With the General Data Protection Regulation (GDPR) due to come into force on 25th May 2018, retailers are starting to consider what it will mean for them. The new legislation will override national data protection laws including the Data Protection Act 1998 and include new and more detailed protection for personal data.
Briefly, GDPR encompasses how data is managed, processed and deleted and includes all of a company’s data dealing with EU citizens, in marketing, sales and finance and CRM systems. It also contains a raft of new rights for individuals – (often called data subject rights) which include the right to data portability, to be forgotten and a strengthening of access to their data or data access requests.
For many retailers it will mean a review of data policies and practices to ensure that they comply with how data is kept throughout the organisation. What’s more, there will be a high price to pay for organisations that fail to comply with the legislation. Punitive fines of up to 4% of an organisation’s annual global turnover or €20m, whichever is greater, not to mention reputational damage, are not to be taken lightly.
What does GDPR mean for retailers?
There’s no doubt that there will be some challenges. In today’s market place successful retailers are those with high rated customer experiences. Whether marketing to customers directly or providing a service instore, the customer experience is also now ranked as a top priority on most boardroom agendas.
Yet it’s important to remember that effective CRM can only be successful with good data – and that means good data management. With GDPR an even more meticulous approach to data management will be required, even perhaps a new mindset and culture shift in relation to data.
Thinking about these challenges we’ve identified three key areas relating to data to consider:
- 1. Customer profiling and promotions
Many of our customers use a CRM system to automate the collection and use of customer data for loyalty cards and special promotions, both instore and with email campaigns. With GDPR it will be important that not only do you gather explicit consent for storing customer data, but that you also maintain auditable proof of this consent, and are able to retrieve records easily, whilst also providing your customers with the opportunity to object/opt out.
In fact, the regulation gives far more power to the individuals and gives them the right to know how their data is being processed. This is where it is really important to clarify to the customer the reality of how you plan to use their data, and of course, the tangible offers that you will be giving , to make it worth their while agreeing.
2. Security and breach notification
Another important part of the new legislation is that any data breaches must be notified within 72 hours to the regulators – and in some cases to your customers. It’s essential that all companies – and this includes retailers – are prepared to act should a breach occur.
In fact one of the biggest risks in any organisation relating to data is not the processes that are put in place but staff – not necessarily from fraudsters or malicious intent, but people just not taking proper care of data.
Forewarned is forearmed, so it is important to train your staff on GDPR and the changes it will make. Employing or designating a Data Protection Officer and the relatively low cost of training and education of the risks involved can go a long way towards making staff vigilant to perils such as phishing emails and fraudulent representation. The staff should therefore be notified of the risks to the company (financial and reputation), as well as the risk to themselves (possible disciplinary issues, dismissal, redundancy) and know what they should do in the event of a data breach.
- 3. Sharing data with third parties
Working with our clients on integrating systems, we know that retailers often use specialist suppliers for different aspects of the business – for example, ecommerce, delivery and logistics providers and marketing agencies. Now is the time to dust off the agreements you have in place with third parties and make sure that security measures and breach actions are included, where transfer of personal information is involved. Also remember that customer preferences such as the right to be forgotten and opt out, must be synchronised effectively across systems.
But will GDPR still apply if we are leaving the EU?
GDPR has been agreed and ratified by the EU. The UK may be leaving the EU but this legislation will remain in effect in the UK until further notice.
Taking your first steps to GDPR
While these three points may at first be daunting, in fact they can easily be managed with integrated systems and the right technology and processes. Our systems help retailers capture and track customer details and consent, and will allow you, the retailer, to manage GDPR issues and together with effective processes and workflows, ensure data compliance.
It’s certainly worth considering these data areas in your company now, as your first steps towards GDPR. The more advanced your organisation is along the way to compliance, the lower the risk of breaches occurring once GDPR comes into play.
If you would like to discuss further, why not contact Eurostop and speak to a retail expert.