With the growing prevalence of online retail and direct sales, more and more consumer product manufacturers are turning to direct-to-consumer (DTC) selling as a means of driving sales, strengthening their brand and loyalty, and taking greater control over the end-consumer's shopping experience.

Apple is perhaps one of the most ubiquitous and successful examples of a manufacturer who has looked to take the DTC route, with their online and offline DTC offering a key focus in its drive to increase sales and control its overall customer experience. Other notable companies looking to exploit DTC sales include Nike, who is looking to increase such sales to $16 billion by 2020 (an increase of 250% from its 2015 position), and Tesla Motors, who has fought to overturn legislation in the US which prohibits the direct sales which are central to its business model. UK car manufacturers are now offering direct sales too.

In addition to the financial benefits associated with DTC sales, manufacturers are increasingly attracted to the rich customer data which can be collected through DTC sales. Effective use of this customer data can allow manufacturers to tailor advertising campaigns and personalise the shopping experience of its customers in order to rationalise its marketing activity and, ultimately, drive revenues through loyalty.

Once a manufacturer has collected their customer's data, however, it does not have a free hand to exploit that data in any way it pleases; to the extent that the data collected is personal, then the manufacturer's use of their customer's data is governed by the Data Protection Act 1998 (DPA). For the purposes of the DPA, personal data is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the relevant data controller.

Manufacturers dealing with the personal data of its customers on a daily basis are likely to be well-versed in the data protection principles underpinning the DPA. From 25 May 2018, however, the General Data Protection Regulation (GDPR) takes direct effect in all EU member states, replacing the existing European directive and each member state's national data protection laws. The GDPR contains a number of key changes to the DPA and Directive, and manufacturers dealing with customer data as part of their DTC sales approach should be aware of these.

You may wonder what impact the Brexit vote and Britain's expected departure from the EU will have on the GDPR? Given that Britain will still be a member of the EU on 25 May 2018, all UK businesses will need to be GDPR-compliant by this date. Likewise after that date, it is expected that for as long as there are transfers of data between the UK and the EU, then the UK will need its own national law that provides an equivalent level of protection of personal data, as is provided by the GDPR, to continue strong trading relationships and also as the GDPR applies wherever personal data is processed relating to EU citizens. There is a key benefit of having a standardised data protection approach across organisations operating across many countries.

One of the key changes to existing data protection law contained in the GDPR is that non-compliance could lead to heavier sanctions; the revised enforcement regime is underpinned by power for regulators to levy financial sanctions of up to 4% of the annual worldwide turnover of the organisation's group or up to 20 million, whichever is the higher. This is a significant change from the current regime, including in the UK, where the maximum fine is currently 500,000.

In light of the pending implementation of the GDPR and its tougher penalties for non-compliance, we have set out below a list of ten essentials for compliance which manufacturers handling personal data through its DTC channels or otherwise should seek to follow:

1)Be transparent with data subjects about the processing of

their data greater detail is needed, balanced with ease of access and understanding, as well as careful use of consents;

2) Appoint a data protection officer to manage compliance;

3)Implement procedures which allow individuals to exercise their rights to access and correct their data;

4)Put in place rigorous data security breach notification procedures;

5) Train and educate staff involved in data processing;

6)Consider international data transfer restrictions and put in place legally approved transfer mechanisms;

7)Contractually stipulate warranties from third party data processors, and put in place the contractual requirements set out in the GDPR through a contract updating exercise;

8) Document data processing operations in detail;

9)Ensure continuous monitoring and follow up of compliance efforts so that you can justify why particular processing is taking place; and

10)Adopt a privacy-by-design and privacy-by-default approach when developing new products or services, or new uses of personal data.

There are clear benefits to be derived in the adoption of a DTC sales model, but it is an approach that brings with it new and evolving risks which will need to be carefully considered by manufacturers seeking either to continue existing DTC sales or break into that space for the first time in the new GDPR world.