On 14 April 2016, the European Union reached an agreement on the so-called “General Data Protection Regulation” (most of the times simply referred to as the “GDPR”). This Regulation will be applicable in all member states of the European Union as of 25 May 2018 (thereby replacing the current national legislations) and will have a drastic impact on the way companies and organizations deal with “personal data”.
The GDPR will be applicable for all companies and organizations that process personal data, not only those companies and organizations who have their registered seat in a member state of the EU but also those who are located outside the EU, but either target EU citizens to sell goods or services or actively monitor the behavior of EU citizens.
What does “processing of personal data” actually refers to?
From the above mentioned definitions it clearly follows that most companies and organizations active in the consumer markets sector processing large quantities of personal data (e.g. in the framework of a loyalty card program, for reasons of direct marketing…) and will therefore be subject to the provisions of the GDPR.
Overall, the GDPR brings the privacy legislation in line with the “digital” world we currently live in. On the one hand a number of simplifications have been introduced (for example it will no longer be required to formally report processing activities to the privacy commission) but on the other hand, the GDPR imposes the responsibility for compliance with the provisions of that same GDPR on the organizations and companies – they will need to be able to prove their compliance or (and this is the biggest novelty) face serious fines, up to a total of 4% of the global turnover (or 20 Mio EUR).
Under the new GDPR the legal grounds on which the processing of personal data can be based will be defined more clearly. Processing of personal data will furthermore only be allowed for a limited number of reasons, for example when it is required for the performance of a contract. This will e.g. be the case when an online retailer needs to process the address of a client for the delivery of goods ordered by that client.
“Consent” will also still be allowed as a legal ground for processing of personal data under the GDPR. However, the interpretation of “consent” will be a lot stricter than it is now. Consent must be “free, specific, informed and unconditional”; which means that the technique of the so called “opt-out” (still often used in the framework of online marketing) will have to be replaced by an “opt-in” principle.
Consumers will also benefit from a number of new and improved rights under the GDPR, such as the right to be forgotten or the right to data-portability. This means that privacy policies and other contractual documentation most likely will have to be updated to align with the requirements imposed by the GDPR. Furthermore a number of processes and procedures will have to be updated.
As retail companies in general process large quantities of personal data and see “data” also more and more as a valuable asset (to predict consumer behavior, target marketing….) the retail and consumer markets sector is one of the sector heavily impacted by the provisions of the GDPR. Existing processes and policies are often not compliant with the upcoming legislation.
We notice in practice that it takes up from several months to over a year (depending on the size of the organization and the amount of personal data being processed) to comply with all the provisions of the GDPR.
Compliance with the GDPR can therefore be considered as a serious “challenge” for organizations processing personal data, but also offers opportunities for retail companies. A clear and transparent approach to privacy as organization can lead to an increase in the confidence consumers have in it.
Want to know more? Contact one of our experts.
© 2019 Kratos Law, a Belgian civ. CVBA/SCRL civ. All rights reserved. * Kratos Law civ. CVBA/SCRL civ. has entered into a cost association with KPMG Tax Advisers civ. CVBA/SCRL civ.