The retail and fashion business is rapidly changing. Most fashion companies have become publishers (creating new editorial content) and now also data managers (also processing a large number of personal data).
Within this context the EU General Data Protection Regulation, which recently entered into force, will no doubt play a key role, particularly for the retail and fashion companies operating in multiple jurisdictions or making use of new technologies.
The Regulation will finally provide the same set of rules for all EU Member States, thus mitigating the current fragmentation of national data protection laws. This means that there will be less headaches for reviewing the different information notices for the customers in the various European jurisdictions, albeit there will still be a lot of room for local regulations.
The Regulation will apply also to non-EU companies that target EU customers by profiling, or offering products, thus setting up some level playing field for global e-commerce operations. There will be an increased responsibility and accountability on how personal data are processed. Non-compliance could lead to heavier sanctions, up to 4% of the global turnover. Therefore non-EU companies actively selling to (or simply profiling) EU customers can be subject to the above heavy sanctions; such active sale can be identified, for instance, also through e-commerce website sections in local EU languages. Data processors (including non-EU data processors) will also be directly responsible if they fail to meet certain obligations.
There will be increased transparency obligations, with privacy notices including more detailed information. There will also be additional data management obligations (from data breaches notifications -in certain cases also to data subjects – to data portability). Retail and fashion companies will also have to appoint a Data Protection Officer when they are, for example, carrying out large scale profiling of the customer base, such DPO to report to the highest management level.
A privacy impact assessment will be required before processing personal data for operations that are likely to present higher privacy risks. Retail and fashion companies will also have to take the privacy risk into account throughout the process of designing new products or services, and adopt mechanisms to ensure that, by default, minimal personal data is collected, used and retained. An approved certification mechanism can be used to demonstrate compliance with the applicable requirements. This will obviously be very relevant for the wearable technologies projects, but also for most innovative CRM systems and IoT retail applications.
So, what do to? Among other things, retail and fashion companies should verify whether the current collection of consent and subsequent data processing is in compliance with the Regulation requirements, also taking into account the new data protection rights and principles (e.g. transparency, etc.), as well as review the service contracts with third party providers/data processors (including e-commerce platforms). Retail and fashion companies should also set up procedures for the management of the data subjects’ rights (also setting up data registries) as well for data breach and cybersecurity accidents. Policies for implementing the privacy by default and the privacy by design principles, as well as for the appointment of the DPO (with related governance models), should also be considered.
Albeit there is a transition period of two years to ensure compliance, all retailers’ data management decisions should consider the new scenario. For further information on the Regulation, you can also visit the Privacy Matters blog, or our dedicated EU GDPR microsite (see also here on actions to take).
Let us know if you want to further discuss!
Giangiacomo.olivi@dlapiper.com
#thefashionablelawyers
