Online crimes against retailers rise 30 per cent as new data protection rules loom

Incidents of online crime against businesses in the retail sector have risen by 30 per cent over the last year, according to a new crime survey, raising concerns about the sector’s preparedness for new data protection rules.

The latest commercial victimisation survey published by the Home Office found that there were 787 incidents of online crime per 1,000 retail premises in 2016, up from 603 in 2015.

The online crimes experienced by retailers included hacking, website vandalism, viruses and the theft of money and information.

The new figures support the findings of a recent British Retail Consortium (BRC) crime survey, which revealed that cyber-crimes such as hacking and data theft represent 5 per cent of the total direct cost of crime to retail businesses, costing upwards of £36m.

A separate survey from the Department for Culture, Media and Sport found that retailers who hold electronic personal data on their customers are 14 per cent more likely to have experienced a cyber security breach than those who do not.

With less than a year to the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, audit, tax and consulting firm RSM is warning that failure to prepare for the changes could see companies facing penalties of up to €20m, or four per cent of annual global turnover.

Andrew Westbrook, head of retail at RSM, said:

‘As more retailers shift to online, the amount of customer data they collect to help drive sales and improve the customer experience will continue to increase. With the new data protection rules coming in next year, now is the time to act and safeguard the business by ensuring that systems are secure and compliant. Failure to do so could lead to significant fines and the loss of customer trust.’

The new GDPR rules come into force on 25 May 2018 and will transform how retailers need to store and manage personal data.

Retailers will have to ensure data processes protect the rights of individuals. An organised data protection programme will need to be established, with all activities accurately recorded. This obligation also extends to any third-party contractors or partners working with the business, presenting firms with much greater legal liability in the event of error.