New Penalties for Mishandling Data

How the EU's data-privacy regulation could affect U.S. retailers

CHICAGO -- New efforts overseas to protect consumers could mean hoops to jump through for retailers in the United States—or the risk of fines up to $25 million.

Collecting the personal data of European Union (EU) residents will become more legally complicated as of May 25 when the EU’s General Data Protection Regulation (GDPR) goes into effect, and the protection expands well beyond the EU's borders.

At its core, the regulation requires any business or other organization to seek the permission of EU residents before it collects or uses data from those residents. But that’s not nearly the whole story. The Economist has called the regulation “arguably the most complex piece of regulation the EU has ever produced.” The EU has compiled an online resource to help those who might be affected prepare.

Even a U.S.-based business can be affected by the regulation if it misuses an EU resident’s data, per the GDPR. For example, imagine someone from Germany is on vacation and stops at a U.S. convenience store. If the tourist swipes his credit card at a store or pump, signs up for a loyalty program or shares personal information online or offline, GDPR requires that retailer to first seek permission to hold that data and use it. The retailer also must be transparent with the customer regarding how the data will be used, and the customer must have the ability to take his data back if he chooses, among other requirements.

Violations of the rules could lead to complaints. And companies that ignore such complaints could face fines of up to $25 million, or 4% of global annual sales, whichever is greater, according to the Economist.

But how should c-store retailers prepare for such a possibility?

“The bottom line is: You must have consent,” said Simon Stocks, chairman of IFSF, a forum of international petroleum retailers based in Essex, United Kingdom. “Without consent, you have no right to have that data.”

Stocks gave a presentation at the recent Conexxus Annual Conference in Chicago, a technology-standards meeting held April 30-May 3, in which he outlined the regulation and how it could potentially affect U.S. retailers.

During the presentation, Stocks urged attendees to assess whether their business holds data of any EU citizens today and if that data has any direct implications on their business. He also mentioned that the regulation will still apply to residents of the United Kingdom. “There’s no Brexit for GDPR,” Stocks said.

Getting Ready

CSP Daily News sat down with Alan Thiemann, general counsel for Conexxus, for more tips on how to prepare for GDPR.

“By May 25, what you really need to be doing is showing that you’re taking steps to get into a legally defensible position,” Thiemann said. “The first thing that anybody needs to do under GDPR is you need to do a data flow.”

Retailers should evaluate what data is coming in, where it’s coming from, what they plan to do with the data and the purpose of collecting it. Should data protection someday become an issue, this process will help retailers show they are handling consumer data responsibly.

“Once you have the flow of the data, you can go look at your privacy policy and figure out what amendments and modifications you should be making,” he said. Thiemann explained that the EU is not the only governing body with data privacy laws; Canada and Australia also have their own policies. Thiemann’s advice is to build a data-privacy policy based on GDPR, because it is likely the most stringent data regulation in existence, and following GDPR will probably put data collectors in line with all other policies.

But what might that privacy policy look like? Basically, the EU resident agreeing to exchange their data for a good or service should have access to all necessary information about the entity they are giving their data to: who they are, what they are doing with the data and if the data will be shared. Data controllers are also required to inform data subjects of their rights under GDPR. Additionally, EU residents have the right to erase their online data, the right to request a copy of data taken from them and a right to have their personal data ported elsewhere.

What's the Point?

If this all seems complicated, well, it is.

Luckily, it’s not as if the EU is going to start searching for companies to prosecute due to lack of GDPR compliance. “If an EU resident has a problem with [a company or organization] in the United States, they could certainly file a complaint. If enough complaints got filed about a particular company, that would probably spawn a letter to that company asking for information about the consent,” said Thiemann. Besides, the regulation’s real targets with this action are huge data-gobbling corporations such as Facebook, Amazon and Google, he said.

The launch of GDPR might seem scary, but Thiemann said its arrival should not be treated with panic. “Do I think this is going to create a groundswell of immediate problems? No. I think this is unfortunately one of those situations where an ounce of prevention is worth a pound of cure,” he said, to borrow from Benjamin Franklin.

In other words, retailers should look deeper into GDPR and start assessing their data practices, but he does not see a need to rethink everything about the way we collect consumer data today.

“Being the lawyer, I tend to think that it would be most beneficial to be ready, but I recognize that businesses are always confronted with a host of regulatory requirements,” Thiemann said. “Sometimes you’re able to get there quickly and other times it takes quite a while to go through all of the steps. And this is one where the steps are pretty significantly complex.”
