Welcome to the July edition of the Retail and Consumer newsletter

In the last year, the retail and consumer sector has been in the eye of the GDPR storm with customers and employees having a greater awareness of their data protection rights. 

This "consumerisation" of data has brought a renewed emphasis of data subject rights and increased obligations for businesses handling their obligations – ever more challenging at a time when knowledge gained from customer buying habits helps identify future trends, particularly in a world spent online. 

In this month's R&C newsletter, AG's Data Protection team have gathered their experiences of working in the sector to give an update on themes they are seeing and actions needed in 2019 to keep on top of data protection compliance.


Handling data breaches

The busiest area clients have needed support since the GDPR came into force has been handling personal data breaches and the fallout from breaches. This is unsurprising given the reputational risk and pressure of meeting the 72 hour deadline for reporting breaches to the ICO (the regulator of data protection law). 

There has been a trend in "over-reporting" to the ICO following the introduction of the mandatory requirement to report. This is understandable in the retail and consumer sector when faced with breaches that impact your customer base. Businesses look to ensure that they are "ahead of the story" to minimise reputational impact. 

The ICO has stressed that they only want to hear about breaches that have a risk to people’s rights and freedoms, following the breach. This bar has been set quite high in our experience. Examples of breaches that we have found not to be reportable include breaches that are purely internal, e.g. data accessed by an employee who shouldn't have had access, or internal system glitches. Even data shared to third parties may not be reportable where the third party has acted in a responsible manner in returning the data. Clearly breaches involving sensitive / special category data will likely be reportable.  Each breach needs to be considered on its own merits. The ICO has issued a helpful questionnaire accessible from here which is worth checking to determine if a report is needed. 

Don't forget that notifying affected customers or employees is only needed in "high risk" situations – however, this higher threshold we have found to be generally irrelevant when it comes to managing the impact on customers. Typically an honest and upfront approach has been taken to date with the decision taken to let customers or employees know about a breach ahead of a report to the ICO.

One difficult area is gathering the right information to determine whether or not to report coupled with ensuring data breaches are recorded and monitored centrally by a DPO / management team – especially across multiple sites.  

That's why we have developed AG Capture – an online reporting tool with the aim to streamline data breach management. The tool, hosted on our secure cloud-based server, asks users to complete an online questionnaire, which is fed back to management. It automatically creates management reports, notification forms for the ICO and records the breach in your register (a requirement in the GDPR). The tool is available 24/7 via any device connected online. 

If you are interested in trialling AG Capture – please contact Ross McKenzie, Data Partner. 

New challenging guidance on cookies results in action needed

The ICO released updated guidance on use of cookies and similar technology this month. The new guidance reflects changes that come from the GDPR and will need action because of the threat from the ICO that enforcement in this area will be a priority.

The guidance focusses on the requirement for "opt in" consent for use of cookies (rather than implied consent) from those who access your website or app. The guidance effectively prohibits techniques we see used in practice and results in challenging times ahead for continued use of technology relied on in websites– especially data analytics and third party marketing.

The guidance specifically flags that pre-ticked boxes and slider options defaulted to "on" are prohibited. Use of non-essential cookies used on landing pages before consent is given is also prohibited. Statements around "continuing to use the website" will be unlikely to meet the standard either.

Opt in consent is not needed for cookies that are "strictly necessary" for the operation of your website, e.g. those used to remember what items are in a customer's shopping basket, or those needed for website security.

Audits are needed of existing cookie use and a hard decision taken around what cookies will be used moving forward together with how to secure user opt in consent.

The full guidance is accessible from here and is worth close examination.

Don't forget to update your privacy notices

Whilst checking your cookie policy, it is probably worth taking another look at your privacy notices used with customers. We found that during the build up to the GDPR that there was a rush to meet all of the GDPR notice requirements which were more extensive than before.

A year on, it is important to keep an eye on your current uses of personal data to ensure your notices (for customers and your staff) genuinely reflect your use of data now. We have found that some uses have been overlooked in the rush to comply especially around tracking technologies used online, such as email pixels. 

Now that the dust has settled, it is also probably a good time to reconsider if your notices are fit for purpose in terms of user experience and whether your notice genuinely reflects your business values and culture. 

Remember that you should also keep your Register of Processing Activities up to date (required by Article 30 of the GDPR) and this should mirror what your privacy notices disclose. 

Data Protection and Brexit

Personal data sharing from European Member States to the UK will need carefully checked following Brexit given that the UK will not be treated as having "adequate protection" to receive personal data without measures being in put in place to ensure such protection. Standard contractual clauses tend to be the most straight forward "go to" solution here for sharing, especially in intra-group arrangements. 

Businesses will need also consider whether they need to appoint a representative in Europe post Brexit if using personal data of European citizens unless there is an actual European presence already that can handle data protection issues. This will be important from the perspective also of considering appointing a "lead supervisory authority" in Europe to avoid having to deal with multiple regulators in Europe. 

Keeping up to date on data protection law

This is a pretty fast moving area and one to keep a close eye on. We have a regular Data Privacy newsletter that we update regularly on this area. Let us know if you would like added to that.

Key contact

Helena Brown

Helena Brown

Partner, Head of Data
Edinburgh, UK

View profile
Ross McKenzie

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

View profile