The General Data Protection Regulation (GDPR) marks a new era in data privacy and protection — and retailers are in the hot seat to comply.
GDPR, which went into effect on May 25, was created to protect European customers’ data. In addition to defining how companies must safeguard all of the personal data they process going forward, the rules also give consumers more “control” over their personal information. And companies that improperly handle data will have consequences, such as legal actions and fines of up to 4% of their worldwide annual turnover, according to Russell Marsh, managing director, Accenture Digital.
Marsh spoke with Chain Store Age about the new regulation, and what it means for retailers worldwide.
What is GDPR?
Drawn up by the European Union (EU), GDPR strengthens the data rights of European residents and harmonizes data protection law across all member states, making it identical. Perhaps the two most significant additions in GDPR are the right related to automated decision making and profiling, and the “right to be forgotten.”
It increases the potential fines organizations face for misusing data, and makes it easier for people to discover what information organizations have on them. In essence, it seeks to bring more transparency to people about what data organizations collect about them, and what those organizations use it for, as well as enabling people to prevent unnecessary data collection.
The types of data considered personal under the existing legislation include name, address, and images (video and photographic). Under GDPR, an IP address or even a web cookie can be personal data. It also includes sensitive personal data, such as genetic and biometric data, which could be processed to uniquely identify an individual.
What is prompting these changes?
GDPR seeks to expand and update rules that have been in place since 1995, and unify a patchwork of different laws into one piece of legislation. It provides more robust protection for consumers in the digital age, by tackling concerns over big data, privacy and cyber-theft.
What is the retail industry’s mindset when it comes to preparing for GDPR?
Implementing GDPR is not only about compliance or security. It’s essentially about changing the culture to become an organization that asks questions like “Why do we collect these data?” and “Do we have a legal right to do so?” in order to embrace privacy and protection of data. Furthermore, retailers must maintain a high level of trust with their consumer base to retain brand loyalty.
What do companies need to be aware of to become compliant?
Retailers need to know where all customer data has come from, show how all data was processed, and where automated processing (algorithms) was applied. They also must be able to prove they have the customer’s consent to use each piece of their data for each specific purpose. If they don’t have this consent, they need to stop using a specific piece of their data for a specific profiling purpose.
How do retailers obtain consumer consent?
Retailers must use clear and transparent language when securing consent from their customers, and ensure they understand the potential uses of the information. They must also actively seek their consent, meaning opt-out and pre-ticked consent methods will no longer be considered sufficient.
The most obvious implication of the changes relates to the collection and use of data for online direct marketing purposes. Compliance could well mean fewer marketable addresses for retailers who aren’t engaging in best practices.
To innovate and grow, retailers will need to find ways to help customers navigate the choices they have on data sharing and educate them on why sharing information can be beneficial.
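The two requirements Marsh describes above, a per-purpose consent record with data lineage, and the rule that pre-ticked or opt-out capture does not count as consent, can be enforced in code. The following is an added illustration written for this page, not code from Accenture, Chain Store Age or any real retailer; the ledger structure, the method names ("explicit_opt_in", "pre_ticked", "opt_out") and the sample customer records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Consent capture methods. Per the interview, opt-out and pre-ticked boxes
# do not count; only an affirmative, explicit opt-in does. (Assumed labels.)
AFFIRMATIVE_METHODS = {"explicit_opt_in"}


@dataclass
class ConsentRecord:
    subject_id: str
    data_element: str            # e.g. "email", "ip_address", "purchase_history"
    purpose: str                 # e.g. "order_fulfilment", "marketing_email", "profiling"
    method: str                  # "explicit_opt_in", "pre_ticked", "opt_out"
    source: str                  # where the data element came from (lineage)
    recorded_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Stores one record per (subject, data element, purpose) grant."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        self._records.append(rec)

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Marks every live grant for this subject and purpose as withdrawn; returns the count."""
        n = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = when
                n += 1
        return n

    def may_process(self, subject_id: str, data_element: str, purpose: str) -> bool:
        """True only if an explicit, non-withdrawn grant exists for this exact element and purpose."""
        return any(
            r.subject_id == subject_id
            and r.data_element == data_element
            and r.purpose == purpose
            and r.method in AFFIRMATIVE_METHODS
            and r.withdrawn_at is None
            for r in self._records
        )

    def lineage(self, subject_id: str, data_element: str) -> List[str]:
        """Sources from which this element was collected (deduplicated, in insertion order)."""
        seen: List[str] = []
        for r in self._records:
            if r.subject_id == subject_id and r.data_element == data_element and r.source not in seen:
                seen.append(r.source)
        return seen


def gate_pipeline(ledger: ConsentLedger, subject_id: str,
                  requested: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Given {purpose: [data elements]} a pipeline wants to use, returns {purpose: [blocked elements]}.
    An empty list means that purpose may proceed with every element requested."""
    return {
        purpose: [el for el in elements if not ledger.may_process(subject_id, el, purpose)]
        for purpose, elements in requested.items()
    }


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data, not real customer records."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    # Explicit opt-in at checkout: email may be used to fulfil the order.
    ledger.record(ConsentRecord("cust-001", "email", "order_fulfilment", "explicit_opt_in", "checkout_form", t0))
    # A pre-ticked marketing box on the same form: this does NOT authorise marketing use.
    ledger.record(ConsentRecord("cust-001", "email", "marketing_email", "pre_ticked", "checkout_form", t0))
    # Explicit opt-in to profiling on purchase history, later withdrawn by the customer.
    ledger.record(ConsentRecord("cust-001", "purchase_history", "profiling", "explicit_opt_in", "loyalty_signup", t0))
    ledger.withdraw("cust-001", "profiling", datetime(2018, 6, 1, tzinfo=timezone.utc))
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    wanted = {"order_fulfilment": ["email"], "marketing_email": ["email"], "profiling": ["purchase_history"]}
    for purpose, blocked in gate_pipeline(demo, "cust-001", wanted).items():
        print(f"{purpose}: {'OK' if not blocked else 'STOP, no valid consent for ' + ', '.join(blocked)}")
    print("email lineage:", demo.lineage("cust-001", "email"))
```

Running the script gates three hypothetical uses of one customer's data: order fulfilment proceeds, the marketing use is stopped because its only consent came from a pre-ticked box, and profiling is stopped because the grant was withdrawn. The lineage lookup answers the "where did this data come from" question from the same records, so a retailer keeps one source of truth for both consent and provenance.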
How will GDPR impact U.S.-based companies that operate globally?
GDPR provides protection to European citizens no matter where their data travels. This means that any company, anywhere, that has a database that includes EU citizens is bound by its rules. Businesses of all sizes are affected — no one is exempt.
In order to comply, American companies can either block EU users altogether (an impossible choice for a multinational brand) or have processes in place to ensure compliance.
Beyond compliance, what other value does GDPR provide?
GDPR-compliant companies are good custodians of data, a characteristic that drives greater consumer confidence. GDPR also lays the groundwork for improved data security since the guidelines require organizations to disclose any breach within 72 hours of its occurrence.
GDPR will also force organizations to improve their network, endpoint, and application security, a move that will further increase alignment with evolving technology, such as virtualization, cloud computing, BYOD, and IoT. This can serve two purposes.
First, it gives retailers a way to more effectively manage the growing demand for data. Second, it allows companies to offer end users augmented products, services, and processes.
GDPR is forcing organizations to have more consolidated data, to ensure that data is easier to use, and that they have a greater understanding of its underlying value and of the risk. This insight will let an organization learn more deeply about its customers, and identify areas where customer needs are unmet. By using customer information effectively, retailers have an opportunity to make better decisions, and consequently, get a better return on investments.