Most retailers have been dreading this – GDPR is finally coming into force in the European Union today.
They fear potential fines of €20 million or 4% of their entire turnover if they are found not to comply or have been acting negligently when dealing with sensitive customer data.
Despite most retailers claiming that they are well-prepared for GDPR, we believe that there are still some gaps. In many cases, efforts have been made to restrict data sharing and usage in order to comply with GDPR.
However, most retailers could have done more – such as adjusting their corporate governance structures, upgrading their IT systems, and training their employees.
Many retailers are still not sufficiently prepared, and may need to adjust their business strategies and how they collect, store, and analyse customer data.
Retailers don’t just dread the fines; they also fear losing out on sales opportunities
Retailers need to find the right balance between using customer data for upselling, cross-selling, and marketing purposes, and restricting such activities to minimize the risk of any breaches.
Customers who have signed up to loyalty schemes may need to be asked to confirm that they are happy with how their data is used, and may opt to restrict it to certain purposes.
The problem that retailers are facing is that fewer customers will consent to data usage than before, thus limiting opportunities for sales, marketing, and analytics.
Even if strict corporate policies are implemented to satisfy regulators, retailers cannot completely eliminate the threat of rogue employees misusing customer data to meet their sales targets.
Retailers may also need to reorganize the way they do business if certain data- or analytics-driven approaches are no longer viable.
How can technology help retailers to minimize risks but still make use of customer data?
Implementing the latest data governance tools combined with robust cybersecurity protection can lead to a more transparent approach with fewer breaches; should a breach occur, the employees in question could be held responsible, since data access can be tracked.
Retailers could also look at emerging blockchain technologies for their databases, which provide additional security and accuracy by keeping secure records of all data edits, with the data points stored in a distributed ledger.
Some popular technologies, such as the internet of things (IoT), rely on data capture from in-store devices like cameras, sensors, and beacons, and may need to be used differently than before GDPR, ensuring that records are anonymized, encrypted, and deleted where necessary.
Is GDPR only relevant for European retailers?
Non-European retailers have been late in their preparations for GDPR since they have underestimated its impact on them. However, every retailer that sells to customers in an EU country (including the UK, despite the ongoing Brexit process) needs to ensure that it has taken all necessary measures to protect its customers' data in line with the strict regulations.
By adhering to GDPR, retailers can also achieve higher consumer confidence outside Europe, especially in North America where data protection is also becoming a hot topic.
Retailers increasingly look to compete on data protection and aim to do everything possible to avoid the large data breaches that have affected several major players in the past and have resulted in million-dollar losses.
What will happen when the first breaches emerge?
Retailers will be watched carefully by consumers, authorities, and journalists who will be keen to expose the first major GDPR-era data breaches.
Any retailers that are found to use data in a reckless or negligent way, or that have not put any protective measures in place, could face a major competitive setback if they have to pay hefty fines in addition to suffering serious damage to their reputation. It will be exciting to see which retailers will be exposed, for what reason, and by whom.
In some cases we may see internal whistleblowers emerging. In other cases, retailers that have prepared well for GDPR could get away without being fined, while individual employees may be prosecuted if they have committed breaches despite receiving clear instructions.
As breaches emerge, any laggards that have not taken GDPR seriously enough will suddenly wake up and invest in the latest cybersecurity, access management, and monitoring systems.
The biggest winners will be technology vendors, system integrators, and consultancies that focus on IT security combined with retail knowledge.