Most retailers have been dreading this – the General Data Protection Regulation (GDPR) is finally coming into force in the European Union today (25 May 2018). They fear potential fines of €20 million or 4% of their entire turnover if they are found not to comply or to have acted negligently when dealing with sensitive customer data.
Despite most retailers claiming that they are well-prepared for GDPR, we believe that there are still some gaps. In many cases, efforts have been made to restrict data sharing and usage to comply with GDPR. However, most retailers could have done more, such as adjusting their corporate governance structures, upgrading their IT systems and training their employees. Many retailers are still not sufficiently prepared, and may need to adjust their business strategies and how they collect, store and analyse customer data.
Retailers don’t just dread the fines
Retailers need to find the right balance between using customer data for upselling, cross-selling, and marketing purposes, and restricting such activities to minimise the risk of any breaches. Customers who have signed up to loyalty schemes may need to be asked to confirm that they are happy with how their data is used, and may opt to restrict it to certain purposes.
The problem that retailers are facing is that fewer customers will consent to data usage than before, thus limiting opportunities for sales, marketing and analytics. Even if strict corporate policies are implemented to satisfy regulators, retailers cannot completely eliminate the threat of rogue employees misusing customer data to meet their sales targets. Retailers may also need to reorganise the way they do business if certain data or analytics-driven approaches are no longer viable.
How can technology help retailers minimise risks?
Implementing the latest data governance tools combined with robust cybersecurity protection can lead to a more transparent approach and fewer breaches. Should breaches occur, the employees in question could be held responsible, since data access can be tracked.
Retailers could also look at emerging blockchain technologies for their databases, which provide additional security and accuracy by keeping safe records of all data edits and storing data points in a distributed ledger. Some popular technologies such as the internet of things (IoT), which rely on data capture from in-store devices like cameras, sensors and beacons, may need to be used differently than before GDPR, by ensuring that records are anonymised, encrypted and deleted where necessary.
Is GDPR only relevant for European retailers?
Non-European retailers have been late in their preparations for GDPR since they have underestimated its impact on them. However, every retailer that sells to customers in an EU country (including the UK, despite the ongoing Brexit process) needs to ensure that it has taken all necessary measures to protect those customers' data according to the strict regulations.
By adhering to GDPR, retailers can also achieve higher consumer confidence outside Europe, especially in North America where data protection is also becoming a hot topic. Retailers increasingly look to compete on data protection and aim to do everything possible to avoid the large data breaches that have affected several major players in the past and have resulted in million-dollar losses.
What will happen when the first breaches emerge?
Retailers will be watched carefully by consumers, authorities and journalists, who will be keen to expose the first major GDPR-era data breaches. Any retailers that are found to have used data in a reckless or negligent way, or to have put no protective measures in place, could face a major competitive setback if they have to pay hefty fines in addition to suffering serious damage to their reputation.
It will be interesting to see which retailers will be exposed, for what reason and by whom. In some cases we may see internal whistleblowers emerging. In other cases, retailers that have prepared well for GDPR could get away without being fined, while individual employees may be prosecuted if they have committed breaches despite receiving clear instructions. As breaches emerge, any laggards that have not taken GDPR seriously enough will suddenly wake up and invest in the latest cybersecurity, access management and monitoring systems. The biggest winners will be technology vendors, system integrators and consultancies that focus on IT security combined with retail knowledge.
For more insight and data, visit the GlobalData Report Store – Verdict Retail is part of GlobalData Plc.