Weighing up the cost of GDPR compliance
Posted by Taj Onigbanjo
With multiple in-store and online channels to account for, the modern retail landscape is a complex playing field. Retailers are tasked with offering customers more choice, greater flexibility, and competitive pricing in a clear and concise manner. At the same time, customers expect to receive the best possible service experience at every step of their journey.
With so much to grapple with, many retailers today are realising the countless benefits of adopting cloud software as a service (SaaS) to streamline their business operations end-to-end.
A unified system helps retailers manage their supply chains and gain flexibility and visibility over their operations, streamlining every process along the way. But the ease and accessibility of SaaS can also be a slippery slope for the IT departments that have to deploy and oversee it: each new service is another place where customer data lives. With GDPR enforcement just around the corner and serious consequences for non-compliance, retailers need to understand what steps their SaaS providers are taking to support GDPR compliance, and which obligations remain their own.
The GDPR is an EU regulation that protects the personal data of individuals in the EU, regardless of their citizenship, and it applies to any organisation that processes that data, whether or not the organisation itself is established in the EU. Any retailer that collects, stores, or processes personal data of EU individuals - names, addresses, phone numbers, email addresses, and also identifiers such as customer IDs and IP addresses - will need to comply with it. The regulation requires personal data to be processed securely, and businesses must be able to account for how, where and why the data is used. For e-commerce companies relying on third-party software partners, this data may well be spread across multiple systems and locations.
Failure to comply with GDPR can lead to fines of up to €20 million or 4% of a company's annual worldwide turnover, whichever is higher, so retailers have little margin for error. Poorly managed data handling, for example through a legacy SaaS provider that cannot say where customer data is stored or who can access it, can mean failure to comply with GDPR and could cost millions.
GDPR requires the 'controller' - in this case the retail company - to have a written data processing agreement with each 'processor' - for example its SaaS provider. Under Article 28 the agreement must set out a number of obligations, including: processing personal data only on the controller's documented instructions; ensuring that staff who handle the data are bound by confidentiality; implementing appropriate technical and organisational security measures to protect the data; not engaging sub-processors without the controller's authorisation; assisting the controller in responding to data subject requests and in breach notification; deleting or returning the data at the end of the service; and providing the information needed to demonstrate compliance, including allowing audits.
At the same time, the controller remains accountable under the GDPR: it must be able to demonstrate what processes it has implemented to ensure data protection and compliance, including how it selected and monitors its processors.
It goes without saying that privacy (and therefore GDPR) is paramount for Unit4. We have been preparing our people, products, and processes to comply with the obligations under GDPR as well as with obligations that may be imposed under national legislations. As such, our retail organisation customers can rest assured that their data remains protected and compliant at all times. Our SaaS is watertight in terms of GDPR compliance, offering:
- Privacy by design - Unit4 complies with other privacy regulations, and is in the process of strengthening the built-in principles to ensure the confidentiality and integrity of data stored within our applications.
- Data processing agreements - these along with technical and organisational measures for data security, and the accountability and auditing obligations will be reviewed to comply with the requirements under GDPR.
- Processing and auditing - Unit4 will register all processing activities and document them in accordance with the GDPR requirements.
- Data security requirements - The data security requirements under GDPR are more or less the same as those stated in the Dutch Data Protection Authority guidance, which Unit4 complies with.
- Data leak reporting - Unit4 has an internal protocol in case of data leaks, which will be updated for GDPR compliance to ensure any data leaks are reported to the competent supervisory authority within the 72-hour time frame provided in the GDPR.
Although the GDPR places direct obligations on processors, and a processor can be held liable for breaches it causes or for failing to meet those obligations, the controller remains responsible for what happens to its customers' data. A retailer cannot outsource that accountability, so it is vital to tread carefully when engaging any third-party supplier.
Choosing a SaaS vendor has never been easy, and GDPR compliance and the privacy constraints that come with it add further complexity. Before entering into a contract with a SaaS supplier, organisations should establish what steps the supplier is taking to meet GDPR requirements, check the terms and conditions of the contract, and make sure a compliant data processing agreement is part of it.
Understand how the supplier handles personal data and what methods it uses to ensure the data is managed, processed, and stored securely. The supplier should be able to explain the controls and security management processes in place rather than simply assert that data is secure. It is important to be able to trace the path of data through its entire lifecycle, from collection to deletion, to ensure it is protected at every stage. Ask: What information security controls and certifications does the supplier have, and can it show evidence of them? Where is the data stored, and is it transferred outside the EU? Which sub-processors does the supplier use, and will you be told when they change? Can stored customer data be deleted on request, including from backups, and within what time frame? Can a customer's data be exported in a structured, commonly used, machine-readable format to meet data portability requests? How quickly will the supplier notify you of a breach, given your own 72-hour reporting deadline?
Failure to comply with GDPR can result in serious financial and reputational damage, so a lack of clarity from a SaaS provider about its data security practices should ring alarm bells for any retail organisation. Legacy systems may have sufficed until now, but continuing the relationship is not a risk worth taking for the sake of saving a few pounds. If data is put at risk, GDPR fines will make a much larger dent.