This case study is based on a recent audit carried out on a high street retailer client. The retail industry typically works on high volume sales. For the high street, this also means high staff turnover, shops, warehouses, distribution, and consumer regulation.
Sales and marketing is important to them and helps to entice consumers into the shops.
Our retailer client is no exception to this.
Typically, most retailers would also have a substantial online presence, however our case study has a website where you can view products and deals, there is no facility to purchase online.
After an initial consultation with the MD, the retailer then filled out the pre-assessment questionnaire and from this we determined that due to the size of the business, the close proximity and availability of all interviewees, and the identified data types – that a two day audit would be suitable.
What we did
The scope of the audit was to assess the entire business against the new GDPR.
Following our standard methodology our consultants developed a comprehensive view of the retail business, and collected data from all of the business areas, including HR, Accounts, Payroll, IT, and 3rd party data processors.
With unhindered access to all parts of the business and a nominated project manager, GDPR Auditing we able to complete the audit interviews in one visit over the proposed two day period, and came away with no unanswered questions.
What we found
The audit confirmed a number of areas where the retailer was following good practice guidelines, and industry specific codes of conduct.
However as expected GDPR Auditing helped the retailer uncover several areas where improvements could be made. It is important to note here that because the retailer is not yet fully complaint with GDPR, does not in any way imply that they are deficient or out of compliance against current legislation.
We identified remediation required across several areas so that when the GDPR comes into force on the 25th May 2018 the retailer would be confident that they had performed the requisite actions to comply with GDPR.
The items we found were a subset of issues we have seen across a number of businesses and are discussed in general later in this case study, see “Common Areas Where Businesses Can Start Working Towards GDPR“ below.
What we delivered
GDPR Auditing compiled a report on the findings from the audit, covering HR, Accounts and outsourced Payroll, web presence, sales and marketing, IT and outsourced IT, DPO and DPIA requirements.
A report from GDPR Auditing can be used as evidence to the ICO that your business is taking the GDPR seriously, it highlights areas in the business that are doing well and are using good practice.
Most importantly the report highlights areas for improvement and critically for a business sets out recommendations for what actions need to take place.
Here are some quotes from our retailer:
“The interviews were conducted in a collaborative manner to educate and make staff aware of what and how they do, and how it relates to GDPR.”
“The discussion was around what and how to incorporate GDPR into processes rather than just for the sake of it.”
“It provides a plan for (retailer) to address the issues raised to meet GDPR requirements.”
Common Areas Where Businesses Can Start Working Towards GDPR
Phil Mather – Senior Consultant – GDPR Auditing talks about the key areas business need to address when looking at GDPR.
“Having worked with a number of businesses, pre and post the GDPR I have observed the same issues and behaviours over time that are going to become critical for the GDPR.”
“Financial data – credit and debit card information used to be a hot topic, PCI DSS is a standard imposed by the card schemes encouraging businesses to ensure card data is secure, five plus years on businesses are still struggling with it or ignoring it.”
“GDPR is law, businesses will have to comply, with a nod to proportionality.”
Without implication or prejudice the following areas should be on the priority list for most if not all businesses:
- Review and amend where necessary cookie and privacy policies
- Ensure you have the right consent – for all the types of PII data you hold
- Ensue that your 3rd party processors are aware of the GDPR and that your contracts with them follow the GDPR guidelines
- Register your data processing activities with the ICO
- Keep as little information as absolutely necessary to run your business old or unneeded data
- Completely remove (where possible) all unnecessary PII data
- Make sure your IT systems are not only secure but that you can demonstrate it
- Know where all of your PII data is
- Provide means by which ‘all’ data subjects can make the relevant data requests
- Assign a DPO or a resource who can undertake DPO duties
- Ensure responsibility for data privacy at board level
- Build data related issues into your incident management process
For more details about our auditing services please click here.
© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.