GDPR Readiness Applies To U.S. Retailers, Too

We’re four months away from the May implementation of the EU General Data Protection Regulation (GDPR). For organizations that haven’t yet prepared, there is precious little time to do so. The regulation’s new rules on the use of personal data will affect every EU retailer and, importantly, any other retailer that operates in or holds data on individuals from Europe. That means U.S. companies, too, must get ready for the impact of the GDPR on their operations.

Serious penalties–both financial and reputational–await those that fail to do so. A breach of the regulation can incur a fine of anything up to 4% of an organization’s global annual turnover. And the reputational damage can be equally severe, especially among today’s ever-more ethically minded consumers for whom data privacy is a fundamental requirement.

In retail, GDPR readiness is perhaps even more vital than in other sectors. Retailers rely on the sophisticated use of customer data as an essential part of their strategies for growth. Without that data, they face being put at a huge competitive disadvantage. So a last-minute or ill-thought-out rush to ensure compliance represents a genuine risk to their business models.

With little time to spare, here are five important steps retailers should be taking to ensure a smooth and efficient transition to the GDPR era.

1. Allocate responsibility at the C-level: For some retailers, responsibility for GDPR compliance falls between the cracks in their organizations. On the one hand, legal might understand the law but lack a view into how data is actually being used. On the other hand, marketing might see the big picture in data use but lack the legal and technical expertise to ensure watertight compliance. And then we have the technology teams, who likely fall somewhere in between.

The solution is to view GDPR compliance as an organization-wide issue–and as a question of behavior as much as technology. A C-level executive should take ownership of the agenda to ensure each and every part of the organization collaborates in the development of a robust compliance framework.

2. Be ready to secure customer consent: Consent goes to the very heart of the GDPR. Retailers must secure opt-ins from their customers for the collection and processing of their personal data. They must also secure further consent for every subsequent type of use they have in mind for that data. This cuts right across every aspect of retailers’ customer data use–email addresses, cookies, transactions, loyalty schemes, in-store visits, and much more.

This data represents the crux of modern retail strategies. And if explicit permissions aren’t secured, or if business processes otherwise fall foul of the GDPR, much of its use will be curtailed. For example, without the right protocols, it might no longer be acceptable to store all data in a data lake accessible by the whole organization. A detailed understanding of the nuances of the GDPR rules is required.

3. Update the culture: The wide-ranging nature of the GDPR requires retailers to put openness, transparency, and data ethics at the heart of their corporate cultures. No individual employee can be expected to understand every intricate detail of the new rules. But those who work within a culture of integrity will be far more likely to do the right thing without even thinking about it.

Retailers should be considering mandatory training for employees in handling data, as well as enterprise-wide codes of data ethics and centers of excellence to develop and share best practices. The key question should be: Are our employees thinking about data privacy and data protection every time they handle personal data? That’s not just essential for GDPR compliance–it’s also a core part of building a broader sense of trust with customers and partners of the organization.

4. Put the customer in control: The GDPR allows customers to request all of the data an organization holds on them–and require its deletion or transfer. That’s going to be a challenge for some retailers, especially those with legacy technology systems and data stored in numerous locations.

A neat solution is to put customers in control through a single online portal. This gives customers visibility of how the retailer is using their data and enables them to update their consents, or request data be removed, at any time. Not only does it help the retailer meet the GDPR’s requirements, it’s also an excellent way of empowering customers with control over and responsibility for their own data profiles.

5. Future-proof compliance: It’s not just today’s collection and use of data that retailers need to think about; they must also consider what data they might need to use, and how, in the future. Take facial images, for example. These constitute personal data for the purposes of the GDPR. So any retailer that links to, say, a customer’s Instagram or Facebook account as part of a promotion will need processes in place to secure consent from the customer for the use of his images (and, what’s more, anyone else featured in those images). In the future, GDPR compliance will need to be written into retailers’ data innovation processes from the very start.

It goes without saying that the GDPR is a big deal for retailers trading outside the U.S. And while there are clear technical and implementation challenges ahead, this is undeniably a huge opportunity for the sector. It’s the perfect time for retailers to re-evaluate approaches to customer data to ensure its value is being maximized and to ultimately emerge as industry leaders in its use. Data-driven innovation and advanced analytics are the keys to future retail success, and getting GDPR-compliant is one vital step in making it happen.