The collection and use of personal data is a daily occurrence for fashion businesses. Personal data is processed when, for example, a consumer logs in to their online account, makes a purchase online, or is sent promotional material by the retailer. Personal data can be, and is increasingly, used by brick and mortar and online retailers to try and stay ahead of their competitors by tailoring their offers and promotions to their customers.
The General Data Protection Regulation (“GDPR”), which has been designed to enable individuals to better control their personal data, will come into force on 25 May 2018. A key principle of the GDPR is greater transparency as to how businesses are using personal data, with substantial fines for failure to comply. The maximum fine under the GDPR is Euro 20 million or 4% of annual global turnover, whichever is greater.
However, despite the GDPR being on the horizon for the past two years, according to a recent survey conducted by the Federation of Small Businesses just 8% of small enterprises are ready for the GDPR. One in three respondents had not started preparing for the GDPR, and a further third said that they were in only the “early stages” of planning.
Whilst the requirements of the GDPR may seem insurmountable to some, the GDPR should be treated as an opportunity to step back and review all data processing practices. Furthermore, by being transparent about data practices and communicating to customers and potential customers how and why personal data is used, retailers can earn greater creditability.
What should retailers and brands therefore be doing as a priority?
Common areas which should be considered include:
The GDPR comes into force in eight weeks’ time – less than 40 working days! The GDPR may require significant changes for many businesses, some of which will require substantial lead time. With the threat of hefty fines, compliance should be treated as a high priority. However, the Information Commission has been at pains to emphasise that 25 May 2018 will not usher in an era of punitive action against small businesses, stating that “We have always preferred the carrot to the stick. We will use fines and serious sanctions only as a last resort. Our first resort is education and support”. In view of this, perhaps of greater immediate concern to fashion retailers and brands for a failure to comply with the GDPR should be the potential damage to brand reputation.