The result of the EU referendum means the people of the UK have made the collective decision to leave. However, to take advantage of the huge opportunity the EU market offers, retailers will still need to prepare for the new data protection rules the EU has been developing.

The EU General Data Protection Regulation (GDPR), passed into law earlier this year, changes the data relationship between retailers and customers. The new laws will come into force in May 2018 and give consumers greater protection by changing the rules on how businesses hold, process and deal with all customer data. The new legislation will also help brands protect their own reputations by building long-term relationships with customers based on transparency and trust.

What about the EU referendum result?

The UK voted to leave the EU, but the transition away from the institutions of Europe we have been working with for the past 40 years will take time. Exactly how long is for our nation’s politicians to confirm. For the time being the UK remains an EU member state, so retailers will still need to prepare for incoming legislation like the GDPR regardless – the new laws will come into force before any Brexit becomes real.

Importantly, any company doing business in Europe with any European citizen will need to be compliant with the regulation even if UK national laws change following Brexit. Additionally, EU data legislation might continue to apply in the UK as part of any negotiation to access the single market or, at a minimum, new national data protection legislation will need to be broadly equivalent to the GDPR, if not identical.

What does GDPR mean for my business?

The new rules replace the EU data protection directive, formed in 1995 when the internet was still in its infancy. Legislation formed so long ago is simply inadequate to deal with the proliferation of digital media we are used to today that didn’t exist in 1995: smartphones, Facebook, Uber – the list is extremely lengthy.

The GDPR formalises concepts like the ‘right to be forgotten’, data portability, data breach notification and accountability that will protect consumer data and open up new possibilities for business. Those falling foul of the guidelines could face massive fines of €20m, or up to 4% of global revenues, applicable for the smallest startup right up to digital giants.

In the future, companies will need to be more transparent about how they handle personal data, while individuals will have more control of their information. It means marketers, increasingly reliant on data for targeting, will have to move deftly after May 2018, when the regulation comes into force.

Will GDPR really impact my business?

The events of the last few weeks may lead some to assume they can drag their feet on getting ready for the new data protection laws, but it’s more important than ever that retailers begin preparing their business now.

In fact, in a survey of marketers we conducted earlier this year, when asked about the GDPR a third (30%) of those that took part believed their company to be ‘unprepared’ for the new rules, while 42% believed their marketing efforts will be ‘very’ or ‘extremely’ affected by new rules, showing the need for retailers to act now.

In terms of tangible changes to the business, the GDPR will mean many organisations needing to appoint or hire a data protection officer (DPO) to be responsible for these new rules. One of the first challenges for many of these newly appointed DPOs will also be how the new regulations will affect profiling individuals using customer data. Under Article 20 of the GDPR, individuals will have the right to opt out of an organisation making a decision based on automated processing, including profiling, which produces legal effects concerning the individual or similarly significantly affects the individual. While there remains some grey area on exactly what constitutes ‘automated decision making’, it’s clear that this will change how many retailers are able to segment and potentially automate their marketing decisions.

Whose responsibility is data protection?

According to our research, 21% of marketers admitted that they do not know specifically where responsibility for GDPR should lie, while 22% agreed that ‘senior management’ must take responsibility for ensuring their organisation is fit and ready.

Ultimately, a brand’s approach to privacy should be a board-level issue, with customer trust prioritised as a key component of long-term brand and shareholder value. As seen in the recent TalkTalk data security breach, a loss of trust leads to loss of custom and declines in share value. It is crucial that companies add data protection to board risk registers, treating it as a critical commercial issue rather than as a compliance issue alone.

Seizing the digital opportunity

When it comes to commerce and marketing, data is increasingly at the heart of everything retailers do to engage customers. As such, those not preparing for the new legislation – in whatever exact form it takes – are risking the very lifeblood of their business. As well as protecting consumers, the retailers that take action now will be better placed to take advantage of the economic opportunities that digital transformation and big data will offer in the future.

The Direct Marketing Association