Application of the GDPR for RFID on item level
Impact of the new EU privacy regulation on RFID implementations in retail stores
By Tom Vieweger
By Tom Vieweger
Over the last days and weeks, perceived half of my emails had “GDPR” in the subject line. Where does that burst come from and what does GDPR mean for RFID implementations in retail stores? In short — today, on May 25th — the new General Data Protection Regulation (GDPR) will become effective and replace previous data protection acts in Europe. We already see that this might change certain rules of the game for dealing with personal data.
That’s why today, I’d like to take a closer look at if and how this may affect RFID implementations in retail. While the usage of RFID in retail stores and in the supply chain is mainly oriented towards increasing stock accuracy and improving logistic processes, this doesn’t exclude a privacy element for the consumers buying RFID-tagged products.
Uncertainty among retailers is big, as huge fines of up to two per cent of annual consolidated sales or up to ten million euros may be imposed. For serious violations, these can be doubled. Thus it is important for retail companies using RFID technology to comply with this regulation. Because at the same time, being compliant with GDPR is also a chance to win trust.
One of the core elements of privacy is the protection of personal data. The GDPR defines that personal data means any information relating to an “identified or identifiable natural person”. However, the data in the RFID tag relates to a serialized product identifier (which states that it is a certain “blue t-shirt in size M” or a “red dress in size XL”) which is unique across the globe – so to say the ID card of a certain product.
So, is the serial number (EPC) on the RFID chip personal data? Well, it depends. As long as it is not related to a single individual it is not. Therefore, if the EPC is purely treated as a supply chain element — it will not be personal data. However, if any use case is added where customer data are registered, it can quickly become personal data. This is especially the case when it comes to checkout processes; no matter if it is performed via the private device of a client (a so-called “mobile checkout”) or at the checkout counter where a client uses a loyalty or a payment card with personal identification. In those cases, the EPC could be related to personal data, and a lot more care should be taken.
The GDPR itself is not specifically targeted at the usages of RFID. However, there is an existing European recommendation “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification” that is focusing on RFID. This recommendation from 2009 can be directly applied, as it gives some interesting insights on how to implement RFID in a privacy-conscious way.
Basically, the recommendation for retailers is to be as transparent as possible towards customers about the application of RFID. These two measures have been proven as best practices:·
Furthermore, privacy and information security features should be built into RFID applications before their widespread use (principle of ‘security and privacy-by-design’). The RFID industry is actually adopting this. An example is the ‘untraceable’ functionality that is present in the most recent version of the RFID standard. The ‘untraceable’ feature offers the following functionality:
A follow-up of the EU recommendation was set with the RFID Privacy Impact Assessment (PIA). Using this assessment, a retail company that is about to deploy RFID technology is able to assess the impact of that deployment on the privacy of consumers and is able to take precautionary measures to minimize the impact.
The international standards organization GS1 has transformed this into an Excel-based tool that can be found here. Another tool was created by the French National Centre for RFID (CNRFID), which can be found here.
There is an undeniable link between GDPR and RFID as the technology has the potential to link a specific purchased item to an individual person. However, retailers do not need to be afraid of over-regulations or potential conflicts with consumers. The good news is that retailers can take very straightforward measures to be GDPR compliant and make sure that their customers do not have to worry about their traceability through any items they have purchased.