GDPR — What does it mean for retail & hospitality?

You may have heard a new Data Protection Act is coming into play soon. On the 25th May to be precise and no, Brexit wont be abolishing this EU legislation. Nice try though 😉

From speaking to both potential and current customers it is obvious there is uncertainty about what this all actually means.

It essentially means you no longer own a customer’s personal data. You merely look after it until they choose to exercise their right and request deletion.

First up, let’s establish what personal data is:

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Oh so not much then.

Lets check out the new regulation and put a simple example to the test – A Visitor/contractor Log

✅ = Pass ❌ = Fail

Principle 1: Lawfulness, Fairness, and Transparency

• Explicit consumer consent is required before data can be captured, processed and stored (opt-in) ❌

Do you ask each visitor verbally? Do you write it at the top of the piece of paper? How can you guarantee consent is given? You can’t.

• Personal data must be collected for a very specific, pre-defined purpose ❌

Different visitors may have different requirements. Chances are you’ll need to record different information (personal identifiers) depending on who they are.

This either amounts to pages and pages of visitor logs (and associated risk of data loss) or collecting more data than required and angering the GDPR gods.

• Everyone has a right to be forgotten (all personal data deleted) ❌
• On request, you must provide all personal data you currently hold on a consumer within one month ❌

Best of luck trying to find all the visitor data recorded in multiple files in multiple offices. Unfortunately there’s no Cmd + F in an analogue world.

It’s not even worth thinking about the labor cost of that riveting task

Principles 2 & 3: Accuracy and Purpose Limitation

• All personal data must be accurate and kept up to date ❌

Handwriting. If a visitor’s entry can’t be read, it can’t be accurate. Keeping records up to date isn’t too arduous a task. However, the lucky person responsible for this sure would look fondly at a chronological database.

Hospitality and medical professionals are still battling for the top spot

• Individuals have the right to request that inaccurate information be corrected ✅
• Personal data can only be processed for its initial intended purpose ✅

Principles 4 & 5: Data Minimisation and Storage Limitation

• Only personal data that is absolutely necessary should be collected ❌
• Personal data must be stored for no longer than is required ❌

You’ll need a task management system with advanced scheduling to maintain these deletion schedules. Eg. a task every month to shred logs from a given period

• Individuals must be informed about the planned retention period for their personal data ✅

Principle 6: Integrity and Confidentiality

• Personal data should be rendered anonymous where possible ✅
• Controllers must implement appropriate technical and organisational controls to safeguard the processing of any personal data that cannot be made anonymous ❌

The data can’t be made anonymous, anyone can read it. How can you ensure the next signer cannot see previous entries? Again, you can’t. (well you could with a fresh piece of A4 for each person but what would the baby seals say)

They’re not keen on deforestation

Principle 7: Accountability

• Organisations that systematically collect and process personal data must appoint a Data Protection Officer (DPO) ✅
• You must be able to give evidence that you are compliant with the previous 6 principles ❌
• You must implement a data-breach notification scheme that ensures all known breaches are reported to the appropriate DPA within 72 hours and records of these data breaches are stored ✅

The results would leave you asking:

“Alexa, what’s 4% of {last year’s revenue}?”

For those unfamiliar with the new penalties, this is the maximum fine for non-compliance (or €20,000,000, whichever is higher)

It all sounds pretty bleak right? Fear not, we’re here to help.

Trail-the smart checklist for effortless operations 🙌

GDPR compliance: Paper vs Trail

How does Trail tackle the problem areas?

• Mandatory fields ensure explicit consent is given 🤝
• An unlimited catalog of tasks and logic jumping forms guarantee personal identifiers are kept to a minimum 🎩
• A consumer’s personal data can be located, exported (for them) and deleted in a matter of minutes ⌛️
• Records are entered on any device keyboard and timestamped. This ensures entries are both up to date and accurate ⌨
• Any data reaching a specified retention period can be removed systematically. Steps can be taken to inform consumers automatically should such periods be amended 🚮
• Our data is encrypted and stored on Amazon’s Web Servers (AWS). AWS have been accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1 , FISMA Moderate & Sarbanes-Oxley (SOX) to name just a few 🔐

With the right processes, and supporting technology in place, being GDPR compliant come May 25th should be a doddle!

Trail does more than just visitor logs. Our app serves up a daily list of tasks to guide teams through their day. Anything from opening checks, food compliance, incident logging to cashing up. Visit our website to find out more.