Data protection rules across Europe have changed forever, following the introduction of the General Data Protection Regulation (GDPR) on 25th May. Suzi Sendama of Mishcon de Reya explains what this means for luxury brands, particularly with Brexit on the horizon.
Why GDPR matters
The GDPR introduces more stringent data protection obligations on companies and will strengthen the rights of individuals. Its implementation and effect are therefore of relevance both to brands and to those seeking to enforce their rights. The GDPR will be implemented across all EU Member States before Brexit. Once the UK leaves the EU, it will need a data protection regime that mirrors the new rules, not least because the GDPR applies not only to entities based in the EU, but also to those outside the EU who collect or process data in respect of people in the EU. It has therefore paved the way for a new Data Protection Bill in the UK, currently in Parliament, which will replace the Data Protection Act 1998.
The GDPR sets out new rules for organisations collecting or processing personal data of individuals (known as data subjects). Luxury brands often collect and process information relating to their clientele in order to provide a more tailored experience. Personal data is any information relating to an individual, including names, addresses, photographs of individuals, email addresses, bank details, IP addresses and even social media posts. As a result of the changes in the law, and the publicity surrounding the introduction of the GDPR, individuals are more likely to scrutinise the way in which information about them is held by organisations.
How does GDPR affect businesses?
Two key themes arising from GDPR are transparency and accountability. Brands must explicitly and clearly tell individuals what data they are holding, why they have captured it and what they intend to do with it. Brands will also need to be able to show that what they are doing is in accordance with the law. In practical terms, this is likely to involve at the very least updating privacy policies to ensure that they are in plain English and that they accurately reflect what data is being processed.
Another change which will be introduced is that electronic direct marketing, such as emails sent to people who are not existing customers, will require a higher level of 'consent' than now: it needs to be explicit and freely given, by way of a positive opt-in. The GDPR also introduces a requirement for some types of organisation to appoint an expert in data protection law as a Data Protection Officer.
Reputation management is a key consideration for a luxury brand. Brands should ensure that they have a crisis plan in place for dealing with data breaches, particularly in a sector where clientele place a lot of emphasis on their privacy. Brands could also face enforcement action if they are unable to demonstrate that they have addressed the new requirements. The legislation introduces hefty fines for data breaches of up to 4% of global annual turnover or €20 million, whichever is more.
Notification strategy for breaches
Brands should also think carefully about a notification strategy for breaches. In the event of a data breach, brands will often have just 72 hours to notify both data subjects and the Information Commissioner's Office, so having a strategy in place for dealing with this will be crucial. Employers will also need to ensure that the way in which they handle their employees' data is GDPR compliant. Brands should review their HR policies to ensure that they have systems in place to deal with their obligations under the GDPR and inform employees and any job applicants about the purpose and legal basis for processing their personal data.
Data breaches are most likely to occur as a result of human error – brands should make sure that members of staff are appropriately trained on the changes which are coming into force and ensure that they have policies in place in relation to data security and how to handle data breaches.
Key action points
- It is vital that a brand understands what data it is holding, why and where it is being stored. Understanding the risks and privacy impact of each data type will enable a brand to better protect its organisation and its data subjects. Where possible, brands should minimise the data they are holding before the GDPR comes into force.
- Transparency and accountability are key: brands should review and amend their policies for collecting and processing personal data. Every pound spent on preparation for the changes in law is likely to pay off exponentially in the future.
- Brands should appoint someone suitably trained in data protection to be the point-person for GDPR, and train all staff on the new legislation.
- Brands should have a reputation management strategy in place for dealing with potential breaches. In the luxury sector, customers' trust and confidence in a brand is of paramount importance.