Impact of the new EU privacy regulation on RFID implementations in retail stores
Over the last days and weeks, seemingly half of my emails had *GDPR* in the subject line. Where does that burst come from, and what does GDPR mean for RFID implementations in retail stores? In short: today, on May 25th, the new General Data Protection Regulation (GDPR) becomes effective and replaces the previous data protection acts in Europe. We already see that this may change certain rules of the game for dealing with personal data.
That’s why today I’d like to take a closer look at whether and how this may affect RFID implementations in retail. While the use of RFID in retail stores and in the supply chain is mainly oriented towards increasing stock accuracy and improving logistics processes, this does not exclude a privacy element for the consumers buying RFID-tagged products.
Uncertainty among retailers is high, as fines of up to two percent of annual consolidated sales or up to ten million euros may be imposed, and for serious violations these can be doubled. It is therefore important for retail companies using RFID technology to comply with this regulation. At the same time, being GDPR compliant is also a chance to win trust.
Application of the GDPR for RFID on item level
One of the core elements of privacy is the protection of personal data. The GDPR defines personal data as any information relating to an “identified or identifiable natural person”. However, the data on the RFID tag is a serialized product identifier (which states that it is a certain “blue t-shirt in size M” or a “red dress in size XL”) that is unique across the globe, the ID card of a certain product, so to speak.
There is no personal data on the RFID tag of a retail item, but item identification could be combined with personal data
So, is the serial number (EPC) on the RFID chip personal data? Well, it depends. As long as it is not related to a single individual, it is not. Therefore, if the EPC is purely treated as a supply chain element, it is not personal data. However, as soon as a use case is added in which customer data is registered, it can quickly become personal data. This is especially the case for checkout processes, no matter whether they are performed via the customer’s own device (a so-called “mobile checkout”) or at the checkout counter, where the customer uses a loyalty or payment card carrying personal identification. In those cases the EPC can be related to personal data, and a lot more care should be taken.
Must-haves for a retailer’s RFID and privacy implementation agenda
The GDPR itself is not specifically targeted at the use of RFID. However, there is an existing European recommendation “on the implementation of privacy and data protection principles in applications supported by radio-frequency identification” that focuses on RFID. This recommendation from 2009 can be applied directly, as it gives some interesting insights on how to implement RFID in a privacy-conscious way.
1. Transparency of use
Basically, the recommendation for retailers is to be as transparent as possible towards customers about the use of RFID. Two measures have proven to be best practices:
- Inform customers of the presence of RFID tags. This can easily be done by including the ISO standardized RFID logo on the product (for example on the price ticket) and by displaying the logo in the shop window.
- Customers should be able to easily remove or deactivate the RFID tag. This is quite straightforward when the RFID tag is in a swing ticket (which can safely be assumed to be removed by the customer after purchase), but more challenging when the RFID tag is in a care label or embedded in the product. In the latter case, it makes sense to offer a ‘deactivation’ service to customers.
2. Privacy by technical design
Furthermore, privacy and information security features should be built into RFID applications before their widespread use (the principle of ‘security and privacy by design’). The RFID industry is indeed adopting this. One example is the ‘untraceable’ functionality present in the most recent version of the RFID standard, which offers the following:
- Reduce the read range of the tag from long range (2–5 meters) to short range only (a few centimeters). This can be done at the point of sale and reversed on return.
- Hide part of the EPC. This allows hiding the serial number, which is what makes the EPC unique. It also allows hiding the non-changeable production identifier of the tag.
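To make concrete both what the EPC actually carries (the “serialized product identifier” discussed above) and what hiding the serial part achieves, here is an added example in Python. It is not code from the original post or from any vendor; it decodes and encodes a SGTIN-96 EPC following the partition layout of the GS1 EPC Tag Data Standard, and then simulates the effect of hiding the serial number in software (the real ‘untraceable’ feature does this on the tag itself; the zeroed-serial encoding here is just a way to show what a reader would no longer learn). Function names are this example’s own; the sample identifier is the worked example value used in the GS1 standard.

```python
"""Added example (not from the original article): SGTIN-96 EPC structure and
what 'hiding the serial' achieves for traceability of a purchased item.

Field layout follows the GS1 EPC Tag Data Standard:
header (8 bits) | filter (3) | partition (3) | company prefix + item reference (44) | serial (38)
"""

# Partition table: partition -> (company prefix bits, digits, item reference bits, digits)
PARTITIONS = {
    0: (40, 12, 4, 1),
    1: (37, 11, 7, 2),
    2: (34, 10, 10, 3),
    3: (30, 9, 14, 4),
    4: (27, 8, 17, 5),
    5: (24, 7, 20, 6),
    6: (20, 6, 24, 7),
}
SGTIN96_HEADER = 0x30
SERIAL_BITS = 38


def encode_sgtin96(filter_value, partition, company_prefix, item_ref, serial):
    """Pack the fields into the 24-hex-digit SGTIN-96 tag encoding."""
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    if len(company_prefix) != cp_digits or len(item_ref) != ir_digits:
        raise ValueError("field length does not match the chosen partition")
    if not 0 <= serial < (1 << SERIAL_BITS):
        raise ValueError("serial does not fit in 38 bits")
    value = SGTIN96_HEADER
    value = (value << 3) | filter_value
    value = (value << 3) | partition
    value = (value << cp_bits) | int(company_prefix)
    value = (value << ir_bits) | int(item_ref)
    value = (value << SERIAL_BITS) | serial
    return f"{value:024X}"


def gtin14(company_prefix, item_ref):
    """GTIN-14 = indicator digit + company prefix + rest of item reference + check digit.
    The indicator digit is the first digit of the item reference."""
    body = item_ref[0] + company_prefix + item_ref[1:]
    # GS1 mod-10: weight 3 on the rightmost digit, then alternating 1, 3, ...
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(body)))
    return body + str((10 - total % 10) % 10)


def decode_sgtin96(epc_hex):
    """Split a SGTIN-96 hex string back into its fields and derive the product's GTIN."""
    if len(epc_hex) != 24:
        raise ValueError("SGTIN-96 is exactly 96 bits, i.e. 24 hex digits")
    value = int(epc_hex, 16)
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 header")
    serial = value & ((1 << SERIAL_BITS) - 1)
    rest = value >> SERIAL_BITS            # header | filter | partition | cp+ir (58 bits)
    filter_value = (rest >> 47) & 0x7
    partition = (rest >> 44) & 0x7
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    cp_ir = rest & ((1 << 44) - 1)
    company_prefix = str(cp_ir >> ir_bits).zfill(cp_digits)
    item_ref = str(cp_ir & ((1 << ir_bits) - 1)).zfill(ir_digits)
    return {
        "filter": filter_value,
        "partition": partition,
        "company_prefix": company_prefix,
        "item_ref": item_ref,
        "serial": serial,
        "gtin": gtin14(company_prefix, item_ref),
    }


def mask_serial(epc_hex):
    """Software simulation of 'hide part of the EPC': the product identity (GTIN)
    stays readable, but the serial, the only part that singles out one physical
    item, is zeroed. Not the air-interface command itself, just its visible effect."""
    f = decode_sgtin96(epc_hex)
    return encode_sgtin96(f["filter"], f["partition"], f["company_prefix"], f["item_ref"], 0)


if __name__ == "__main__":
    # Two garments of the same product with consecutive serials (GS1 example prefix).
    tag_a = encode_sgtin96(3, 5, "0614141", "812345", 6789)
    tag_b = encode_sgtin96(3, 5, "0614141", "812345", 6790)
    print("tag A:", tag_a, decode_sgtin96(tag_a))
    print("distinct items before masking:", tag_a != tag_b)
    print("indistinguishable after masking:", mask_serial(tag_a) == mask_serial(tag_b))
```

The point the decoder makes explicit: without the serial, a read only tells an observer “a blue t-shirt of this model”, which is the same for every unit on the shelf; with it, the read identifies one specific purchased item, and any later link of that item to a customer record is what turns the EPC into personal data.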
3. Privacy Impact Assessment (PIA)
A follow-up to the EU recommendation was the RFID Privacy Impact Assessment (PIA). Using this assessment, a retail company that is about to deploy RFID technology can assess the impact of that deployment on consumers’ privacy and take precautionary measures to minimize it.
The international standards organization GS1 has turned this into an Excel-based tool, available at https://www.gs1.org/pia; another tool was created by the French National Centre for RFID (CNRFID) at http://rfid-pia-en16571.eu.
There is an undeniable link between GDPR and RFID, as the technology has the potential to link a specific purchased item to an individual person. However, retailers do not need to fear over-regulation or potential conflicts with consumers. The good news is that retailers can take very straightforward measures to be GDPR compliant and to make sure that their customers do not have to worry about being traceable through the items they have purchased.