DE4CC0DE-5FC3-4494-BCBF-4D50B00366B5

Why Retailers Should Be Wary About The Forthcoming GDPR Regulations

By Steve Wynne-Jones
Share this article
Why Retailers Should Be Wary About The Forthcoming GDPR Regulations

Mark Beresford, who heads up Retailer Payments Practice at consultants Edgar, Dunn & Company, outlines what retailers need to know about the forthcoming General Data Protection Regulation. This article originally appeared in Issue 6, 2017 of ESM: European Supermarket Magazine.

The General Data Protection Regulation (GDPR), which will be implemented on 25 May 2018, sets a new legal framework in the EU and the UK for the protection of personal consumer data. Anyone in a retailer who has day-to-day responsibility for data protection must be gearing up to be GDPR-ready.

21st Century Digital Shopping

As we already know, the use of innovative technology in retailing is transforming the relationship between retailers and customers. From a customer’s perspective, it has never been easier to be connected anywhere, anytime to get product information and compare prices. From a retailer’s perspective, technology creates new opportunities to sell products and communicate with customers, for example, push marketing and location-based offers. Mobile technology is another area where retailers can differentiate themselves by offering an improved shopping experience, creating new use cases and generating additional sales.

Global e-commerce sales are growing at more than 19% a year and are expected to reach nearly US$4 trillion value of sales by 2020 (around 14% of total retail sales, compared with 10% recorded today).

Data Protection

What does this mean for data protection? GDPR will revamp the way personal data is collected and used. Retailers must understand the priorities for online and offline retailing.

ADVERTISEMENT

Consumer consent, the use of cookies, behavioural advertising and mobile devices all must be appraised. A retailer must be prepared for explicit consent across multiple channels. After years of creating an omnichannel strategy for your consumers, GDPR now requires you to review how you achieve this.

Your omnichannel strategy may be deploying disruptive technologies, such as iBeacons, virtual reality, facial recognition, digital marketing, etc. There are both ethical and privacy concerns, especially when considering the roles of the data controller and the data processor. A proper due diligence of your vendor relationships must be conducted.

Technology Alone Is Only Part Of The Solution

When Edgar, Dunn & Company provides advice to retailers we generally look at the omnichannel strategy and the customer experience from a payment’s perspective.

Payment is at the heart of every retailer-consumer interaction. The payments industry is increasingly encrypting consumer data at the point of sale using tokenisation as a security technology.

ADVERTISEMENT

In Article 25, ‘data protection by design and by default’ and again in Article 32 of the GDPR, it is more clearly prescriptive around anonymisation and pseudonymisation. The regulation supports that the principles of data protection do not apply to anonymous information (i.e. information that does not relate to an identified or identifiable natural person or to personal data that does not identify an individual).

Pseudonymisation, as in the handling of personal data in such a manner that they can no longer be attributed to a specific person without the use of additional information, such as a token, is positively encouraged by the GDPR.

Retailers that can take advantage of pseudonymisation, encryption or anonymising personal data will be able to reduce their risk of non-compliance. This helps retailers mitigate risk, such as a data breach of personal consumer data. However, GDPR is not just a question of technology. Personal consumer data includes the home address (required for home deliveries) and email address (required for marketing communications, e-receipts, loyalty and reward programs). Retailers (or their solutions providers) who believe that technology is the sole solution to GDPR will be very wrong.

Data Ownership

The regulation gives customers the right to opt out or to stop their data being used by the retailer or by their partners. In Article 17, ‘the right to be forgotten’, there are potential new scenarios that will enable consumers to edit, extract, transfer and delete any data held on them by any part of the business.

ADVERTISEMENT

This opens huge opportunities and risks for new propositions and business models. In Article 20, ‘the right to data portability’, the more innovative retailers that are thinking outside the box are considering how data portability could be an opportunity to access new customer segments.

Data is always considered to be a valued asset but now that ‘personal data’ is the customers to do with as they see fit, it will become a currency which retailers will have to demonstrate they are worthy of holding and looking after on behalf of the consumer.

You could compare personal data held by a retailer with the money held by a bank. A bank customer can request their bank to return their savings or transfer it to a competitor. In the future, a consumer could approach Tesco, for example, and request all the data that they have on them, their spending patterns, and shopping preferences, etc. and transfer it to Amazon Fresh because Amazon has made an offer of 20% discount on their first six months of purchases.

Personally Identifiable Information

The term ‘Personally Identifiable Information’ (PII) is not explicitly used in the GDPR, but it will cause a significant challenge to anyone seeking compliance with the GDPR. Personally Identifiable Information (PII) is a term found in the US but it is loosely defined and varies from state to state. On the other hand, in the EU, PII may be a term not used in the GDPR but it does more clearly describe what personal data includes. The regulation is littered with references to personal data and identification of personal data.

ADVERTISEMENT

Personally Identifiable Information will have significant implications for retailers and the data processors that serve retailers, such as payment service providers, fraud prevention vendors, credit agencies, coalition loyalty programs, search engines, and any shopping apps that use personal data.

Beyond Compliance

GDPR is not just about compliance. Retailers need to evaluate their role in holding and processing personal data for consumers. It is time to ask yourself whether you can invest in the extra burden of data protection required for GDPR. In the Retailer Payments Practice within Edgar, Dunn & Company (EDC), we are assisting retailers to answer the strategic questions around the role of personal data which GDPR compliance is highlighting.

The date of implementation, 25th May 2018 is not far away and there will be considerable work to be done within many retailers. Nonetheless, it is important to recognise that although this may look like a deadline, it is not one that you must cross and then relax when you believe you are GDPR compliant.

For further information, visit edgardunn.com

About The Author

Mark Beresford is a Director in the London office and heads up the Retailer Payments Practice for Edgar, Dunn & Company. He has over 20 years of experience of consulting strategy, developing and managing financial services businesses. In the Retailer Payments Practice, Mark works with a number of global merchants to develop omnichannel payment acceptance strategies. He uses the 360° Payment Diagnostic methodology developed by Edgar, Dunn & Company to identify cost efficiencies for retailers by defining an appropriate mix of payment methods, acceptance channels, alternative forms of payments, and optimising Payment Service Provider and acquiring relationships.

© 2017 European Supermarket Magazine – your source for the latest retail news. Article by Stephen Wynne-Jones. Click subscribe to sign up to ESM: The European Supermarket Magazine.

Get the week's top grocery retail news

The most important stories from European grocery retail direct to your inbox every Thursday

Processing your request...

Thanks! please check your email to confirm your subscription.

By signing up you are agreeing to our terms & conditions and privacy policy. You can unsubscribe at any time.