GDPR Hits One-Year Mark: Time to whip your compliance strategy into shape
After massive data breaches at some of the largest retailers, more than 70% of U.S. shoppers are worried about how brands use and collect their personal data. But while tech giants, like Facebook and Google, are under a strict microscope to comply with consumer privacy and law enforcement, other companies have flown under the radar.
When Europe’s data privacy law (the General Data Protection Regulation) first hit, many retailers rolled out changes to comply with the new regulations. While larger brands have taken a proactive approach to achieving GDPR compliance, smaller retailers are more passive -- observing the trends and waiting for precedent-setting public cases to provide more clarity on the actual financial and reputational risks of poor compliance.
But now that GDPR is about to hit the one-year mark in tandem with California’s Consumer Privacy Act, a new law that will enhance privacy rights for residents of California, retailers will need to rethink their lax data protocols to avoid penalization and the risk of losing customer trust altogether.
That said, it’s critical to understand the challenges of complying with GDPR, the costs of failure to comply, and what your business can do to make sure you’re on the right track.
The challenges of GDPR
It’s easy to understand what might prevent retailers -- especially smaller ones -- from complying with GDPR. Challenges with accommodating GDPR include:
● The fear of losing valuable business data
● Significant revenue decreases associated with lost customer data
● High expenditures for achieving initial compliance on top of continuous administrative overhead
● A general lack of awareness, as well as missing know-how in the practical implementation of the requirements, which hinders progress
Even larger brands face these challenges, especially since many underestimated the difficulty of implementing the necessary technical and organizational measures to achieve compliance.
But none of these challenges are excuses. Failure to comply with GDPR has the potential for hefty short-term and long-term consequences.
The short-term and long-term costs of lax compliance
Lax GDPR compliance can have major short- and long-term consequences for retailers. In the short term, companies face potential data breaches resulting in legal and financial costs (tier-two administrative fines reach up to €20 million, or 4% of annual global turnover -- whichever is higher).
Long-term, retailers risk alienating consumers and damaging their reputation irreparably. Customers are already on edge about their personal data, and won’t forgive easily if brands don’t protect it.
Additionally, GDPR non-compliant companies will have greater difficulty complying with the upcoming CCPA, while GDPR-compliant brands already have the framework, people, processes and technologies in place to adapt to any additional legal requirements.
In short, the need for compliance is clear, and the consequences of a failure to do so are dire.
Here’s where to begin when it comes to GDPR and your brand
The good news? Even after a year, there’s still time to get your organization on track for compliance. Here’s where to start:
● Establish a dedicated interdisciplinary team that has a deep understanding of business, legal and IT-related processes within your organization.
● Develop a self-sustaining data protection management system or framework that ensures ongoing compliance and that allows the alignment toward upcoming legal or regulatory requirements (e.g., the CCPA).
● Internalize the seven key principles of GDPR, as they should lie at the very heart of your approach for collecting, processing and storing personal data. Ensure that all employees understand those principles and their implications for your company.
● Perform a detailed gap analysis to see where your company stands, and follow a risk-based compliance approach: it will be challenging to tackle the entire backlog and comply with all requirements at once while also preparing for upcoming legislation like the CCPA.
● With the introduction of double opt-ins and further compliance obstacles, GDPR has significantly impacted retail marketers in the use of contact databases. You need to focus on content syndication and further inbound strategies to compensate for the loss of revenue resulting from those strict requirements. Make sure you have the right technology like automated feed management and content syndication tools to ensure these strategies are effective and efficient.
● Define a clear process for managing and communicating data breaches to comply with the GDPR requirements (e.g., 72 hours for reporting to supervisory authorities) and to avoid bad press and the loss of consumer trust.
Ultimately, think of GDPR as an opportunity rather than as a risk for your business. Remember: GDPR compliance means better data quality, and better data means more revenue. Refurbishing existing data pools and consent doesn’t have to mean fewer sales. It’s an opportunity to rebuild better relationships with customers based on trust, personalization and effective use of data. Besides that, it’s a necessary nudge to improve inbound marketing strategies such as content syndication, social media marketing, SEO and branding. Your ability to comply with GDPR regulations will only improve your company’s marketing strategy and overall customer experience.
Lucas Wojcik is chief information security officer at Productsup.