The subject of customer data protection is more important than ever, with the EU’s General Data Protection Regulation (GDPR) coming into effect on 25th May 2018. But what does that mean for retail businesses, and how will they be affected?
Retail businesses collect significant quantities of data on their customers, be that in the form of loyalty cards, 3rd-party fulfilment and profiling systems or customer credit card data, to name but a few. All this data covers the personal data of customers, and under the GDPR you will have to prove that you are doing all you can when it comes to customer data protection.
In this post, we’ll look at some of the issues the GDPR poses to organisations in the retail industry when it comes to customer data protection, and what you can do to adjust.
A wider reach
The GDPR will largely replace the current data protection regulations in place in the UK. The GDPR marks a significant expansion in terms of geographical scope as the regulation considers not only the location of where data is processed, but the location of the individual whose data is being processed. The GDPR is all about the data of consumers, not the company. Companies with networks containing customer data are liable if they:
- Offer goods or services to individuals in the EU (including free-of-charge)
- Monitor the behaviour of individuals in the EU
That means the UK, despite the result of Brexit, won’t be exempt from the GDPR.
That means that an organisation residing in the United States, Canada, Argentina, or anywhere else in the world that deals with the data of a customer in the EU, will still be affected by the GDPR.
And that means that organisations in the retail industry won’t be exempt from the GDPR—whether you are an international clothing conglomerate or a small, family-run business.
So, organisations in industries, or even countries, that on the surface might not seem liable to the GDPR might be in for a shock come May 2018, especially considering that fines for non-compliance will be extremely severe: at €20m or 4% of your global annual turnover (whichever is greater).
What issues will the GDPR present retailers with?
Especially within the retail and e-commerce sectors, capturing and using customer data plays a significant role in product marketing decisions, as well as underpinning the product journey from seller to consumer. UK retailers will need to comply with the GDPR in order to continue selling and trading to customers based in the EU. The following are some of the key changes the GDPR will introduce and what that means for retail businesses.
Like in many industries, customers’ personal data is often used for marketing purposes so they can be informed of new deals and offers. This could be done through asking for the customer’s email over the till or online, but under the GDPR retailers will need to ensure an individual’s consent is actively and freely given. This means the reasons why their personal data is being used cannot be hidden in the T&Cs or via a pre-ticked box: it must be explicitly stated.
The GDPR stipulates you must report a data breach to regulatory bodies within 72 hours. This is mandatory, so retailers need to give careful consideration to breach prevention and ensuring a worst-case scenario is dealt with in the right way. Consider insurers, PR agencies and other suppliers by way of ‘damage control’ in the case of a breach. Unfortunately, some of the most recent data breaches have involved the retail industry, so take precautions to reduce the risks of bad press and customer or profit losses.
The GDPR will regulate the profiling of individuals—where data is collected in an automated format and used to build perceived customer preferences. For retail, that usually takes the form of loyalty cards, targeted advertising, etc. Again, this now requires the explicit consent of the customer, and you must give them the opportunity to object or refuse profiling. If your profiling is done through website cookies, consent may already be in place. But you need to know that’s the case.
Give you and your customers some peace of mind
Most of all, retailers will want to ensure that the relationship with the customer is not tarnished or lessened in any way as a result of the more prescriptive changes implemented by the GDPR.
So, what can they do to make sure that’s not the case?
At bluesource, we have been making it our mission to ensure companies of all descriptions are prepared for the GDPR come May 2018. To do so, we provide a range of assessments to help your business identify the areas most susceptible to the incoming regulatory changes and see what can be done to secure them.
For more information regarding the GDPR, follow this link! It includes a video on what the GDPR means for organisations around the world, our new eBook on GDPR compliance, and information on our compliance assessments and workshops.