The EU’s General Data Protection Regulation legislation will come into force in May 2018. Sean Farrell offers a guide to what retailers should do in order to be prepared.
Data is crucial for retailers to understand, tailor offers to and keep in touch with customers. That’s why businesses need to be on top of big EU-driven changes to data laws that take effect in less than three months.
The General Data Protection Regulation (GDPR) will replace the 1988 Data Protection Act on 25 May 2018. It dictates how businesses collect, store and use personal information about anyone – not just consumers but employees too. GDPR’s main aims are to give control of personal data back to individuals and to simplify rules for international businesses by harmonising EU regulation.
These intentions sound reasonable enough but GDPR imposes big additional obligations on businesses, while getting it wrong can lead to fines of up to €20m or 4% of annual turnover.
Here are GDPR’s basic requirements:
Retailers are likely to find GDPR particularly challenging. Data is the key to understanding customers and many retailers rely on large troves of information built up over time as customers have interacted with them. This, along with their high profile, makes retailers obvious prey for hackers and opportunistic claims, which are both likely to increase under GDPR.
All this means extra costs and management time, both in preparation for GDPR and in staying up to date with its demands. GDPR’s scope is wide. As well as emails and purchase histories, it covers video, CCTV and eye-tracking data, along with old-style paper forms. Any information a retailer holds on a customer is covered by the regulation.
Some customer-facing companies have changed their approach radically ahead of GDPR. Last year, JD Wetherspoon scrapped its customer newsletter by deleting data it held on almost 700,000 customers. Now the pub chain uses social media and its website to tell customers about curry nights and other promotions.
Most retailers won’t feel able to take such drastic action, since data holds the key to the personalised offers consumers increasingly expect. GDPR creates the challenge of holding onto the data businesses need in order to keep in touch with customers and compete with rivals while still complying with this tough new regime.
Everyday examples of considerations for retailers adapting to GDPR include:
Rules empowering individuals are almost certain to attract vexatious activity from consumers seeking compensation, disgruntled employees and claims handlers. This is more likely because the £10 fee companies can charge to provide someone with their data has been scrapped. Privacy campaigners may also try to make examples of companies that don’t comply fully with GDPR.
Companies have had two years to get ready for GDPR but many businesses remain unprepared for the looming deadline. A survey by the Institute of Direct and Digital Marketing in February found only half the companies surveyed had appointed a data protection officer and more than half hadn’t carried out GDPR training for employees.
If your business hasn’t done this already, here are some of the key actions to take to get ready for GDPR:
There’s no doubt GDPR creates an extra burden but there’s an opportunity here too. All too often data sits in silos on outmoded technology, with little coordination. By forcing retailers to review how they handle data, GDPR is a wake-up call to think strategically about contact with customers to achieve better communication, earn trust and provide a better experience to the consumer.