This is the third article in our series on data security and protection regulations in different industries, this time about retail and manufacturing.
Whilst the first two posts on the finance sector and healthcare looked at very specific regulations, this sector has a wider scope. The finance sector’s main regulatory frameworks cover financial transactions and financial risk. Healthcare is more about protecting Protected Health Information (PHI)
Organizations that fall under the remit of retail and manufacturing have to often deal with both general data protection regulations and industry-specific ones, such as financial transaction security.
Disclaimer: This article is meant for introductory guidance only and summarizes the most commonly-cited data security regulations for the retail and manufacturing industry. It does neither claim to be an exhaustive list of all currently-applicable data security regulations across the globe, nor does it claim to provide legal/ compliance advice. For a full assessment of your organization’s regulatory context, please consult with a legal/ compliance professional.
General Data Protection Compliance in Retail and Manufacturing
Personal data protection is a major issue in 2019. The rates of cybercrime continue to increase, seemingly unabated. The 2019, Cybercrime Report from Cybersecurity Ventures expects the cost of cybercrime to reach $6 trillion USD annually by 2021 – which is double the figure for 2015.
Any organization that processes personal data must take steps to protect it and regulations reflect this. The sample of laws below are not exhaustive but show the flavor of regulations that impact the retailer and manufacturer in the consumer space.
The GDPR turned one year old on May 25, 2019. It is a far-reaching regulation that covers all industries of all sizes. Although the GDPR is a regulation of the European Union (EU), it affects any organization that processes the data of an EU data subject – no matter where they are based.
In other words, if your company has a website that actively sells products in an EU state, in euros, and you take the personal data (or process behavioral data) of the purchaser, you will be affected.
Let’s keep in mind that the GDPR is not just about customer data. It also extends to current employees and when hiring employees, if those employees are citizens of the EU.
Retail management of customers has come under the spotlight during the run-up to the enactment of the GDPR. This was in particular around the subject of “consent” and marketing. Consent, under GDPR, needs to be taken, actively and freely without restrictions. The “opt-out” version of consent on a form was eliminated by the GDPR. Instead, the customer had to actively choose to opt-in to make consent lawful.
Profiling user behavior also came under the spotlight of GDPR. This affects retailers that profile a customer using methods such as loyalty cards, online behavior monitoring, etc. The GDPR expressly states that you must collect granular consent if the profiling might have a “legal effect” on the customer. Even without a legal impact, consent should be actively taken.
The “go to” GDPR fix for retailers has been the clause of “Legitimate Interest”. This is a lawful basis under GDPR. It fits when processing data is highly limited in terms of privacy impact or when needed to continue normal service operation. You must prove this is the case in a Data Privacy Impact Assessment.
Interested in knowing more about the GDPR? Learn more about GDPR Posture Assessments or access our webinar “Beyond GDPR: Implementing a Comprehensive Privacy Compliance Program”.
Much like the EU’s GDPR, most countries currently have or will have their own data protection laws. We will look at some examples below.
Related Post: Data Breach Notification Laws: Canada, U.S. & Europe
All 50 U.S. states, including the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have their own state laws for data breach notification. Some of these are very recent.
Colorado, for example, has the HB 1128 breach notification law which took effect on September 1, 2018. This sets out a clear mandate on applying appropriate measures of security to personal data. The bill has overlap with the breach notification laws of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA expects a notice made within 60 days, whereas the Colorado bill sets a limit of 30-days.
The overlap between state data protection laws and industry-specific ones can make writing a security policy more complicated.
The California Consumer Privacy Act of 2018 (CCPA) is one of the better-known data privacy laws in the United States. The CCPA has been compared to the GDPR as it places more power in the hands of an individual when processing their personal data. The CCPA differs from the GDPR in its scope; it only applies to organizations who do business in the State of California.
The DPA 2018 is an update of the earlier UK DPA law that dates back to 1995. This update brings it into line with the GDPR and helps smooth the possible transition imposed by Brexit. It does have some divergence with the GDPR, mainly to add more UK pertinent detail.
In terms of retail, the section which may cause an issue is in automated decision making, which is more stringent than the GDPR. It also adds in extensions to cover law enforcement and the intelligence services.
PIPEDA covers private sector, for-profit, companies who process personal data and are not federally regulated. Employees of federally regulated organizations such as airlines are also covered.
PIPEDA was enacted on April 13, 2000. It is a law covering the enablement of privacy when personal data is processed. PIPEDA has some similarities with GDPR such as the right to access data and the right to challenge the collection of data.
In order to ensure credit card payment security, the Payment Card Industry Security Standards Council (PCI SSC) has defined a set of compliance requirements to safeguard credit card transactions and consumer personal and financial data under the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS regulation covers any company that has a financial element, e.g. online and offline merchants. The regulation is managed by the Security Standards Council. It was originally developed in 2006 by a consortium of financial sector players, including Mastercard, Visa, Discover, American Express and JCB. In its original guise, PCI-DSS covered online payments. In 2018, phone-based payments were added.
There are 4 different levels based on transaction size that can be adhered to. Fines can be up to $500,000.
The six pillars covered by PCI-DSS are:
If your organizations needs to become PCI compliant or assess its current compliance level with the PDI DSS, you may want to engage an independent firm to conduct a PCI compliance audit.
The Internet of Things (IoT) has suffered from being unregulated. Massive Distributed Denial of Service (DDoS) incidents like the Mirai botnet attack have stemmed from poor security practices. The privacy of the data created and consumed by connected devices is now under the regulation spotlight.
Best practice guides and regulations are now appearing across the world.
These two bills cover the State of California and will enter into law on Jan. 1, 2020.
They require that IoT manufacturers use security measures to ensure the privacy of consumer data. The law includes ensuring the device has “reasonable security feature or features”, such as having a unique password for each device.
The UK is proposing a similar IoT regulation to the California law above. However, it is still in the consultation phase.
The UK government “Department for Digital, Culture, Media & Sport” (DCMS) previously released a set of 13 best practice guidelines for consumer IoT device security (see below).
Image property of Department for Digital, Culture, Media & Support (Source)
This Code of Practice for Consumer IoT Security is the basis for the consultation paper which will eventually become law. The consultation paper includes having a labeling system that shows the level of protection used in the device by the manufacturer.
The retail and manufacturing sectors have a complicated matrix of data protection laws to deal with. This can become a complicated job when mapping security strategies and policies to compliance requirements. In a regulatory landscape that seems to undergo continuous updates, it is especially difficult to keep up with the changing cybersecurity threat-scape.
The best foot forward strategy is to place cybersecurity and data protection as a central remit of your company. This will help you tick those compliance boxes and while protecting your business – even when they are added to or new ones enter your space.