5 GDPR Challenges for Retailers from the NRF
How does GDPR apply to retailers with storefronts, websites, mobile apps and other means of selling products to consumers? We just discovered the 14-page report titled “Retail Approach to Implementing Critical Elements of the GDPR”, published by the National Retail Federation and EuroCommerce in May, which provides insight into this issue.
The report is a discussion document for the global retail industry issued by two of the world’s largest retail trade associations. The National Retail Federation is the world’s largest retail trade association representing companies in the United States and 45 other countries. EuroCommerce is the principal organization representing the retail and wholesale sector in Europe with national associations in 31 countries. The accompanying press release indicates that the paper will be shared with the data protection authorities in the 28 EU member states.
Special Challenges in GDPR for Retailers:
The challenge addressed in the discussion paper is how to apply the industry-neutral rules protecting customers’ personal data to the unique circumstances of the retail industry across all of its channels. Here are some of the suggestions that the paper offers:
Right to Erasure: Retailers should allow the erasure of personal data for specific purposes but maintain records of goods purchased by customers to facilitate product returns and exchanges, avoid weakening fraud protections and enable reconciliation of card transactions. Some countries require retailers to maintain transaction records for up to 10 years, so this data simply cannot be deleted.
Right to Data Portability: The paper advocates decoupling the personal data to be exported from competitive or commercially sensitive retail transaction data, since exporting the latter would raise significant competition concerns and could reveal product sales strategy, trade secrets and other sensitive business data.
Can Legitimate Interest and Contractual Necessity supplement Consent: Customers expect retailers to process data as a necessary component of the underlying retail shopping experience and do not want serial notifications seeking affirmative consent for every interaction, so one of these two lawful bases should apply to certain operations without the need for consent.
Data Breach Notices: Data Protection Authorities should consider making payment card processors responsible for disclosing their own data breaches, as individual retailers are not in a good position to do so. This would also prevent the massive over-notification of regulators and individuals arising from a single breach.
Automated Decision-Making: Retailers hope that customized advertising relying on automated tools and decision-making will not be subject to consent, consistent with the WP29 guidelines.
Here is the link to the PDF available on the NRF website.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.