The explosion of data, brought about by ever more sophisticated and pervasive technologies, has led to the new General Data Protection Regulation (GDPR), the most comprehensive shake-up of data protection law in 20 years.
The GDPR aims to update the existing data protection framework across EU markets to reflect today's digital environment; to streamline existing laws so that it is easier for businesses to comply; and to give EU citizens a level of privacy that is consistent across member states. This means that all data collected on individuals (with limited exceptions) falls within the scope of the new law, including email addresses and transaction history. Any company that processes personal data on EU citizens is liable, whether or not it is established in Europe. The GDPR becomes enforceable in the 28 EU member states in 2018, so the onus is on retailers to be fully compliant within that timeframe. Fines for non-compliance run up to 4% of a company's global annual turnover (or EUR 20 million, whichever is higher), and non-financial obligations also apply, notably the duty to report breaches 'without undue delay' and, where feasible, within 72 hours of becoming aware of them. Those who plan accordingly and implement changes that align with the raft of new regulation will benefit. Those who do not will not only pay a heavy price financially but also risk irreparable reputational damage.
The challenges for retailers
With the legislation formally adopted in the spring of 2016, and in the wake of recent significant data breaches, merchants need solutions in place that allow large amounts of information to be stored and analysed in real time without compromising the security of customer data. Retailers must now be meticulous about data management. Once the regulation is enforceable, organisations must operate strong data governance processes that limit how long personal data is retained; at the end of the retention period the data must be reviewed, and erased if there are no longer legitimate grounds for keeping it. Companies will also need procedures to notify the national supervisory authority in the event of a data breach and, where the breach is likely to result in a high risk to individuals, to notify the affected individuals as well, so that they can take protective measures. These stringent breach reporting obligations also mean that organisations must have an effective monitoring framework for detecting incidents and for assessing and improving their processes.
How technology can help
How can merchants mitigate this risk? The good news for retailers is that technology already exists to help them keep customer data secure while they work towards GDPR compliance.
One such technology is tokenisation. Tokenisation is a data protection technique already used in the payment industry to protect card data at the point of sale. Rather than encrypting the data, it substitutes a surrogate value, or 'token', for the card number when the transaction is processed, and keeps the mapping between token and real value in a separately secured store (the token vault). Because the token is generated at random, it has no mathematical relationship to the card number and no exploitable meaning to an attacker who obtains it. This helps retailers mitigate risk: if a system holding tokenised records is breached, no card data is exposed. Extending the same control to other personal data, such as email addresses, limits what a breach of a customer database can reveal. Two caveats apply. First, the vault that can reverse the tokens becomes the highest-value target in the estate and must be segregated, tightly access-controlled and audited. Second, under the GDPR tokenised data counts as pseudonymised rather than anonymised: as long as the vault can reverse it, it remains personal data, so tokenisation reduces breach impact and supports data minimisation but does not take the data out of the regulation's scope.
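The following Python sketch illustrates the vault-based tokenisation described above. It is an added example written for this page, not code from the original article or from any payment vendor. It assumes an in-memory dictionary stands in for the vault (a real deployment would put the vault in a separate, access-controlled service), that card tokens keep the last four digits for receipts and are deliberately made to fail the Luhn check so they can never be mistaken for a real card number (a design choice, not a requirement), and that the same value always maps to the same token so that analytics can still join records on it. The card number and email address used are constructed test values, not real customer data.

```python
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenisation (illustrative, in-memory).

    Tokens are drawn at random, so they have no mathematical relationship to the
    values they replace; the mapping held here is the only way back. Systems that
    store and analyse tokens should never have access to this object.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize_pan(self, pan: str) -> str:
        """Replace a card number with a same-length token that keeps the last four digits.

        The token is made to fail the Luhn check (design choice assumed for this example)
        so that it can never be confused with, or accidentally submitted as, a real PAN.
        """
        pan = pan.replace(" ", "")
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._value_to_token:
            return self._value_to_token[pan]  # same PAN -> same token, so joins still work
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_value and not luhn_valid(token):
                break
        self._store(pan, token)
        return token

    def tokenize_personal(self, value: str) -> str:
        """Replace any other personal-data field (e-mail, phone number) with an opaque token."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)
        self._store(value, token)
        return token

    def detokenize(self, token: str) -> str:
        """Recover the original value; raises KeyError for tokens this vault did not issue."""
        return self._token_to_value[token]

    def _store(self, value: str, token: str) -> None:
        self._token_to_value[token] = value
        self._value_to_token[value] = token


if __name__ == "__main__":
    # Constructed sample data, not real customers.
    vault = TokenVault()
    orders = [
        {"order": 1001, "card": vault.tokenize_pan("4111 1111 1111 1111"),
         "email": vault.tokenize_personal("alice@example.com"), "amount": 42.50},
        {"order": 1002, "card": vault.tokenize_pan("4111 1111 1111 1111"),
         "email": vault.tokenize_personal("alice@example.com"), "amount": 19.99},
    ]
    # A copy of this table leaks only tokens and amounts; both orders still join on the same card token.
    for row in orders:
        print(row)
    # Only code holding the vault can get back to the real values.
    print(vault.detokenize(orders[0]["card"]), vault.detokenize(orders[0]["email"]))
```

Note that the order table contains nothing an attacker can use on its own, which is the property the text describes; the corresponding weakness is that `TokenVault` now holds every real value, which is why the vault must be isolated from the systems that consume tokens.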
With the GDPR adopted by the European Parliament, the countdown to enforcement in 2018 has begun, and the whole market needs to react to this regulation in the EU now.