The data crunch: Getting ready for GDPR


The arrival of the EU’s new data protection regime, the GDPR, will have far-reaching effects on the retail and retail real estate industry.


When it takes effect on 25 May, all businesses in Europe and even those beyond that handle EU citizens’ data will have to conform to a brave new world that puts the consumer first – or pay the consequences.

The new GDPR legislation coming into effect on May 25 will require all holders of data on EU citizens to overhaul how they collect, store and process data. The timing couldn’t be more pertinent in the wake of the Cambridge Analytica and Facebook scandal. Data, which was once seen as dull, is now in the front of consumers’ minds in the light of questionable harvesting techniques and high-profile security breaches.

‘The regulation itself comes in with sweeping changes to the marketplace for organisations that collect, store, process and transfer data,’ says ­Pragasen Morgan, EY’s privacy leader. ‘In particular, it’s focused on personal, i.e. sensitive data, across seven categories defined by the legislation itself. In its very basic form, this is about protecting individual rights, placing the consumer front of mind. In the past, businesses have utilised customer data for their own benefit, but this puts the control back in the hands of the individual.’

What will this mean in practical terms for owners of retail real estate? Morgan crunches the numbers and reveals several key areas that require attention.


‘If retail real estate owners are providing IT facilities to tenants as part of the space that they are leasing out, we need to identify if they are the processor or the controller of that data. If they are providing IT infrastructure, they could be deemed to be a processor under the new legislation. And that brings more responsibilities,’ Morgan says.


‘The second issue is based on the rental contract itself. The property owner has to make sure that their tenants are adhering to the GDPR legislation. As we’ve seen above, that’s especially the case if they’re providing IT infrastructure but generally as a landlord, they have that responsibility.’


‘All shopping centres provide various marketing campaigns with and on behalf of their tenants. During a Christmas campaign, for example, customers walking into that centre might sign up for something and have their data kept on record, for successive marketing operations. This now becomes more structured – landlords will have to be clear about the grounds they have for processing that data.

‘Ultimately, that means ticking three separate boxes. They need to ask if they have legitimate purpose in collecting that data. They also need to be sure they have a lawful mechanism in place to keep it safe. The third issue is consent, which is one of the biggest changes in the legislation. There has to be explicit consent now, across how the data is processed, stored, transferred and deleted. So companies won’t be able to sell that data on in the future.’


‘Shopping centre owners often take pictures of events, or record CCTV images for security purposes. There now has to be clarity on processing that. So they can’t necessarily just have the CCTV camera images hosted in a cloud, with a third party or a contractor – there needs to be transparency about where it is, what they’re doing and where it’s being stored.

‘This is important because an individual will be able to ask for that data in the future. That means you need to be able to redact all the other images in that component and give it to the individual. It’s worth noting that individuals will have to be specific and have good reasons for why they’re requesting that data.’


‘Whenever data collection involves minors, that will add another level of care. This will be slightly different in each country, irrespective of EU legislation, but essential with image files you will have to be careful about where that data is being stored. Beyond pictures, you might collect the data of minors if you have a kids’ club. In such cases, you need parental consent to collect that data.’


‘Most shopping centres tend to outsource wi-fi provision to a third party, which often involves customers signing up for that service. The shopping centre needs to know who is collecting that data, who is processing and controlling it, and must ensure that it is being captured and stored safely – not least because their reputation is at stake.

‘Equally, the third party needs to be clear as to the reasons why they’re collecting that data, they need to tell the individual, they need to change their privacy policy, they need to update transparency for that data and be very clear about how the individual can get rights to that.


‘The real crunch for this legislation is that it will also affect the way non-EU countries handle EU citizens’ data. The awareness around that is still evolving, although I have already seen plenty of parent companies, in the US for example, take that legislation seriously. Points to note are the following. In theory, the legislation won’t protect you if you are outside the EU, but it’s not clear how that will work.

‘These organisations are much more focused on issues surrounding data that is flowing from the EU to the US. In these cases, data transfer agreements need to be in place, in consultation with the regulator. Because in these cases, the legislation will definitely apply.’

In summary

‘This regulation represents a huge shift in attitudes towards data management. We’ve already seen huge fines being handed out to consumer marketers in the UK for the abuse of data in their possession. It’s expected that we will see a much tougher regime implemented by regulators, country by country, to make sure that the organisations are doing the right thing by customers or by the individual. The time to become compliant is now.’