Jacob Gascoine Becker has been interviewed in Essential Retail on the threats and opportunities for retailers of GDPR.

GDPR is designed to give EU citizens greater control over their data. But with the compliance deadline around 300 days away, how do retailers need to prepare for this new set of regulations?

The General Data Protection Regulation (GDPR) deadline is fast approaching, with organisations that do business in the European Union (EU) required to be compliant by 25 May 2018.

Deadline day is just over 300 days away and many business and organisations are working to ensure they adhere to the regulations. Potential fines of €20 million (£15.3 million) or 4% of turnover are threatened for non-compliance, so what is the retail industry doing to prepare?

It’s a sector where customer data is like oil, with efficient mining of it fuelling new personalised communication strategies, targeted marketing and one-to-one engagement. Any changes to data legislation need to be carefully considered by those in the industry, because the possibility of having to relinquish data due to non-compliance – let alone the big fines accompanying it – could have a serious commercial impact.

Research from software firm Compuware shows 77% of retailers don’t yet have a comprehensive GDPR strategy plan in place and less than half of retailers are well briefed on the regulation and how it will impact the way customer data is handled.

Some 71% of respondents cited the complexity of modern IT services as an obstacle to knowing where customer data is held, while only 38% of CIOs say they are able to locate all of an individual’s personal data quickly.

Jacob Gascoine-Becker, associate director at Pragma Consulting, says: “You don’t have to look very far to see many examples of retailers who don’t conform to existing Data Protection Act (DPA) law.

“Ultimately, it will be consumers governing compliance in the first instance through reporting misuse. Businesses who cause annoyance or distress through misuse of data, either through spam or selling data to third parties, will be most at risk.”

Of course the aim of the DPA and, now, GDPR is to protect consumers, not hamper businesses with red tape. “A sensible data security policy and a considerate approach to data collection and processing will go a long way to minimise retailer risk,” explains Gascoine-Becker.

Getting to grips

Gaining consumer consent to store and process their personal data is where there is a gap in retailer preparedness for GDPR, says Gascoine-Becker.

“Companies must ensure they use clear and transparent language when securing consent from their customers, and that they understand the potential uses of the information.

“Customers must also actively consent, meaning opt-out and pre-ticked consent methods will no longer be considered sufficient. The most obvious implication of the changes relates to the collection and use of data for direct marketing purposes – compliance could well mean fewer marketable addresses for retailers who aren’t engaging in best practice.”

A survey of 2,000 consumers by retail tech supplier SAS found that a third of people will exercise the right to have their data removed from retailers under the new rules, and the same percentage will ask retailers to stop using their data for marketing purposes.

With 17% saying they will challenge automated decisions made by retailers and 24% indicating they want access to the data that retail companies hold about them, the new landscape is set to provide a number of challenges for the industry.

GDPR is clearly spooking some organisations, with pub operator JD Wetherspoon sending a message to its customers last month to inform them they were being removed from the company’s email list.

CEO John Hutson said in his note: “Many companies use email to promote themselves, but we don’t want to take this approach – which many consider intrusive.

“Our database of customers’ email addresses, including yours, will be deleted.”

Whether it was a GDPR precautionary move or not remains unclear, but with Wetherspoon’s experiencing a data breach two years ago it clearly is no longer taking any chances when it comes to storing customer data electronically.

Gascoine-Becker says many retailers have yet to prioritise the appropriate storage and processing of their third-party information, and GDPR will tighten regulations for internal use of personal data and result in penalties for non-compliance. It will also introduce new rules making it the retailer’s responsibility to update data shared with third parties.

International warning

The UK government has confirmed that the country’s decision to leave the EU will not affect the commencement of GDPR – and that is because it impacts all organisations that do business within the union.

Last month the Direct Marketing Association (DMA) issued a warning to international companies operating in the EU, saying there are many organisations that are not even aware of the new rules. Veritas research shows significant numbers of organisations in Singapore, the US, Japan and South Korea are worried about meeting the deadline.

“As citizens from EU countries do business and exchange data with companies across the globe, the GDPR is something that international companies outside the EU need to plan for,” the DMA says. “Failing to do this could seriously hinder their ability to market and sell their products and services in the EU.”

But GDPR will be “the gold standard of data protection law”, according to the DMA, and meeting these regulations will ensure businesses comply with the majority of global data protection laws. The fundamental importance to business of GDPR is clear.

New rules, new opportunities

Book retailer Blackwell’s finds itself in the unique position of serving the general public, as well as organisations like the NHS and Ministry of Defence, and therefore it has been preparing for GDPR rigorously.

“As you can imagine we’re very keen to ensure data protection for all,” explains Blackwell’s digital director Kieron Smith, who says preparation has involved “lots and lots of planning”.

The company is auditing the data it has, where it is stored and the architecture it plans to implement for GDPR – and to support the wider business into the future.

“We’ve already transitioned to a service-oriented infrastructure, so it makes sense for this to be part and parcel with this too,” he notes.

“Then it could also prove to be a tool for the business as a whole which is strategically advantageous. Although initially daunting, I think GDPR could be a great excuse to optimise some of our processes and ways we interact with customers.”

With GDPR, the level of accountability and governance will increase depending on the size of organisation and nature of data collection and usage.

Retailers that track and profile customers online, for example, or those using CCTV in shopping centres, may meet the threshold for a mandatory data protection officer (DPO), according to Gascoine-Becker.

“Even if this does not apply to your business, there’s a strong argument to appoint a voluntary DPO,” he says.

“Additionally, if your organisation has more than 250 employees, you will need to maintain additional internal records of your processing activities. If you’re not thinking about it already, we really recommend a full review of the GDPR in advance of it becoming law in May 2018 to assess the level of governance measures required.”