GDPR: Playing the data game

GDPR. Four little letters that most convenience store retailers will have heard bandied about over the past few months, but may not - as yet - have paid proper heed to.

Well, with the 25 May deadline looming large, now really is the time to sit up and take action, because those four little letters are set to have a mighty big impact on the way in which all businesses, including convenience stores (regardless of size or number of staff), manage and protect all the personal data that they hold, even that of their employees.

In a nutshell, the General Data Protection Regulation (GDPR) will require you and your staff to adhere to a new set of regulatory principles designed to ensure that personal data is captured, used and protected to the highest possible standard. 

The European Commission defines personal data as “any information relating to an individual”, from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Under the GDPR this also includes CCTV stills and moving film, and more.

The impact of the regulations will vary greatly from store to store, depending on how much data a retailer has, or “processes”. Stores with customer loyalty schemes, large numbers of employees, newspaper delivery rounds, and CCTV systems will be harder hit than those without.

At its heart, the GDPR - which is the natural evolution of the Data Protection Act 1998 (DPA) - is all about accountability and transparency, meaning that solid record-keeping to demonstrate due diligence is now a must.

Simon Bishop, director of GDPR Systems, explains: “The DPA was to some degree a tick-box exercise - it was easy for businesses to declare that they understood and abided by the rules without having to think about it too much. The GDPR changes all of that,” he says.

Enforcing it all is the Information Commissioner’s Office, or ICO, which has compiled the following eight simple steps to help small businesses get GDPR ready.

Eight simple steps

Step one: Know the law is changing and make sure all your employees know the law is changing. You then need to understand how this change will affect your business, and identify anything you need to alter to comply. 

Step two: Make and keep a record of the personal data you hold and why you hold it.

Under the GDPR you need to keep records of all the personal data you hold and work with. You need to record all information including:

• What data you hold (names, emails, individuals’ financial information).
• How you got it (a customer form, bought-in marketing lists, staff application forms).
• Why you have it.
• How long you’ve had it.
• Whether you still need it - if not, this is an opportunity to delete it.
• Do you share this information with any other organisations? 

Step three: Identify why you have personal data and how you use it.

Under the new law you must have a valid “lawful basis” to process personal data and must be accountable for and transparent about it. Identifying your reason for collecting and handling personal data will help you identify your ‘lawful basis’. Once you have determined this you should document it and update your privacy notice to explain it.

There are six available lawful bases for processing personal data. According to the Association of Convenience Stores (ACS), the three that are most likely to apply to retailers are:

• Consent: If you are using consent as a basis for collecting and processing data, that consent will need to be explicit and specific about what consent is being given for. For example, pre-ticked boxes or ‘consent by default’ are not acceptable under the regulations.
• Contract: You can process personal data if you need to do so to fulfil your contractual obligations to them, or if they have asked you to do something before entering into a contract.
• Legitimate interest: Legitimate interest is the most flexible lawful basis for processing. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect (such as direct mail for marketing purposes) and which have a minimal privacy impact, or where there is a compelling justification for the processing. 

Step four: Have a plan in case people ask about the rights they have regarding the personal data you hold about them. Information on individuals’ rights under GDPR is available at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.

Step five: Before collecting personal data, tell people why you need it and how you will use it.

At the point you collect personal data from people, you must provide them with certain information, including the identity of your business and how you plan to use their information. You also need to tell people about their rights and their ability to complain to the ICO if they are concerned about how you handle their information.

Your privacy notices must be easy to understand and given to individuals whenever you collect their personal data, both online and offline.

Step six: Security of data. 

The GDPR is much more specific than the DPA 1998 about what you have to do about the security of your data processing, how you should assess your information risk, and the appropriate security measures that you should put in place, such as password protecting and encrypting your electronic devices, installing anti-virus software and using securely locked storage for paper records.

Step seven: Develop a process to make sure you know what to do if you break data protection rules and record it.

Think about the possible breaches that could occur in your business, for example paperwork or IT devices are lost or stolen, malware is used to gain access to your computer systems, personal data is sent to the wrong person, or documents are not disposed of properly, eg not shredded.

Step eight: Don’t panic!

While the risks of non-compliance are severe, with fines of up to €20m, or 4% of turnover, the ICO told C-Store it would rather support businesses in their quest for compliance, than fine them.

“A common myth is that the ICO will be fining organisations large sums for every breach of data protection law. The ICO is here to uphold the information rights of the UK public. We can and do fine organisations, but we have other tools at our disposal to ensure that businesses comply with the law.

“Monetary penalties have been and will continue to be a last resort of our regulatory action - our primary aim is to support businesses to get things right and improve their practices where required.”

GDPR and CCTV

The GDPR also has a number of implications for the way convenience store retailers manage their CCTV systems and data, as Simon Bishop, director of GDPR Systems, explains. He says: “From 25 May CCTV images will need to be treated with the same respect as more traditional forms of personal data.

“Once GDPR comes into force, camera location and purpose will need to be scrutinised and documented in more detail than before, and the purpose of each camera should be very clear.

“Your staff must also be fully informed and trained on all the policies and procedures that the company has regarding the store’s use of CCTV.”

The use of CCTV must be a “reasonable response” to the issue that you are seeking to address: to prevent and record incidents of theft or crime.

The type of surveillance system you choose to use and the location it operates within must achieve the purposes for which you are using it.

Appropriate signage must be in place to inform people that CCTV is in operation and why you are using it.

Under the GDPR individuals whose information is recorded have a right to be provided with that information or, if they consent to it, view that information. Information must be provided promptly.

You should also ensure that the design of your surveillance system allows you to easily locate and extract personal data in response to subject access requests.

It should also be designed to allow for the redaction of third-party data where this is deemed necessary.

Recordings should not be retained for longer than necessary, or more than 30 days.