CASE STUDY

GDPR, Established Retail Brand

 

Scope

A highly reputable retail brand asked Dallas Consulting to help their business meet GDPR compliance. The client defined their requirement as advice and support to implement GDPR compliance in the handling of personal data for shop floor retail sales and marketing purposes. The client understood that how and when personal data is requested for retail sales and email marketing campaigns would need to be reviewed. The aim was to:

  • Enable staff to correctly take customer personal data for product sales and services

  • Allow customer personal data to be captured for each retail transaction

  • Use new and existing customer details to contact customers about marketing activities and offers

  • Ensure GDPR compliance in the business to avoid penalties and operate to best practice

The client had a Data Protection Policy aligned with the Data Protection Act 1998 and secure electronic systems, including Till systems.

Our Solution

Our first step was to qualify the purpose, because the scope requested compliance for sales and marketing only. With this in mind, we needed to establish whether GDPR compliance had been achieved or was needed across all Company functions. The purpose was clarified as compliance across the whole Company, whereas the client had understood it to cover only sales and marketing.

The next task was to establish, through an audit, the requirements for full GDPR compliance. Working alongside the Operations Director, we customised the assessment to capture the status and needs of each division in the Company. Upon completion of the audit, the key requirements were identified and implemented as follows:

  • Provided the choice for Customers/General Public to ‘Opt-In’ to receive different types of email marketing newsletters

  • Implemented a new process to identify and track contact with existing Customers prior to the GDPR Effective Date, and a process for contacting only consented Customers afterwards

  • Provided a GDPR Statement to request Customer consent in the shop and online

  • Defined what personal data may be obtained and how long it is stored for

  • Provided Formal Registers with documentation and a process for Subject Access Requests

  • Drafted legal terms for customers, third parties and the website

  • Created employee consent forms for Company marketing publication requests

  • Reviewed and updated the existing HR Handbook to meet GDPR requirements

  • Validated whether security on existing systems complied with GDPR and introduced new, more efficient, compatible and integrated systems supported by a strategy

  • Identified standardised step-by-step processes covering all key operations across the Company

  • Reviewed third parties, with process aligned and contractual terms put in place to support GDPR

Our Success

Overall, operational efficiency increased by 30% across the Company and there was a reduction of over 50% in process issues raised internally.

This GDPR project highlighted multiple methods and approaches across the workforce that, despite being of a high standard, were causing inefficiencies in time and costs. This was resolved by defining and implementing a suite of key step-by-step processes. This not only streamlined operations but also improved Company quality standards, leading to strategic objectives to implement ISO9001.

This was further enhanced by creating a Company-branded training programme, giving value-add, in-house certified training to new staff and refresher training for the team. Finally, the project highlighted systems integration needs for additional efficiency and functionality supporting business growth.