Fashionably GDPR

The Data Protection Directive is so last year. 2017 is all about the GDPR…

The GDP what?

GDPR deals with updates to EU laws on data protection and the more stringent rules to be imposed on anyone processing data in European member states. This post explains the changes in more detail and why fashion businesses should take note.


To ensure your data protection fashion house is in order, read on…

I’m in fashion, why should I care?

So why should a fashion business care about changes to laws on data protection? Well, almost all fashion businesses will collect information, or “personal data”, from individuals, the most obvious example being consumer data collected through online sales. How many times have you personally made an online purchase requiring you to provide endless personal details such as your name, address, email address and possibly your date of birth? All of this is YOUR valuable personal data. How companies use that personal data is now even more strictly regulated than before.

Companies and individuals who do not handle this data in line with the new rules could be faced with a fine of up to 4% of their global annual turnover, or €20,000,000, whichever is higher. Wow, and that’s not all…

Businesses that don’t get it together also risk legal action from the individuals whose personal data they are using, since the GDPR gives EU residents direct rights to lodge complaints, obtain court orders and compensation. Aside from this, if what is known as a “data breach” occurs (for example, huge amounts of customer data being lost or falling into the wrong hands) as a result of a failure to follow these rules, then the negative press that would likely follow could be detrimental to the business.


Avoid the headaches of having to deal with a data breach and ensure your business is ready

So now I have your attention, let’s talk about what you need to know and how to avoid these nasties.

What exactly is GDPR?

We lawyers love an acronym, so for anyone who isn’t a mind reader, the “GDPR” stands for the General Data Protection Regulation. Essentially, it’s an updated version of the old EU data protection system. The GDPR refreshes the rules that must be followed by any organisation that processes (that is to say, uses in any manner) EU residents’ personal data and is aimed at giving people more control over that personal data.

Need to Know

Here are some main points you need to consider to get your data protection swag on:

  • Processors on the hook

To date, data controllers (those who have control over how data is stored, transferred or used) have been the party responsible for the safeguarding of individuals’ data, even where they instruct a third party to process data on their behalf. The changes ensure that not just controllers, but also processors (the third parties who are merely processing the data on behalf of the controller) share responsibility where appropriate.

This means that if for example you’re a data analytics company, reporting on certain data trends occurring among clientele of fashion royalty Chanel, then you, not just Chanel, could be on the hook. If by using Chanel’s data, containing personal information of Chanel customers residing within the EU, a data breach is committed through your failure to follow the GDPR then you will be responsible. This would be the case even where Chanel has ultimate control over how the data is processed.


Know your responsibilities as a data processor, it could be you on the hook!

So if you process personal data for customers, you need to start looking at your contracts with those customers. Equally, if you pass on any personal data of your individual customers, for example, for credit checking, then you should already have been making sure that your processors are aware of their obligations.

  • A right to be forgotten

An individual will have the right to insist that controllers delete data about them, to the point where it cannot be recovered. However, it’s important to note that this right only applies where the controllers have no conceivable need to retain the information. The old regime did place an obligation on controllers to delete personal data no longer needed, but under the new rules individuals have more clout to ensure this is done.

This can be costly for a business if its software doesn’t currently have the ability to erase data to the point of no return. If you’re savvy and are already thinking about updates to your software, you might want to start enquiring about this with your developer now.


Be prepared and implement compliant systems early doors

  • Are you giving users enough information?

You will need to provide more detailed information about your data processing, for example, where it is going, what it’s used for and how long you intend to keep it. This information needs to be communicated clearly, in an easy-to-read and easily accessible format, written in a way that can be understood by the people targeted by the organisation collecting and processing their data.

The practical effect of this is that privacy policies, as found on every website, will need to be drafted more carefully and often tailored to a specific audience.

  • Obtaining consent

Under the GDPR, consent to the processing of personal data must be freely given, specific, informed, unambiguous and displayed by a statement or by a clear and positive action.

Under the old regime, an organisation could rely on what was known as an “opt-out” mechanism, i.e. on the presumption that where an individual does not contact it to say they wish to opt out of data processing, a simple privacy policy displayed clearly on the organisation’s website would do. This is no longer the case. Consent now has to be explicit, so nothing short of an “opt-in” tick box will suffice. Individuals also have the right to withdraw consent or opt out at any time.


Don’t stand around relying on opt-out mechanisms. Take action now and ensure your websites offer opt-in tick boxes

Brexit

No legal update would be complete without a comment on the effects of Brexit…

You might think, “bingo! We’re leaving the EU, surely if I’m a UK company, then this doesn’t apply to me?” WRONG! Any business, regardless of whether it is based in the EU or not, will still be expected to comply with the GDPR if it processes the data of an individual residing in an EU member state.

So nice try, but if your customer base includes EU nationals then these rules still need to be followed to the letter!

What’s Next?

You have until the 25th of May 2018 to comply with the GDPR. That might seem ages away, but in reality there’s heaps to do to get your data protection house in order. You’ll need to analyse your data flows, understand where there are gaps in the business that contravene the new rules and put systems and processes in place to overcome them.


Preparation is key!

The sooner you start the easier it’ll be, so what are you waiting for!?

This post highlights just a handful of the issues that need to be considered under the GDPR for fashion businesses. For more information or specific advice, don’t hesitate to get in touch via the contact me page above!
