We’re four months away from the May implementation of the EU General Data Protection Regulation (GDPR). For organizations that haven’t yet prepared, there is precious little time to do so. The Regulation’s new rules on the use of personal data will affect every EU retailer and, importantly, any other retailer that operates in or holds data on individuals from Europe. That means U.S. companies, too, must get ready for the impact of the GDPR on their operations.
Serious penalties–both financial and reputational–await those that fail to do so. A breach of the regulation can incur a fine of anything up to 4% of an organization’s global annual turnover. And the reputational damage can be equally severe, especially among today’s ever-more ethically minded consumers for whom data privacy is a fundamental requirement.
In retail, GDPR readiness is perhaps even more vital than in other sectors. Retailers rely on the sophisticated use of customer data as an essential part of their strategies for growth. Without that data, they face being put at a huge competitive disadvantage. So a last-minute or ill-thought-out rush to ensure compliance represents a genuine risk to their business models.
With little time to spare, here are five important steps retailers should be taking to ensure a smooth and efficient transition to the GDPR era.
1. Allocate responsibility at the C-level: For some retailers, responsibility for GDPR compliance falls between the cracks in their organizations. On the one hand, legal might understand the law but lack a view into how data is actually being used. On the other hand, marketing might see the big picture in data use but lack the legal and technical expertise to ensure watertight compliance. And then we have the technology teams, who likely fall somewhere in between.
The solution is to view GDPR compliance as an organization-wide issue–and as a question of behavior as much as technology. A C-level executive should take ownership of the agenda to ensure each and every part of the organization collaborates in the development of a robust compliance framework.
2. Be ready to secure customer consent: Consent goes to the very heart of the GDPR. Retailers must secure opt-ins from their customers for the collection and processing of their personal data. They must also secure further consent for every subsequent type of use they have in mind for that data. This cuts right across every aspect of retailers’ customer data use–email addresses, cookies, transactions, loyalty schemes, in-store visits, and much more.
This data represents the crux of modern retail strategies. And if explicit permissions aren’t secured, or if business processes otherwise fall foul of the GDPR, much of its use will be curtailed.
