GDPR: Retail is far from ready

GDPR requires retailers to start thinking about how they use personal data of individuals across their business and whether it’s in a legal and legitimate fashion. Since the answer to that in most cases is going to be “not entirely”, then what are they going to do?


“It leaves the opportunity for these companies to do some serious shoveling if you only have 10 people.”

Jon Snow made his point pretty clearly in a recent TV interview after failing to get a straight answer from the information commissioner Elizabeth Denham on whether her watchdog has the necessary resources to handle the ongoing Cambridge Analytica debacle.

Although Denham expertly avoided having to answer the question directly, her evasiveness speaks volumes to the strain the regulator is under. Unfortunately for the Information Commissioner’s Office (ICO), a far greater stress on its resources is just around the corner.

The General Data Protection Act (GDPR) is a very complex piece of new legislation poised to come into effect across the European Union on May 25. The ICO has the unenviable task of informing and guiding UK business through its implementation and then reprimanding those that have failed to comply with its many guidelines.

This is bad news for the ICO because the retail industry, one of the most affected by GDPR due to the amount of customer data it handles, is probably not ready for it.

According to research from W8Data, nearly a third of retailers feel unprepared or don’t even know about GDPR. Further research from Claranet suggests that over two thirds of retailers couldn’t secure data correctly.


With around 200,000 registered retailers in the UK, that means over 66,000 retailers could be ripe for investigation and a fine from the ICO, an undertaking that would require an army of IT experts and lawyers.

But why is this legislation proving so difficult for the industry to implement? The date of implementation has been known for the best part of two years, and the potential punishments for non-compliance could be devastating for an industry already under strain. The ICO has the power to fine a company four per cent of its annual income or €20 million, whichever figure is higher, for noncompliance.

“Part of the problem derives from the fact that most internal IT teams don’t have the skills, expertise or the time to keep up with the rapidly changing threat landscape as it’s not their key area of focus,” Claranet UK managing director Michel Robert said.

“Our research has shown that organisations are very much aware of this problem, but also that they are still some way away from solving it.”

For many, it’s not simply that they’ve been blissfully ignorant of the upcoming legislation, but that they don’t have the technological knowledge, the time to acquire it, nor the resources available to hire the staff who do.

“Security can slide down the list of priorities, jostling with ‘keeping the lights on’ maintenance activities and innovation,” Robert said.

One of the biggest issues with the implementation of GDPR is a significant skills shortage, affecting both retailers and the ICO.

Law firm Collyer Bristow’s head of intellectual property and data protection, Patrick Wheeler, said that, as at most large retailers, the ICO’s best and brightest have been pinched by specialist companies.

“The bigger problem they have is they have suffered with budget cuts as they’re a government body,” he said.

“The other problem they face is all of the big businesses that are advising on GDPR have been headhunting their best people. It’s going to be a massive job for them.

“I have to say the ICO are doing a terrific job, they’re pumping out huge amounts of info; their website has masses of guidance. The difficulty is it’s very complex legislation. They can’t be accused of not going out on a limb to make people aware.”

Aware or not, the reality is that swathes of retailers will not be compliant with GDPR in time for its ever-shortening deadline. With this in mind, what happens after May 25?

Though it is legally within the ICO’s power, it is not possible in terms of manpower, nor is it in its interest, to penalise thousands of retailers for non-compliance.

However, failing to take action would undermine the legislation entirely, giving the impression that it’s not necessarily something to worry about.

“One of two things are likely to happen,” Wheeler said.

“Either the ICO will make a big noise and get people focused on ‘this is something you should all have in place by now’, there might be one or two cases where people are made an example of. The other is they’ll go on a charm offensive.”

He added that companies that “ought to know” what their obligations are, such as tech and IT based firms, would likely be made an example of should they be found to not be in compliance.

The Federation of Small Business, which represents hundreds of small retailers in the UK, has called on the ICO to use a “light touch” when dealing with non-compliant businesses to start with, adding that just eight per cent of small businesses had completed preparations.

Its chief executive Mike Cherry said: “There must be a willingness to play a supportive role in ensuring that small businesses can and are able to comply.

“The ICO will be critical to creating an environment which focuses on education and prevention and not punishment.”


Though Denham echoed this, stating “this law is not about fines”, the budget issues and skills shortages hindering many retailers’ progress towards compliance are long-term problems.

With the ICO’s stretched resources and consequent inability to challenge non-compliance quickly and effectively, compliance is also likely to remain unprioritised for many.

Thus, this issue is destined to persist long past the May 25 introduction date. The ICO is therefore likely to look at the effort a retailer has put into meeting GDPR guidelines rather than whether they were met on time.

As Coalfire’s UK managing director Andy Barratt points out: “The ICO has made an effort to play down talk of crippling fines so far, but part of avoiding them in future will involve being able to show that your business made a concerted effort to comply. That won’t be quite so easy if the ICO decides you left it all to the last minute.”

“The fundamental step to meeting the various requirements of GDPR is identifying and documenting all the personal data held, what consent you have to retain it and who you share it with.

“Whatever happens, businesses shouldn’t see the ICO as the enemy.”

With the threat of such substantial fines, it can be easy to overlook the bigger picture. It’s important for the ICO, the retail industry and the general public to remember that GDPR stands to benefit them all.
