Retailers must take risk-based approach to GDPR, Tryzens
With less than 60 days to go until GDPR comes into effect, many retailers are still struggling to become compliant due to not being able to deploy the correct data handling practices, Tryzens claims.
Andy Burton, CEO at Tryzens, says that while the ICO can impose materially larger fines for breaches of GDPR (up to 4% of annual turnover or €20 million), focusing solely on this punitive risk is the wrong basis for getting ready for it. Instead he suggests that retailers should adopt a practical, risk-based approach (RBA).
In other words, retailers should identify the extent and nature of the personal data held by their business, its current relevance to their operations, the security measures in place to protect it, and their dependence on third-party data processors, who also have to demonstrate compliance. By understanding these areas of risk, retailers can prepare their processes, manage and minimise their retention of personal data, and educate their staff to help ensure they operate in a compliant way and are able to address questions or requests that may arise from customers and employees.
Burton comments: “GDPR is a principles-based regulation and this means that there is not a one-size-fits-all approach to achieving compliance. However, we believe that retailers can achieve operational readiness by undertaking a risk-based approach that examines the nature of the data being held and for what purpose. While the tactics for this may vary from one organisation to the next, this method should help retailers by exposing any potential risks. From this, retailers can then create and initiate a plan of action that is relevant to the level of the risks identified, while also determining how personal data will be captured, managed, protected and controlled to ensure fair and lawful processing.”
He concludes: “Ultimately, GDPR requires a fundamental review of personal data management by each retailer – be they traditional or a born-in-the-cloud retailer. To that end, considering the topic is so broad and the clarity of interpretation of the new regulation is still unproven in practice as it is not yet in force, we believe that a risk-based approach is essential to becoming compliant in an efficient, effective and timely manner.”
For more information, visit Tryzens' GDPR Hub.