Personal data and data protection may not spring to mind when you think about your local grocery store, butcher, off-licence, or restaurant. However, those in the food and beverage industry should assess how they manage information they collect, for example information collected through loyalty card programmes, mailing lists and e-receipts. The General Data Protection Regulation or GDPR, which comes into force on 25 May 2018, will regulate the use of information that may be used to identify an individual i.e. personal data.
Obligations under GDPR
GDPR provides a comprehensive set of obligations, which businesses must adapt to when dealing with personal data. The GDPR requires that a number of details must be provided to customers when you process their personal data. This includes providing customers or individuals with information about what personal data is being processed, how it is being processed, why it is being processed and who the personal data is being disclosed to. This is important because it could include third parties e.g. marketing agencies who assist in loyalty card programmes.
Five points to remember
From a practical perspective, collecting information is an important part of providing good customer service and ensuring customers get a more tailored and bespoke service. With that in mind, we set out five points which a business in the food and beverage industry must give priority consideration to in preparing for GDPR.
- Accountability: Under GDPR businesses must be accountable and in a position to demonstrate, and in most instances document, the manner in which they comply with data protection law. This may include refreshing fair processing practices, reviewing privacy notices, and rethinking consent capture mechanisms. For many, this will mean revisiting data protection wording on websites, online application forms, interactive voice recordings, call centre scripts, proposal and application forms, renewal notices and annual account statements.
- Legal Basis for Processing Personal Data: For GDPR, businesses will have to identify the legal basis upon which they process personal data and the purpose for this processing. Broadly, the GDPR offers six legal bases which are consent, contracts, legal compliance (with another law), protecting the vital interests of a person, public interest and legitimate interest. In the food and beverage industry, businesses may have relied on consent and/or legitimate interests to process personal data pre-GDPR. In considering legal bases under GDPR, much will depend on what kind of processing you intend to do and why.
- Consent: Consent has to be given through a clear and affirmative action. So if a business will be asking customers for consent, then customers, as data subjects, must actively choose to give a business their personal information. Customers will also have the right to withdraw their consent at any stage and businesses will have the responsibility of reviewing consents on a regular basis.
- Transparency: This is one of the key data protection principles under the GDPR. It essentially requires communication of information to customers about the collection and processing of their personal data in a simple, concise and easily accessible form, using clear and plain language.
- Data Breaches: Personal data breaches can have far-reaching consequences, both in reputational and financial terms. The GDPR requires that data breaches are notified to the local data protection authority within much stricter timescales than before. Where the data breach poses a high risk to the privacy rights of customers, affected customers must also be notified without undue delay.
This is just a snapshot of the changes that are due to take effect under GDPR. Businesses in the food and beverage industry need to understand what data they are collecting, what they do with that data, and what their consumers or customers need to know. Substantial fines may be imposed under the GDPR, up to €20 million or 4% of global turnover, and customers have the ability to pursue compensation as a result of a breach of their rights.
It is advised that businesses take stock and review their data collection policies and processes in advance of the deadline in May 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.