Retailers that do business in the European Union are settling in to the new normal of operating under the privacy and security provisions of the General Data Protection Regulation. In the early days, retail IT teams paid significant attention to the structure of their back-end systems, trying to understand how to modify them to meet GDPR requirements.
With most of that work in the rear-view mirror, organizations are now shifting their attention to understanding the different consumer rights afforded under the regulation. Let’s take a look at four specific requirements: obtaining and tracking consumer consent; fulfilling requests to access information; complying with the right to be forgotten; and discarding unnecessary data.
Obtaining and Tracking Consent
One of the fundamental principles of GDPR is that organizations must obtain explicit consent from consumers before collecting, using or sharing personal information about them. While this sounds straightforward, the implementation details become tricky. Most retailers understand that they should obtain consent when a user creates a new account, but they might not know that this consent must be periodically renewed. GDPR doesn’t offer a prescriptive time period for these renewals, but the general idea is that consent must be renewed whenever there is a change in data handling practices or a break in the continuing relationship between a consumer and the retailer. To play it safe, retailers might consider implementing a standardized six-month consent renewal process.
Complying with the Right to Access Information
Under GDPR, consumers have the right to access any personal information that retailers maintain about them. In most cases, customer requests are satisfied by the existing systems that retailers use to provide customer information, such as the My Account section of a website. However, retailers must also provide access to the internal information they track about individual consumers, such as user activity on websites that’s used to build customer profiles.
Implementing the Right to be Forgotten
The right to access information has a companion right — the right to be forgotten. Retailers must provide consumers with a mechanism to instruct the retailer to remove any personal information about them from the retailer’s records. The key here is understanding that this affects only the personal information of consumers. Retailers may choose to implement this right by maintaining placeholder accounts that have the personal information redacted to a point where the individual consumer is no longer identifiable (a practice commonly known as pseudonymization). This approach offers a balance that protects consumer privacy while preserving the integrity of business records.
Discarding Unnecessary Data
Another big change under GDPR: Retailers may retain information only as long necessary to meet the purposes for which the consumer consented. When that original purpose is no longer relevant, the retailer must either obtain renewed consent or discard the information. Of particular note, retailers may not retain information for the sole purpose of being able to react to a potential future request. This is a departure from the past practices of retailers, who typically opted to preserve as much information as possible in the interests of customer service and business analytics.
This blog post brought to you by: