Demystifying GDPR: Convenience Retailer Checklist
The General Data Protection Regulation (GDPR) is the new framework devised by the European Union to help safeguard people’s rights when it comes to their personal data. It comes into effect on the 25th of May 2018. It places increased responsibilities on all businesses that collect or process personal data, and the fines for non-compliance are BIG: up to 20 million euros or 4% of your global turnover.
Don’t think a typical convenience store handles much data? You might need to think again.
Katie Jenkins, Head of Customer Proposition at Bolt Learning, highlights the key areas a convenience retailer will need to consider.
I have a website
If your website’s sole purpose is as a standalone marketing site, you have little to worry about. However, if you collect any personal data via it, certain considerations need to be made.
Is there a newsletter sign-up form? If yes, make sure that you can collect consent from those signing up.
Can people order online? If yes, you will need to collect and protect certain details in order to deliver their goods.
I have an EPOS system
If you collect customer data via your EPOS, you’ll need to inform the customer exactly what is being collected and what it is being used for, gain positive consent, and be prepared to erase a customer’s details on request. Be aware of the physical theft of a terminal and put measures in place to limit the likelihood. Draw up a policy of what you and/or your staff should do in the event of a breach.
I send marketing materials to people
Consent must be a positive action (opt in rather than opt out) and the text must be clear and simple. You must record consents so that you can prove that active consent has been given. Always make sure to collect consent to send marketing SMS and emails, including an option to unsubscribe.
I have an offline/online database with customers’ personal details
One of the questions that GDPR forces retailers to ask is “do I really require all the personal data that I store on someone, in order to perform my contractual duty/function?” Only store the specific data relevant for a specific task, and collect and record active consent.
Can my customers easily get access to the information I hold on them?
I hire companies to help me with payroll/HR/deliveries etc
You are responsible for the personal data that is in the possession of your suppliers. For each supplier make a list of all the personal data you send them – if some of the information you send isn’t necessary, then remove it. Check your suppliers are GDPR compliant; they must legally inform you of any potential breaches.
I employ people
Be careful not to pass on any employee’s details to anyone other than those performing a specific function for the business, e.g. payroll suppliers (who must be compliant too). Ensure you have a retention policy for employee data (e.g. deletion 7 years after employment ended). It is also an employer’s responsibility to ensure their employees are aware of how this legislation affects them.
What if something goes wrong?
In case of data breach incidents, you may be required to inform your supervisory authority and your customers, within 72 hours of becoming aware of it. Create a plan showing what you and your employees should do in the case of a data breach.
Need further advice?
Bolt Learning is offering two online training modules, with 10% discount for Store Excel readers – contact firstname.lastname@example.org
Disclaimer: this article is not meant as legal advice. You must seek advice from your legal advisors to ensure complete compliance with GDPR.