The clash between data optimisation and security

Akamai and Rackspace explore how retailers can collect customer data to improve the shopping experience while ensuring the utmost security.

Retailers are dealing with an increasingly careful balancing act whereby they offer rich, data-driven personalised customer experiences while also ensuring that they deliver the relevant levels of security around the data and adhere to GDPR regulations.

During a recent Essential Retail webinar the discussion focused on this issue of retailers delivering a secure and optimised customer experience, which involves both challenges and opportunities when retailers attempt to balance the two factors.

Richard Meeus, senior technology and strategy director at Akamai, says the question for retailers is: “What is it that the customer is looking for in the customer experience and what security do they expect?”

He adds: “Customers need to know that their data is stored safely and securely. They don’t expect to see it for sale on the dark web. They also need to know that their data is not used unnecessarily. The security of it should be handled as seamlessly and as fluidly as possible as it must not hinder the online experience for the customer.”

Customers are concerned

There is no doubt that customers are sensitive to the security and privacy of their data, with 47% admitting it deters them from using digital channels, and 49% state that they are likely to cancel an online transaction if they read something they do not like in a company’s privacy policy.

Meeus believes these sensitivities are well founded: “Threats abound and I can see why people are concerned…about cyberattacks including e-skimming, credential stuffing, and data theft,” he suggests, adding that these are all grouped together and called ‘hacks’ by the general media who will invariably suggest the blame lies with the retailer, even if it is the customer at fault with a reused password.

There is a “huge financial incentive” to attackers, as in the case of validating millions of previously breached credentials against a target website, with a success rate of 1-2% and a dark web resale value of £10-£20 each. To get a handle on the scale of the crimes being committed Meeus says the website ‘Have I Been Pwned?’ contains around 10 billion accounts whereby the person’s user name and password has been breached and you can check if you are affected.

This difficult situation sits against a backdrop of customers increasingly expecting retailers to look after their data and being more aware of the value of this data to the retailer. This scenario is fully recognised by Bhavesh Unadkat, principal consultant in retail customer engagement at Capgemini, who says: “Retail is at a real crossroads around where technology can be used better and it is data that underpins it in order to engage with customers.”

Automation and engaging spaces

He points to some key trends for the future where data is the driving force in ensuring a richer experience for the customer. Firstly there is the issue of too much unprofitable space in retail that is resulting in a move towards the creation of more engaging spaces that are linked to digital including pop-up shops and autonomous stores that have no employees and rely on automation.

He also cites the Lululemon flagship store as a great example of an engaging space: “It’s a wellness shop with gym, meditation classes and a healthy restaurant where the meals are recommended to customers based on their goals that have been set out in the company’s loyalty programme. It is data-driven and the offer is around relevance.”

Secondly, he highlights the move to new channels such as outlets at airports and bus stops that involve immersive experiences. He highlights the Singtel store in Singapore as an interesting unmanned store that is open 24 hours a day and involves customers communicating through a live bot and entry into the unit and payment authorisation being undertaken via facial recognition. “It has been developed through leveraging the data. It’s all linked together through the customer’s online account and facial recognition provides the security,” he explains.

Drowning in options and data-as-a-currency

Thirdly, there is the paradox of choice that involves consumers drowning in options. This is fueling a move towards driving desire around personalisation and curation, which involves retailers linking data sets together. Unadkat points to Spotify that has connected customers’ data from fashion, sports and their other interests to create a much richer level of personalisation.

Fourthly, there is data-as-a-currency that recognises the power shift that is taking place as customers better understand the value of their data and trade it accordingly. “They are exchanging this data based on the value they’ve given it. It’s giving power to the customers and it shows retailers are respecting them,” he explains.

Another trend is around purposeful consumption that involves sharing products and spaces to better utilise assets and resources. New propositions will involve incentivising shoppers through sharing. Examples of this mission-driven approach were the openings of a pop-up low and no alcohol pub and a meat-free butchers by Sainsbury’s. Where customers had been searching [online] for meat-free dishes they were offered such dishes in the pub and also the employees in the venues were selected because they are very much activists in these specific areas.

Finally Unadkat highlights the new eco-systems that are emerging to maximise the value chain. “Companies have been more active in communities – such as the last mile – and competitors and distributors have been working together. One example is in Denmark where Zalando has collaborated with PostNord to drop parcels off at participating people’s homes, from where other shoppers can collect their items.

“There is a reduction in the carbon footprint and a 20% reduction in costs and this has been given back to the customers. It’s a very data-driven initiative,” he says.

In order for retailers to fully maximise the potential of these trends William Long, global co-leader of privacy and cybersecurity at Sidley Austin, recommends they “do the right thing with GDPR”.

This view is reinforced by his opinion that since GDPR was introduced in May 2018 the questions over whether there would be plenty of enforcement, or if it would ultimately prove toothless, have been answered. “It’s clear there has been significant enforcement. And we will see it accelerating,” he suggests.

As many as 300,000 cases have been brought to European data protection enforcers of which most have been related to compliance. Around 90,000 cases were data breach notifications. “A lot of cases have not been about harm to customers. They instead relate to non-compliance. You don’t have to suffer a data breach to be fined,” he says, adding that where fines have been issued it was not to companies like Google but to regular businesses such as retailers.

Within Europe he says countries are “getting their act together”. In Germany the data protection authority fined a business €14.5 million for not deleting old customer data. This was reduced from €28 million as a result of its co-operation with the authorities. Danish authorities have also fined businesses for similar offences and in the UK British Airways has been given an intention to fine it £183 million after user traffic was diverted from the BA site to a fraudulent website.

But Long warns that it is not just the fines that should worry retailers: “There is a strong move to privacy litigation from customers and groups (using class action lawsuits). We’ll definitely see a move to significant fines from regulators but also claims from customers.”

Facial recognition

Among the areas where retailers have to be particularly careful is around facial recognition technology. When video surveillance is involved then in most cases the explicit consent will be required from all those people whose images are being collected.

“A shop looking to personalise advertising must get the consent beforehand from its customers. It raises practical problems. How would you get consent?” asks Long, who adds that the ad tech industry is also being looked into as regulators have concerns over the over-collection of customer data. Early investigations have concluded that the industry as a whole is “immature with its data protection requirements”. 

Likewise, cookies are also an area that is being inspected by regulators. The relevant bodies in the UK, France and Germany have publicised a desire for introducing stricter standards for GDPR around the area of cookies. Within the UK, the regulator would like to introduce regular cookie audits.

Managing this scenario while also maximising the customer experience through leveraging data is possible through the use of the relevant tools and the right mindset, according to Meeus, who recommends retailers use a robust Customer and Identity Management platform.

He also advocates having a system in place for when a breach takes place. “You need to plan, prep for it, and practice it. If you need to make it public then who is the front person? Retailers need to understand what happens and have an instant response plan in place,” he says.

Long very much agrees that an ‘instant response plan’ has to be put in place and that the key stakeholders need to test how the business would react to a breach. Within the plan should be steps to: work with IT to contain the problem; work with legal or compliance teams as soon as possible; make a quick assessment about possibly bringing in greater expertise; and determining within 72 hours of becoming aware of the breach whether to notify relevant Data Protection Authorities.

Brought to you by