is more difficult to obtain under the GDPR and also brings with it new rights in favour of the individual, placing new requirements upon businesses. We can assist you with ensuring that your consent requests are valid, and advise you when consent is not the most appropriate legal basis to rely on and what other options are available to you.
- DPO Advice Note and Questionnaire: Understand if you need a Data Protection Officer (DPO) under the GDPR and document your assessment and decision making (data protection accountability is all about good record keeping).
- Template DPIA: If you are implementing a new procedure or project (e.g. new HR and payroll software, loyalty card scheme or CCTV system) that is likely to result in a high risk to the rights and freedoms of individuals, then you must carry out a Data Protection Impact Assessment (DPIA).
- Procedure for Data Subject Rights: A request from an individual can go to anyone in your business; it can be made verbally, and the individual does not need to expressly state that he/she is making a request to exercise a data protection right. To ensure that all your staff know how to identify and deal with these requests, it is important that a clear procedure is in place.
4. Tailored advice and assistance
As well as assisting you to ensure that your documentation meets the requirements under data protection law, we can also provide advice and assistance on all matters related to data protection and privacy, and have assisted a number of clients in the Retail, Leisure and Hospitality sectors with tailored advice on many practical areas, including:
- direct marketing
- privacy notices
- monitoring and tracking employees
- intra-group data transfers
- personal data breaches
- data sharing arrangements
- international transfers
We provide advice and assistance on all matters relating to international data transfers, whether this is within a group structure or simply as part of the provision of services. We can assist you to ensure that your international transfers are carried out lawfully, and we regularly advise on matters such as Standard Contractual Clauses and joining the EU-US Privacy Shield. If your business requires guidance on particular jurisdictions, we can assist you in getting that guidance through our worldwide network of data protection experts.