Retail and GDPR: Get ready, and get ahead
It is just a few months until the European Union’s General Data Protection Regulation (GDPR) kicks in. From May, every organization that operates in the EU or holds data on EU citizens will have to comply with strict new rules that govern how they use personal data. U.S. retailers are therefore not immune.
Any retailer that is unprepared risks a rude awakening: if it breaches GDPR, the financial penalty is up to 4% of its global annual turnover. The damage to its reputation could be even more costly.
But there’s another risk, too. Retailers recognize that data is the key to growth, giving them invaluable customer insight and unprecedented forecasting abilities. Which means that, if retailers drag their heels on GDPR, there is a limit to what they can do with data – and that will undermine their competitiveness and even threaten their existence.
With the GDPR deadline looming, readiness is a matter of urgency. Worryingly, however, we hear of some that are far from prepared. We advise them to prioritize the following steps:
1. Instill a culture of integrity
Any retailer that does not put transparency at the heart of its data practices will struggle to comply with both the letter and the spirit of GDPR. Those that are most prepared are actively building openness into their cultures. No retailer can expect each member of staff to grasp every intricacy of its data policies and processes, but employees of those with a culture of integrity will be more likely to do the right thing instinctively.
Working out how to create this kind of culture is a key challenge. First of all, we see leading retailers asking themselves whether every employee thinks about what is right as they handle data.
2. Take, and assign, ownership
For many retailers, it can be difficult to apportion responsibility for GDPR compliance. And if they don’t, it could fall through the cracks.
So who should take responsibility? The legal department understands the letter of the law, of course, but it might struggle to see the full picture of how the organization is using data. The marketing team runs the data strategy, but does not have the legal or technical expertise to ensure compliance. Meanwhile, how does technology bring these functions together?
The most prepared retailers recognize that GDPR, rather than being the responsibility of any single function, is an organization-wide issue. It demands a senior leader from the C-suite who can take ownership of compliance and ensure that every part of the business collaborates to develop a framework for collecting, using and managing data in accordance with GDPR.
3. Get permission
Consent is the core of GDPR. Before a retailer can collect personal data of any kind, it should secure opt-in permission – and a further consent for every type of use it may have in mind for that data.
This will affect every area of retailers’ increasingly sophisticated use of data. Many are already using a broad range of data – email addresses, cookie data, transactions data, loyalty card information, data on in-store browsing collected through free Wi-Fi access – and will want to connect these different data points to build comprehensive profiles of their customers.
Without customers’ explicit permission, retailers are likely to have to stop collecting this data. And gone are the days of organizations simply storing that information in a data lake that can be accessed at will by different parts of the organization: they will need permission for every type of processing they want to undertake.
4. Empower the customer
As well as new rules on consent, GDPR forces organizations to provide details of all the data they hold on a customer if they are asked to do so, and to delete or transfer that information elsewhere on request. These are important new rights for customers.
Some retailers – particularly those with legacy IT systems and data held in disparate locations – will find these demands technically challenging, but compliance means working out how to meet them.
Google’s pioneering approach provides retailers with a potential solution. It gives users access to all the data it holds on them through a single online preference center, which enables them to track and control their profiles – to have information removed, for instance, or turn some processes off. Constructing similar structures will enable retailers to comply with GDPR while giving their customers the responsibility and power to manage their own data profiles.
5. Incorporate future flexibility
Retailers’ collection and use of data evolves at pace, so their responses to GDPR may need to include a plan for ensuring that future activities are compliant, too. Many will need new processes to guarantee that new initiatives do not fall foul of the regulation.
Photographs of faces, for example, count as personal data for the purposes of GDPR. Retailers that link to consumers’ Instagram or Facebook accounts – perhaps as part of a competition – may need to develop processes for ensuring compliance. What happens if such accounts feature pictures of more than one person? This is an example of how the creation of processes that ensure that each new data-related activity is acceptable under GDPR will be a crucial element of future data innovation.
Conclusion: The compliance dividend
As they consider the future of retail and what success looks like, leading firms cannot ignore the role that data-driven innovation and advanced analytics will play. But these advances come with new responsibilities, and organizations’ stewardship of customer data will come under unprecedented scrutiny in the years ahead.
The firms that embrace their new responsibilities under regulation such as GDPR will find themselves free to exploit every new innovation opportunity – and delight increasing numbers of customers. As such, GDPR is an opportunity for retailers: if they ensure their compliance, they will be in a position to both realize their boldest ambitions and gain a clear advantage over their slower-moving competitors.
Jill Standish is senior managing director of retail at Accenture.