GDPR

The GDPR is a regulation drawn up by the European Parliament, the Council of the European Union and the European Commission to give citizens more control over how their personal data is used online. 

According to the European Commission, "personal data is any information relating to an individual, whether it relates to her or his private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." The GDPR applies in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation - instead, it will apply automatically.

Individual's Rights Under GDPR

There are seven main principles governing the use of personal data in the new regulations, these are as follows:

  • The right to be informed: Companies must supply concise, transparent and easily accessible information about the way that it processes personal data. This must be written in clear and plain language, and be free of charge to access.
  • The right to access: Under the new regulations, individuals have the right to obtain access to their personal data.
  • The right to rectification: Where data is inaccurate or incomplete, individuals are entitled to have their personal data rectified. If this data has been disclosed to third parties, they must also be informed of the change.
  • The right to be forgotten: This part of the regulations does not provide an absolute right to be forgotten, but introduces a right for individuals to have personal data erased in specific circumstances, such as when there is no longer a legitimate interest in the data being used.
  • The right to restrict processing: Companies are required to restrict the processing of personal data when an individual has objected to that processing on the grounds of it being inaccurate or gained through illegitimate means
  • The right to data portability: Companies must make personal data available for individuals in a way that makes it easy for them to move, copy or transfer their data from one platform to another. An example of a format that this data could take is a CSV file (commonly used in Excel).
  • The right to object: Individuals have the right to object to direct marketing and processing for purposes of research and statistics gathering.

In many cases, the General Data Protection Regulations build upon the existing data protection laws that are already in place in the UK, but there are some additional things that retailers need to be aware of to ensure that they comply with the GDPR regulations primarily around the legitimate means for data processing. 

Collecting and Using Data

There are six available lawful bases for data processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose. Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.  You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason. Also, your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

Of the six lawful bases for processing, the ones most likely to apply to retailers are: 

Consent: If you are using consent as a basis for collecting and processing data, that consent needs to be explicit and specific about what consent is being given for. For example, pre-ticked boxes or 'consent by default' are not acceptable under the regulations. More details about the specifics of consent as a means of processing data are available here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

Contract: You can process personal data if you need to do so to fulfil your contractual obligations to them, or if they have asked you to do something before entering into a contract (for example providing a quote for a tender process).  More details about the specifics of using a contract as a means of processing data are available here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/

Legitimate Interest: Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.  More details about the specifics of using legitimate interest as a means of processing data are available here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

Print Communications (Marketing)

The ICO published information in January this year relating to print communications or direct mail for marketing purposes. The statement from the ICO says: “You won’t need consent for postal marketing… you can rely on legitimate interests for marketing activities if you can show how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object." 

CCTV

The ICO is currently drafting specific guidance on the use of CCTV. However, they have advised that the regulations will closely reflect what is already in place in their CCTV Code of Practice. This Code of Practice is available here: https://ico.org.uk/media/for-organisations/documents/1542/cctv-code-of-practice.pdf. You do not need to get explicit consent from people that appear on your CCTV in store, as legitimate interests and rules around criminal offence data apply. 

With regard to subject access requests for CCTV data, if you do not have the software or the means available to be able to isolate the individual's data (images) being requested, you can refuse the request on the basis that complying will put other people's personal data at risk. 

Resources

GDPR Guide for Microbusinesses: The ICO has published a short guide with eight practical steps for retailers to take in advance of the GDPR regulations. This is available here: https://ico.org.uk/media/for-organisations/documents/2258293/eight-practical-steps-for-micro-business-owners.pdf

Frequently Asked Questions: The ICO has a list of Frequently Asked Questions from small retailers with concerns. The FAQs are available here: https://ico.org.uk/for-organisations/business/general-data-protection-regulation-gdpr-faqs-for-small-retailers/

In-Store Training: Bolt Learning have produced two modules for retailers on complying with the GDPR regulations (one general, one more detailed for designated Data Protection Officers). For more information about how to access the modules, please visit https://www.boltlearning.com

Further Information

If you have specific questions about the impact of GDPR on your business, you can find help in the following places: 

The ICO have set up a helpline for businesses, where questions can be asked about the specifics of the regulations. The helpline number is 0303 123 1113

If you would like legal advice on the specifics of the GDPR regulations and how they apply to your business, contact Fraser Brown Solicitors via ACS on 01252 515001.