On May 25th, 2018, the EU’s General Data Protection Regulation (GDPR) rules will come into force. Although many of our member companies are already prepared for, and are abiding by GDPR, others are seemingly less clear about the policies and procedures that they need to put into place before the May 25th deadline.

We have therefore prepared an interpretive document to help support our membership.  We have addressed the key issues and focused most specifically on the questions most frequently asked by our members. This document, titled ‘An Interpretation of GDPR for Mystery Shopping Providers’ is now available in the secure members area of our website.  All members are urged to access the information and make sure that they are clear about our interpretation of their roles and responsibilities as both Data Controllers and Data Processors.  Failure to adhere to the new rules could result in heavy penalties being levied. 

Issued covered within our advisory document include:

• What is GDPR?
• Why was it introduced?
• How does it apply – what are Data Controllers and Data Processors?
• Who are the “Data Subjects”?
• What is their “Personal Data”?
• How does the regulation protect the Data Subject?
• What should the Data Subject expect?
• What does all this mean to me as a Data Controller?
• What does all this mean to me as a Data Processor?
• How should I manage the issue of Consent, Correction and Erasure for client employees?
• What do I need to do and when should I do it?

It’s probably fair to state that when GDPR was discussed at last year’s conference in Belgrade, the main take out was that we needed to ensure that we were compliant with regard to our role as Data Controllers i.e. that we had a duty to protect our Data Subjects – our employees and mystery shoppers – and ensure we afforded them the right of Consent, Review, Correct, Erase and Be Informed.

Our role as Data Processors wasn’t as clear - however this is equally as important to address.  As Data Processors, we additionally need to think about how we Collect, Publish and Store our clients’ data, which includes the personal data of the Data Subjects (the employees) that we mystery shop.   It should be noted that clients’ franchises and competitors also fall under this umbrella.  Hopefully this document provides further guidance on this point, though we cannot be definitive at this stage.

We will provide further information regarding other aspects of GDPR as and when we find out more.  Our other planned activities on GDPR include:

• CONNECT - we are intending to open a forum where members can exchange views regarding GDPR, so watch this space.
• LEARN - we are working to provide other information, education options and certification programmes with the help of trusted partners.
• SHARE -  we welcome any comments, questions and suggested alterations from members who may have information to share with the association.

We trust that you will find the information contained within the detailed document valuable, however please remember that this has expressly been created to offer an interpretation of GDPR in terms of its impact on you as providers of Mystery Shopping services. It does in no way constitute advice, and the MSPA and its representatives have no liability for the information that’s been provided.

Finally, an interactive session on GDPR is scheduled for inclusion at the conference in the Algarve in May. Make sure you have a representative of your company attending the conference so that best practice can be shared across our community. 

Don’t delay, act today!

Login to the secure members area to see the FAQ and KNOWLEDGE centre the advisory documentation