Comment: Retail and GDPR – 5 vital action points

Organisations are running out of time to ensure they can comply with the EU’s General Data Protection Regulation (GDPR). These demanding new rules on the use of personal data come into force this May and will apply to every organisation in the EU, as well as any entity that holds personal data on data subjects in the EU.

For the retail sector, GDPR readiness could hardly be more crucial. This is not just because a breach of the regulation could incur substantial financial penalties – up to 4% of an organisation’s global annual turnover – and huge reputational damage; it is also because retailers see sophisticated use of customer data as a key component of their strategies for growth. If retailers find themselves unable to fully utilise their data, because they are scrambling to catch up with GDPR requirements, they may find themselves at a competitive disadvantage.

Preparing for GDPR will be a constant and evolving challenge over the coming months, with regulators continuing to add fine print to the rulebook. But the regulation also represents an opportunity – for retailers to establish themselves as leaders on data, and to re-evaluate the question of whether they are maximising its value. For now, we believe there are five key issues that retailers should consider addressing:

1. Allocate responsibility

For too many retailers, responsibility for GDPR is in danger of falling through the cracks. The legal department understands the letter of the law, but cannot necessarily see the full picture of how the organisation is using data; the marketing team runs the organisation’s data strategy, but does not have the legal or technical expertise to ensure compliance; meanwhile, the technology function is trying to stitch the different pieces together and lock down the systems.

The most prepared retailers recognise that GDPR, rather than being a problem for any single function, is an organisation-wide issue. It’s as much about behavioural change as it is about technology. It requires a senior leader to take ownership of responding to the regulation – a C-level executive who will ensure that each part of the business collaborates to develop a framework for collecting, using and managing data in accordance with GDPR.

2. Secure customer consents

Consent is a crucial concept in the GDPR. Retailers that want to collect and process personal data must do so in a “lawful” fashion and this may mean they have to secure opt-in permission from the customer, as well as further consents for every type of use they may have in mind for that data.

Such requirements will cut across every area of retailers’ increasingly sophisticated use of data. Many retailers are already making extensive use of a broad range of data – email addresses, cookie data, transactions data, loyalty card information, data on in-store browsing collected through free wi-fi access, and much more – and are seeking to connect these different data points to build comprehensive profiles of their customers.

Without explicit permissions in place, retailers may have to curtail many activities. With further regulatory guidance to come, retailers will need to understand the detailed nuance of the law and ensure the right protocols and processes are in place across their data practices; it may no longer be permissible to store this information in a data lake that can be accessed at will by different parts of the organisation.

3. Update the culture

Complying with the letter and the spirit of GDPR will be challenging for any retailer that fails to put openness and transparency at the heart of its data practices. The more prepared retailers are building such values into their cultures, putting data ethics at the heart of what they do. No organisation can expect every member of its staff to understand the full intricacies of its data policies and processes, but employees of retailers with a culture of integrity will be more likely to do the right thing automatically.

Working out how to instil these values is a key challenge for retailers. Many should ask: Does every one of our employees think about what is right as they handle data?

Thinking carefully about data ethics will help organisations make the leap: leading retailers are now embracing ideas such as mandatory training for all employees on how to handle data, developing enterprise-wide codes of data ethics, and establishing centers of excellence that develop and share best practice. The aim is to ensure all stakeholders in the business respect personal data and strive to earn the trust of customers and partners.

4. Put the customer in control

GDPR gives customers important new rights. As well as new rules on consent, the regulation requires organisations to provide the detail of all the data they hold on a customer if asked to do so, and to delete or transfer that information elsewhere at the customer’s request. Some will find these demands technically challenging – particularly those with legacy IT systems and data in disparate locations – but compliance means working out now how to meet them.

One attractive solution could be the model pioneered by Google, which gives users access to all the data it holds on them through a single online preference centre. This enables users to track and control their profiles – to turn some processes off, for example, or have certain information removed. Building similar structures will get retailers closer to GDPR compliance, while giving their customers the responsibility and power to manage their own data profiles.

5. Future-proof compliance

As retailers’ collection and use of data evolves at pace, the response to GDPR may need to include a plan for ensuring that future activities are compliant, too. Many will need processes that guarantee new initiatives do not fall foul of the regulation.

Facial images, for example, count as personal data for the purposes of GDPR. Retailers that link to consumers’ Instagram or Facebook accounts – when they are running promotional competitions, perhaps – may need to develop processes for ensuring compliance. What happens if such accounts have pictures of more than one person on them? Establishing processes that ensure that each new data-related activity is acceptable under GDPR will be a crucial element of future data innovation.

The regulation advantage

GDPR presents many challenges, but it should not be seen in a negative light. The retail sector is, after all, going through a period of profound, unprecedented transformation. As they look to the future, leading retailers see data-driven innovation and advanced analytics as keys to success. By ensuring they are fully compliant with GDPR, they can realise their boldest ambitions while gaining clear competitive advantage over slower-moving rivals.

For more information visit Accenture's retail consulting services.