More than a quarter of businesses in the retail sector are unaware of the new wide-ranging data protection rules, and the associated fines, which come into force in less than a year’s time.
That’s according to a YouGov survey of 243 retail businesses, commissioned by national law firm Irwin Mitchell.
It found that only 26% of retailers admit to being aware of the new General Data Protection Regulation (GDPR), which comes into force on May 25, 2018.
Despite this lack of awareness, a quarter (25%) of participants admitted the maximum fine for non-compliance would force them out of business and 10% said it would lead to large-scale redundancies.
Under the new regime, certain data breaches that have an impact on privacy, such as a customer database being hacked or a letter being put in the wrong envelope, must be notified to the regulator within 72 hours.
The maximum fine for certain data breaches in the UK will rise from £500,000 to €20 million (£17.4 million) or 4% of global turnover, whichever is larger. GDPR represents the biggest change in 25 years to how businesses process personal information and it replaces existing data protection laws.
Joanne Bone, partner and data protection expert at Irwin Mitchell, said: “These results are concerning because with next May’s deadline fast-approaching and with so much at stake, our study reveals there’s a very real possibility that a large number of retailers will not be compliant in time.”
Irwin Mitchell’s survey found that just 23% of retail businesses are certain that they would be able to detect a data breach within their organisation. Just 35% say they are confident they would notify the relevant stakeholders within the required timescale of three days.
Other changes under the GDPR include an obligation to be more transparent about how personal data is used. Businesses will also need to have processes in place in case an individual asks for all their personal data to be erased.