In recent years, businesses operating in the fashion and luxury brands sector have become more sophisticated in their ability to collect, process and analyse the personal data of their customers. This is true both online and in-store thanks to new technologies and tracking tools.

The use of such technologies involves collecting and processing a higher volume of customer data than ever before and poses security and data protection compliance challenges. To protect against those risks, businesses operating in the fashion and luxury brands space must implement appropriate safeguards to comply with the upcoming General Data Protection Regulation (GDPR) which will apply from 25 May 2018.

Preparing for the GDPR

The GDPR will significantly impact businesses' approach to data protection compliance. Considering the nature of the data processing activities and the importance of marketing campaigns and analytics, should form part of a GDPR risk assessment against current data processing practices. This is the first step in implementing a GDPR compliance programme.

Implementing robust transparency mechanisms

The use of technology increases consumer interaction across brands and platforms and generates a higher volume of data, especially through connected devices or CRM programmes. Methods of collection of personal data are also more complex. Personal data can be collected directly from individuals or from other sources, increasing the need for an effective transparency mechanism (e.g. in a privacy notice or website privacy policy).

The GDPR requires data controllers (as defined under the GDPR) to be transparent about their data processing activities. A prescriptive list of information must be provided to individuals including the types of personal data processed, how they are used, for what purposes and the rights that individuals have over their data. Providing that information can be a particular challenge where it is collected in-store when, for example, customers sign up for a loyalty card, especially given that the information should not be provided retrospectively. In any event, it will be good practice for the information to be sent again to the customer's email address, together with an opportunity for the customer to opt-out of further communications, or to cancel participation in any scheme but only where there is a lawful basis (such as consent) for sending it in the first place.

Transparency is not only about providing notices in a "concise, transparent, intelligible and easily accessible form, using clear language", it also requires actively monitoring new data practices. When a new technology is introduced (e.g. analytics software or a new customer application) and involves processing personal data for purposes other than those for which the data was originally collected, such new purpose must be communicated to individuals by way of appropriate notice or where, applicable, by contacting individuals directly. In essence, transparency is an ongoing requirement, not a one-off obligation.

Direct marketing and profiling activities

Direct marketing and advertising practices in the fashion and luxury brands sector

Businesses operating in the fashion and luxury brands space have long been using customer data collected from a wide range of sources including cookies, beacon and pixel technologies to analyse their habits. New technologies can help create innovative and targeted marketing campaigns (e.g. the 'See now Buy Now' campaign) and provide more personalised products to customers by analysing their personal data using online tracking tools, Artificial Intelligence (AI), RFID tags, mobile applications wearable and block chain technologies. They can also help to predict trends, obtain customer feedback and identify potential growth areas.

Businesses making the most of AI and Big Data include Stich Fix which provides an online personal stylist based on consumer-provided data, True Grault which supplies custom-fit shoes based on a scan of your feet and data on personal preferences and the soon to be launched Coded Couture which will use Google technology to create a personalised "Data Dress". AI has also been introduced to offer more personalised solutions to e-commerce platforms, in particular for luxury brands (e.g. the partnership between Farfetch and Certona), and to improve supply chain capabilities for retailers (e.g. Zara, Inditex, H&M) – see our article for more.

Mobile applications have also become more sophisticated and help customers manage their orders, pay for their items online, find their nearest shops or have personalised stories based on their shopping habits (e.g. Burberry's mobile application).

Direct marketing obligations under the GDPR and the e-Privacy regime

Controllers carrying out direct marketing activities have to comply with obligations under the GDPR and the electronic communications rules under the e-Privacy Directive (currently under review) when sending electronic communications to their customers.

Businesses may find it difficult to navigate between the GDPR and e-Privacy regimes and will first need to assess what basis they want to rely on to carry out their direct marketing activities, most likely either consent or the processing being in their legitimate interests. If they decide to rely on consent for sending direct marketing communications to their customers, they will have to review their existing consent mechanisms to ensure that they meet the enhanced GDPR threshold - consent may need to be refreshed), record and evidence consent collection, present it in a transparent way and offer a clear opportunity to opt out. They may also want to consider other purposes as a justification for processing the data, particularly if valid consent will be hard to achieve.

Where tracking customers amounts to profiling (e.g. where businesses use personal data to analyse or predict their customers' personal preferences, behaviours and attitudes), controllers should be aware of the special GDPR rules, including a requirement to provide customers with the right to object to profiling. Before this kind of processing is carried out, businesses should undertake a privacy impact assessment to ensure that the rights of their customers will not be unduly affected.

Providing appropriate security measures

The integrity and security of the data is critical to ensuring data protection compliance but the relevance of data security goes wider than legal compliance - a serious data breach can cause significant damage to a carefully built-up brand.

The GDPR requires controllers to implement appropriate security and organisational measures and processors should assist them in implementing such measures. It is necessary for businesses to fully understand how the technology works, how it operates with the business' internal systems and what security measures are applied to protect the data from security incidents or breaches.

To minimise security risks, controllers should carry out a thorough security assessment of their suppliers and app providers and review their security measures and procedures prior to implementing any new service which involves processing personal data, including an e-commerce platform, a mobile or CRM application.

Considering the potential privacy risks for individuals, controllers should also develop privacy by design and default techniques, which can be in cooperation with third party developers or providers.

Recent high profile data breaches have shown how quickly a breach can escalate and the speed at which the media and regulators become involved. It is worth preparing a breach readiness plan to help to manage any security incident or breach.

All part of the customer experience

Whether in-store or online, fashion and luxury brands businesses will need to embed data privacy into their operations, not only to comply with the law, but also to enhance customer confidence and experience. Only by doing so, will they be able to make full use of the new technologies which can benefit their customers but also help them grow and differentiate their businesses.