Privacy & data security: international intrigues

Last October, RSR published a benchmark report entitled Retail Growth Strategies in 2014 (sponsored by IBM and Oracle), and it contained a surprising finding: the overall response group rated "more physical stores in existing markets" as a "high value" opportunity more often than "more physical stores in new geographies", 61% versus 54%. But as is typical in much of our research, retail winners (those that out-perform the competition) had a different point of view, favouring growth into new geographies far more heavily than under-performing laggards did (66% versus 38%).

All well and good: it's a great big world, and there are many new markets – not only BRIC (Brazil, Russia, India, and China), but Eastern Europe, Asia Pacific beyond China, Central and South America beyond Brazil, and the Mideast and African markets. While many of the world's biggest retailers have already experienced the pros and cons of international business (18 of the world's top 20 retailers operate in more than one country, according to the NRF's 2015 Top 250 Global Powers of Retailing), six out of the top ten fastest growing retailers (also according to the NRF's report) operate in only one country.

So growing companies could easily conclude that to get as big as the really big retailers, they have to get out of a single market mentality and plan for international growth.

But although the retail ecosystem is truly global, laws, rules, and regulations are definitely not. There are myriad challenges on the compliance front, ranging from tax and employment laws, to trade limitations, real estate regulations, financial reporting requirements, what products you can sell, and even the composition of your company's ownership. But one of the big differences between the US and the EU in particular has to do with the privacy and security of personal data – for both consumer and employee information.

While enjoying a dinner in London a couple of weeks ago with friend and fellow tech-guy Nick Goss, we were kicking around some of the challenges his company, Lumesse, faces in operating across international borders. Nick is the SVP of service delivery at Lumesse, a company that offers "talent cloud solutions for the global enterprise". What that means is that companies use Lumesse's cloud-based services to find and hire permanent and contingent labour, train staff, assess performance, and develop succession plans. Some of the largest global employers use the company because of the flexibility of its services and the alternative security models it offers to suit changing needs around the world. Lumesse's mission is to "enable companies to become great companies by engaging employees to fulfil their potential".

And as one might imagine, collecting and using all of the personal data associated with millions of employee candidates across the globe comes with some special responsibilities vis-à-vis privacy and security. With that in mind, Nick agreed to share some of his insights with RSR to pass on to our readers.

The Lumesse story

Nick explained: "We're present in 39 countries right now. Western Europe is our heartland, but we're also in North America and APAC, Singapore and China as well as South Korea." But he also mentioned that on the day of our interview (20 March), Lumesse had just announced a strategic collaboration with Salesforce, to deliver its TalentObjects via the new Salesforce Analytics Cloud Ecosystem, called Wave. The two companies believe that the new offer will help "every business user to instantly identify, recruit, engage and retain top talent, at any time, anywhere, from any device".

The reason this is so important to Lumesse is that the collaboration brings its TalentObjects capabilities to the North American market in a big way.

But what about international laws and regulations, and compliance? Nick said: "We grew out of an organisation called Stepstone Solutions – they were Europe-based and had grown via acquisition, picking up companies in the Nordics, Denmark, Germany, and Poland. For all those countries, if you're going to be successful with any service, you obviously have to take into account that you're 'living' in Europe. You can't create a solution with Europe as a target and hope to be successful if it isn't created from a European perspective."

Nick's contention is that it's far easier to create a solution from a European perspective and bring it to the United States, than the other way around.

Lumesse's systems handle the personal records of millions of people for hundreds of companies, and the executive believes that the privacy and security of that data is a key reason that companies choose to work with them. The privacy of personal information is a major issue in the EU, as Nick explained: "The fundamental law is different in Europe than it is in the US, to a degree that most Americans would regard it as far more restrictive – as to what you can do with information you have collected from people.

"Given that we're holding data in a legal framework that is more highly structured than it is in the US, it becomes one of the key design considerations for any software-as-a-service (SaaS) provider or subscriber."

EU data protection rules reach companies through national legislation: each member state transposes the EU directive into a law of its own. As Nick explained: "The EU itself doesn't have control over Britain's laws. What will happen is that Britain will enact a law that is similar to the EU law, within its own legislative framework. The EU law is more than a guideline but less than a law, but it's not quite like the US Federal system. In the US, you can have a state law that is completely at odds with the Federal law. You can't do that in Europe. Europe is much stricter about privacy than the US. We have to maintain third-party accreditation of our data security – it's a ticket to the dance."

So – for US readers in particular – what are the restrictions? Nick described them:

"You are not allowed to export data outside of the European Economic Area – which is technically different than the EU but practically the same. Now that seems a fairly straightforward thing, except 'export' doesn't just mean 'put it on a disk and take it across a border' – it means someone online outside of the EU cannot see data from which you can derive information about a person in the EU unless that person has given permission, or the company that 'owns' the data has a data processing agreement in place with the third party that's looking at the data. This is particularly challenging for a SaaS provider."

This can even apply to technical support activities, such as network performance analysis. The executive explained: "Someone can put a 'sniffer' on the network that's wholly contained within the EU, but the person doing the network analysis for completely legitimate reasons might be sitting in the US or the Philippines or India – that person's employer will have to have a data processing agreement in place with the 'owner' of the network, in order to be compliant."

And the data processing agreement isn't a permission slip – it's a legal contract between the party that controls the data and the party that handles it on their behalf, describing what the handler will and will not do with the data.

Individual countries may go further than the EU framework. For example, Russia recently passed a data localisation law that places a tough restriction on international businesses: personal data captured in Russia must be stored in Russia. So in addition to all the access restrictions described earlier, companies must also maintain data storage facilities in Russia, or contract a local provider to store the data for them.

Think globally, act locally

So you might be thinking, "so what? That doesn't sound too onerous!" Well… the Lumesse exec offered these recommendations for strategists:

(1) Learn about local regulations – and attitudes about privacy. Nick expanded: "In retail in particular, there are some very interesting things happening. We're seeing the best parts of internet shopping blend with the best parts of physical shopping. Click tracks can reveal a lot about a shopper, and that is now extending into the physical store itself (with beaconing, presence zones, etc.). But it can go very badly wrong if you don't keep the consumer informed. In 2008, a German retailer (Metro AG) gave out a loyalty card to its customers, and the card had an RFID chip in it. Someone saw the outline of an RFID chip, and it came out that the retailer had put the chips in to follow customers' movements around the store. Customers just fled the stores."

(2) Seeking explicit consumer consent is a major European theme. It's at the heart of European data privacy law, "that you give your consent only to this one company to use your data, and only for the purposes for which they said they were collecting it."

(3) If you set up a cloud-delivered eCommerce site that targets customers in a particular EU country, and the data administrators who can access personal information sit outside the European Economic Area, you are technically breaking the law unless the consent or data processing agreement described above is in place.

Nick ended our conversation with this thought: "The current buzz is all about software as a service, infrastructure as a service, platform as a service, and lately, people as a service. Imagine if the retail industry moved towards goods as a service! In that possibility, the rules associated with data privacy and security would be central to a brand's value – just as important as the products and services offered."

It's worth thinking about. Whether or not the "goods as a service" idea ever comes to fruition, the privacy and security of consumer data should be a key attribute of the brand's value.

This article originally appeared on The RSR Research website. It is reproduced with the organisation's permission.