GDPR famously came into effect in 2018, but since then CCPA in California and PIPEDA in Canada have both changed the privacy landscape further in North America. Now more than ever, retail owners have to be prepared to deal with customers who have questions about privacy. More specifically, questions regarding the collection of their personal information, what retailers intend to do with it, and how they will protect it from misuse and data breaches.
The best thing you can do right now is start on the process so that you protect your reputation with customers and are prepared when the US or Canadian government changes local privacy regulations again. After all, regulators and customers everywhere would rather see that you have a plan and that you’re working on improving rather than giving up or saying “it doesn’t apply to me.”
Rome wasn’t built in a day
For many small businesses, even knowing where the data of their customers and other people is stored is already hard. This is especially true nowadays, with so much data being used and so many integrated systems. For most of us in North America, we’re just starting to consider how best to handle privacy in our day-to-day operations.
To make it easier, we’ve listed 8 basic steps below to help you get started on your privacy regulation journey within the context of PIPEDA, GDPR, and CCPA (download our GDPR checklists). These 8 steps are not necessarily enough for compliance with the different privacy regulations, but they are a step in the right direction. Only you can decide the data risks you are willing to take with your business, but hopefully this will help you clarify what those risks are.
1) Do a Privacy Audit for Personal Data
Download our checklists to make a detailed spreadsheet or summary of where you keep and collect personal data in your business.
2) Check if you currently handle Personal Data Outside of the Country
If you already handle sensitive Canadian, American, or European personal data, we recommend that you get further legal assistance, as the different policies (PIPEDA, GDPR, and CCPA) already require that you comply. Here is a good comparative guide you can reference to understand the differences between each act.
3) What reason(s) do you have for collecting Personal Data?
Determine what lawful basis you have to collect personal data. Consent? Contract? Legal Obligation? Legitimate Interests?
4) Review existing data and delete any unwanted data
This is probably the most painful part of this exercise. If you have been patiently collecting customer or lead data for years, you will need to make the difficult decision of whether it is necessary for you to keep all of your existing data. In some instances, you may find that you have been collecting data for years that you never use. In others, you may have concerns about the source of a list of leads you received in the past. Whether you decide to keep the data or not, it is important that you are aware of what you have so that you know the risks.
5) Update company policies and agreements
6) Revise company processes and suppliers
Moving forward you should only gather personal data you need and make sure you have lawful grounds to process it.
Add and document consent wherever possible in your business processes. Consent has to be freely given, specific, informed and unambiguous (pre-ticked boxes aren’t allowed) on all of your forms, digital or paper. For email marketing, use reputable services such as MailChimp that are legally compliant, so that subscribers are able to unsubscribe at any time.
7) Review all 3rd party processors and sign Data Processing Agreements (DPAs)
It’s also important to consider the privacy practices of your suppliers if you share any data with them that contains personal information. Understand that many North American businesses, and most small businesses, aren’t ready for updated privacy regulations, but make sure that your key partners are making efforts to improve how they handle privacy in their operations. If you’re sharing data with large processors such as Google Analytics, Facebook or MailChimp, you should sign their Data Processing Agreements (DPAs) or review the privacy settings they offer to customers that share personal data with them. We’ve listed a few key processor DPAs below:
8) Review your company data security
You cannot have privacy without security. While there’s no such thing as 100% security, every business should review who has access to company data and whether current security settings and backups are sufficient.
What we’re doing at TAKU Retail
This post is an updated version of an original post published on the ACE POS retail blog.
You can join our beta waitlist here. In the meantime, subscribe to our blog for more retail tips and strategies.