By John Barchie, Arrakis Consulting
In 2017, over 8.1 million citizens of European Union countries visited the U.S. as tourists, according to the U.S. Department of Commerce. It is reasonable to believe that while they were in the country, most of these tourists made some purchases at U.S. retailers. Some might even have seen an item they liked and then waited until returning home to order it online. In the past these shoppers would have been just another customer, but starting at the end of the month — under certain circumstances — their purchases could put a retailer at risk for fines.
When the EU’s General Data Protection Regulation (GDPR) goes into full effect on May 25, 2018 — and along with it penalties for non-compliance — it will change how retailers in the U.S. must store and protect information about EU citizens. Generally, a brick and mortar retailer would be affected by GDPR if the retailer collected credit card or banking and personal information on an EU citizen during a purchase. This can be true for every type of retail from a gift store at a national park to a national department store to an ice cream shack at the beach.
It will be nearly impossible for most small retailers to predict when and if an EU citizen will stop into their store and happen to make a purchase while visiting the U.S. However, larger retailers in major metropolitan areas such as New York, Chicago, and Los Angeles — as well as popular vacation destination cities — can reasonably assume they will have EU customers and need to be prepared.
Regardless of size or location, brick and mortar retailers will want to make sure they are GDPR compliant, because maximum fines could be up to $26MM or 4 percent of global gross revenue, whichever is greater. It is also worth mentioning that there is one surefire way to eliminate GDPR risk for brick and mortar retailers: only accept cash from EU citizens.
Online retailers will fall into two categories: those that GDPR cannot affect, and those that face the greatest risk of GDPR violations. Small mom and pop online retailers that only ship within the U.S. will most likely never have an EU customer. Shopping carts can be set to accept only credit and debit cards with U.S. billing addresses, removing the possibility of an EU citizen making a purchase even while visiting the U.S.
Large online retailers and auction sites that ship worldwide will be the sector of retail most widely affected by GDPR. They will need to make sure they are following all components of GDPR, from delivering clear data collection notices to EU customers, to proper data encryption, to speedy reporting if a breach does occur.
Essentially, GDPR was created to ensure that companies in the EU and worldwide better protect any data collected on EU citizens. GDPR also requires that EU citizens be clearly notified, and that they give explicit consent, before any personal data is collected and stored. In order to comply with GDPR, healthcare organizations and facilities would need to ensure they have developed and are using compliant consent forms starting in May. Other GDPR requirements include specifications on how long a company has to notify authorities if a breach occurs, along with requirements for how personal data on EU citizens is encrypted while being transferred or stored.
Current U.S.-based data privacy regulations require companies to notify customers if a data breach occurs, but in the U.S. there can be a significant time delay between the breach and the notification letter; not so with GDPR. GDPR requires that the Supervisory Authority be notified within 72 hours, even while a breach is still being investigated. Failure to report within 72 hours could lead to significant fines.
Depending on how many EU customers a retailer attracts, it may be necessary to appoint a Data Protection Officer (DPO). A company will be required to have a DPO if it possesses large amounts of data covered by GDPR. The DPO must be available and involved in any event where there is a possibility of a loss of GDPR-covered data. The DPO will be the point person for any GDPR issue with the affected persons and the Supervisory Authority, and needs to know both the regulation and the company’s security protocols. If a company is not required to have a DPO, it should still have a plan in place for whom it will call if the Supervisory Authority opens an investigation. It should also take steps to ensure that data on EU citizens is collected with consent and stored in a manner that meets GDPR security requirements.
About The Author
John Barchie, Senior Fellow at Arrakis Consulting, which specializes in GDPR compliance, has twenty years of experience in computer networking, particularly Information Technology and Cyber Security. The majority of his career has been spent developing security protocols for Silicon Valley corporations including Symantec, PayPal, PG&E, KPMG and OpenSky. He has completed security projects for Sony PlayStation and NASA. For more information, visit www.arrakisconsulting.com.