Comment: Data regulations and reputations

The way we shop is changing. Online sales and integrated digital stores (with smaller footprint, fewer staff and higher focus on tech solutions) are helping to ease the strain on traditional retailers. However, connected and eCommerce strategies are opening retailers up to new cyber and data risks – and, with change afoot, it is vital to effectively prepare for a new set of obligations and a rapidly shifting data security landscape.

A changing retail landscape

Online sales are increasing (9.3% year-on-year according to the most recent ONS statistics) and retailers are handling increasing levels of personal customer data – and have far more points of collection with ‘knowing the customer’ driving digital marketing strategies. At the same time, the number of cyber security breaches is also growing, with 94% of respondents to the British Retail Consortium’s 2015 Crime Survey reporting that breaches are increasing or at least staying the same.

Whilst there have been some high profile data breach cases in the industry, notably Target in the US and VTech, fearing cybercrime itself is, arguably, a loud distraction for retailers. The key for these businesses is ensuring that they are fully compliant with the new European regulation regarding personal data which comes into force in 2018 and other cyber security rules coming from Europe.  As part of that compliance, retailers with large digital operations and eCommerce operators more broadly will also have to pay close attention to the data policies of their suppliers and, crucially, logistics partners.


Following four years of negotiations, the new European General Data Protection Regulation (GDPR) was published in May this year and will replace the current data protection framework in the UK and the rest of Europe on 25 May 2018.

This may seem a long way away, but many businesses will be engaged in or pursuing contracts with suppliers which stretch beyond 2018 – casting the extent of the GDPR’s reforms into sharp relief.  It is important to remember that the GDPR will apply not only to data controllers (ie. retailers who gather customer data at point of sale or other contact and who ‘determine the manner and the purpose’ for which that data is used) but also to data processors who handle data on their behalf. Whereas the current UK data protection regime gives the ICO (the UK data protection regulator) no direct power to fine processors, this will all change in 2018. In, for example, a logistics contract where an internet retailer agrees with a distributor to share customer addresses and order information through a digital system, the distributor as well as the retailer will be responsible for the continued security of that data and both parties will need to have adopted appropriate organisational and technical measures to keep that data secure. Retailers will, therefore, need to ensure that their due diligence when choosing a service provider incorporates analysis of that supplier’s data protection and security processes and policies – and service providers will also now be taking closer note of their own practices.  In addition, retailers purchasing bespoke data-handling systems will need to ensure that security and data protection measures are built in by design and set as the default. Maximum fines for breach of the GDPR will be the greater of €20 million and 4% of global turnover for both controllers and processors – up from the £500,000 UK fine currently in place and enough to ensure boardroom interest.

Reporting and beyond

Another big change brought about by the GDPR is to the obligation to report data breaches. Under the current rules there is no statutory obligation to report the loss or hacking of personal data to the public although the ICO encourages reporting. Once exception is found for telecoms companies in the Privacy and Electronic Communications Regulations (PECR), which requires these operators to report breaches which are “likely to adversely affect the personal data or privacy of subscribers or users” without unnecessary delay; this was famously seen in the recent TalkTalk case. The GDPR, though, will roll out data breach reporting across all data controllers and provides that personal data breaches must be reported to the regulator within 72 hours (unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects) as well as to the data subjects “without undue delay” when there is a high risk to their rights and freedoms. In addition to the larger fines, a serious breach could mean serious reputational damage.

Certain providers will also need to keep an eye on the rapidly approaching new EU laws regarding cyber security with the Network and Information Security Directive, set to be implemented in August 2016 and subsequently to be adopted into UK law by 2018. This will require providers of essential services and digital services providers – including cloud computing services, online pay platforms and online marketplaces – to improve their ability to withstand cyber-attacks, and require new reporting standards to national authorities. Many retailers utilise or partner with these kinds of providers and it will be essential to closely watch how this directive is implemented into UK law.


With much of the current data protection legislation being driven by Brussels, the elephant in the room for UK-based retailers is undoubtedly Brexit. However, whichever way the vote goes on June 23, retailers who sell products into the EU will still have to adhere to EU regulations as the GDPR is no longer limited to data controllers with equipment in the EU, it also bites on data controllers who are offering goods and services to consumers in the EU. With so many sales coming via online platforms and into a global market, data protection obligations are here to stay.

For retailers particularly, it is not even the threat of greater fines that warrants conformity, it is the fact that any significant concerns over customer data security and privacy are an undeniable reputational risk. A fine is a drop in the ocean compared to the loss of a hard-won customer relationship.