The Retail Transformation Blog

Advice and insight to help retailers thrive in the new age of retail.


Is your retail business ready for GDPR?

One of the most important and most challenging components of becoming a fully omni-channel retailer is to collect, understand, and form a single view of customers’ data.

This aspect of omni-channel retailing is about to get even more challenging, as the EU General Data Protection Regulation (GDPR) calls for an overhaul of how retailers store, manage and use consumer data. With fines reaching up to 4% of global annual turnover or €20m (whichever is greater), it is crucial for retailers to ensure that they comply with the Regulation by the time it applies on 25 May 2018.

Here are five key steps retailers can take to start becoming compliant:

1 Create a data inventory. Retailers need to have full visibility of all the data they currently hold and where this data is stored. This includes understanding the solutions in place to store and process data, and how these solutions interface with one another.

Creating a data inventory and data “map” is the very first step towards fulfilling several of the GDPR’s central rights: the right of access (consumers can ask what data companies hold on them), data portability (consumers can obtain their data in a machine-readable form and re-use it for their own purposes), and the right to be forgotten (erasure). None of these requests can be answered reliably without knowing every system that holds a copy of the customer’s data.

In addition, a data inventory is necessary to understand the nature and sensitivity of the data currently held; this in turn determines what it can be used for, whether it can be kept, and for how long.

2 Improve security processes, and set up a data breach plan. Under the GDPR, a data controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (a processor must notify its controller without undue delay), and must inform the affected data subjects without undue delay where the breach is likely to result in a high risk to them. In either case the controller must be able to explain what happened, the likely consequences for the data subjects, the measures taken in response, and whom to contact.

The ideal outcome is clearly to avoid data breaches altogether, so retailers should review and strengthen their security controls. However, 100% prevention is not achievable even with best efforts, so retailers should also prepare for this scenario by putting in place well-rehearsed processes that trigger in the event of a breach.

Such processes will require the means to detect and confirm breaches quickly (the 72-hour clock starts when the controller becomes aware of the breach, so logging, monitoring and a clear escalation path matter), internal coordination (e.g. between IT, legal and PR teams), and external communication processes for the regulator and affected customers.

3 Review current processes used to obtain consent. Consent is one of the lawful bases the GDPR allows for processing personal data, and the one retailers typically rely on for marketing. Where it is relied on, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; explicit consent is required for special categories of data such as health data. Retailers need to provide their customers with a clear explanation, laid out in simple language, of what data they collect and what they use it for. Data controllers as well as processors cannot use the data for purposes other than those communicated to the data subject when it was collected (purpose limitation).

Consent must be given actively and explicitly, so a pre-ticked box, silence or inactivity will not do. To ensure they obtain valid consent, retailers should review their current interfaces and processes, and amend them where they do not meet the criteria stipulated by the GDPR. Each consent should be recorded with who consented, when, for which purposes and which version of the notice they saw, since the controller must be able to demonstrate that consent was given.

They might also need to re-obtain consent for data collected under the old rules. If so, retailers should plan the re-consent exercise without breaking any GDPR rules (e.g. avoid using data that was not properly obtained to re-solicit consent), and stop using data for which valid consent cannot be re-obtained.

4 Create processes to allow customers to access and extract their data. Under the GDPR, customers have the right to access their data and, where they provided it themselves and it is processed by automated means on the basis of consent or a contract, to receive it in a structured, commonly used and machine-readable format and to transfer it to another controller (right of access and data portability). Retailers do not need a fully automated self-service solution from day one, but they do need a process to respond to such requests within the time frame set by the GDPR (one month, extendable by up to two further months for complex or numerous requests).

In addition, retailers should create processes that allow them to honour customers’ right to be forgotten, i.e. to erase the data pertaining to them on request, subject to the Regulation’s exceptions (for example, transaction records a retailer is legally obliged to retain). The data inventory from step 1 tells the team where every copy lives, including backups and copies held by processors, which must be instructed to erase as well.
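Steps 3 and 4 describe processes rather than code, but the rules they impose map directly onto a few functions. The following is an added example, not code from the original post or from Javelin Group: a small data-subject-rights layer a retailer could put in front of its customer store. It records consent only as an explicit, purpose-specific, timestamped opt-in (a missing or defaulted checkbox is rejected), checks the lawful basis for a purpose before any use, supports withdrawal, produces a machine-readable export for access and portability requests, and erases a customer while keeping only the invoice data the retailer must retain. The purposes, the lawful basis assigned to each, the retention rule and the record fields are illustrative assumptions, not taken from the Regulation or the post.

```python
"""Added example: a minimal data-subject-rights layer for a retailer's customer store.

Not code from the original post. Purposes, lawful bases, the retention rule and
the record fields are assumptions chosen for illustration.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Assumed lawful basis per processing purpose: fulfilling an order rests on the
# contract with the customer; marketing and profiling here rely on consent.
LAWFUL_BASIS = {
    "order_fulfilment": "contract",
    "marketing_email": "consent",
    "profiling": "consent",
}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: str                 # ISO-8601 UTC timestamp of the opt-in action
    notice_version: str             # privacy notice the customer saw when opting in
    withdrawn_at: str | None = None


@dataclass
class Customer:
    customer_id: str
    email: str
    name: str
    orders: list[dict] = field(default_factory=list)
    consents: list[ConsentRecord] = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustomerStore:
    def __init__(self) -> None:
        self._customers: dict[str, Customer] = {}
        # Assumed retention rule: invoice lines survive erasure (accounting law),
        # but only with the customer identity stripped off.
        self.retained_invoices: list[dict] = []

    def add(self, customer: Customer) -> None:
        self._customers[customer.customer_id] = customer

    def record_consent(self, customer_id: str, purpose: str,
                       checkbox_value: str | None, notice_version: str) -> ConsentRecord:
        """Record consent from a submitted form.

        checkbox_value is the raw posted value: an unticked HTML checkbox posts
        nothing (None), so only a literal "on" counts. Callers must never default
        it to "on"; that would be a pre-ticked box in disguise.
        """
        if LAWFUL_BASIS.get(purpose) != "consent":
            raise ValueError(f"{purpose!r} is not a consent-based purpose")
        if checkbox_value != "on":
            raise ValueError("consent requires an explicit opt-in; nothing recorded")
        rec = ConsentRecord(purpose, _now(), notice_version)
        self._customers[customer_id].consents.append(rec)
        return rec

    def withdraw_consent(self, customer_id: str, purpose: str) -> int:
        """Withdraw every active consent for a purpose; returns how many were withdrawn."""
        count = 0
        for rec in self._customers[customer_id].consents:
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = _now()
                count += 1
        return count

    def may_process(self, customer_id: str, purpose: str) -> bool:
        """Purpose limitation: contract-based purposes are allowed for a known
        customer; consent-based purposes need a consent record that is not withdrawn."""
        customer = self._customers.get(customer_id)
        basis = LAWFUL_BASIS.get(purpose)
        if customer is None or basis is None:
            return False                      # erased customer or unknown purpose
        if basis == "contract":
            return True
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in customer.consents)

    def export(self, customer_id: str) -> str:
        """Right of access / portability: everything held on the subject, as JSON."""
        return json.dumps(asdict(self._customers[customer_id]), indent=2, sort_keys=True)

    def erase(self, customer_id: str) -> dict:
        """Right to erasure: drop the customer record, keeping only the invoice
        fields the retailer must retain, without the identity fields."""
        customer = self._customers.pop(customer_id)
        for order in customer.orders:
            self.retained_invoices.append({"order_id": order["order_id"], "total": order["total"]})
        return {"erased_customer": customer_id, "retained_invoices": len(customer.orders)}
```

The consent record doubles as the evidence a controller needs to demonstrate consent, and the `notice_version` field is what lets a retailer find customers whose consent predates a rewritten privacy notice and therefore needs to be re-obtained.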

5 Review all third party contracts. Retailers (data controllers) are likely to work with vendors or other third-party partners who act as data processors. Under the GDPR, the controller remains accountable for how data is processed and used, but processors now have direct obligations of their own, and in the event of a breach or misuse both can be liable for the damage caused.

This means that retailers can still be fully liable if a data processor partner suffers a breach or misuses the data. The controller must bind each processor by a written contract (Article 28) that sets out the subject matter, duration, nature and purpose of the processing, and obliges the processor to act only on the controller’s documented instructions, apply appropriate security measures, obtain approval before engaging sub-processors, assist with breach notification and data subject requests, and delete or return the data at the end of the contract.

In addition, retailers should review all existing contracts with these partners to ensure these terms are present and there are no accountability ambiguities.

Successfully carrying out the above key steps is likely to require significant investment in processes and systems, as well as in communication and training to educate staff about the GDPR and familiarise them with the new processes.

Retailers are also likely to need to appoint a Data Protection Officer (DPO): the GDPR requires one where an organisation’s core activities involve regular and systematic monitoring of data subjects on a large scale, which loyalty schemes, personalised marketing and ecommerce analytics can amount to, or large-scale processing of special categories of data.

For further reading on this topic, see Accenture’s report “A new slice of PII (Personally Identifiable Information), with a side of digital trust”.

For advice on how your business can ensure GDPR compliance, please contact Matt Jeffers, Director, Strategy at Javelin Group.


Notes / additional information 

The GDPR applies from 25 May 2018 and replaces the Data Protection Act 1998 (DPA) in the UK. The new rules apply to any company that offers goods or services to data subjects residing in the EU, or monitors their behaviour, and processes or holds their personal data. Retailers that gather, store and process data of EU residents (including multinationals based outside the EU) will need to comply with the GDPR, and this applies in the UK despite Brexit. Unlike the current relatively lenient sanction system (fines of up to £500k under the DPA), non-compliance with the GDPR can be extremely costly: up to €20m or 4% of global annual turnover, whichever is greater.

Key changes include:

  • Broader definition of personal data: the GDPR’s definition covers online identifiers such as cookies and IP addresses, which are not usually included in traditional definitions. Personal data here can be “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address”
  • Consent will need to be freely given, specific, informed and unambiguous, given by a clear affirmative action; pre-ticked boxes and unintelligible Ts & Cs are no longer enough (consent has to be fully and explicitly opt-in). The consumer (data subject) must be able to withdraw consent at any time, as easily as it was given
  • Breach notification: the supervisory authority must be notified within 72 hours of the controller becoming aware of a breach, and affected data subjects without undue delay where the breach is likely to result in a high risk to them
  • Right of access: the data subject has the right to obtain confirmation from the controller of whether their personal data is being processed, and to obtain a copy of the data free of charge (a reasonable fee may be charged for further copies)
  • Right to be forgotten / right to object: the data subject can request that his or her data be erased when it is no longer needed for its original purposes, when consent is withdrawn, or when he or she exercises the right to object
  • Data portability: the data subject can receive the data he or she provided in a structured, commonly used, machine-readable format, reuse it for his or her own purposes, and have it transmitted to another company where technically feasible
  • Privacy by design: retailers’ processes and systems need to be designed in a way that inherently protects privacy and honours the rights and duties listed above, from consent through data portability. Pseudonymisation and anonymisation of data are encouraged, and collecting only the data a purpose actually needs (data minimisation) is part of the same principle
  • Data Protection Officers will need to be appointed by public authorities and by organisations whose core activities involve large-scale regular and systematic monitoring of data subjects, or large-scale processing of special categories of data
  • Profiling and automated decision-making: a data subject has the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects, unless the decision is necessary for a contract with the data subject, authorised by law, or based on his or her explicit consent

Note: The data controller is the body that determines the purpose for processing personal data, and the way the data is processed. The data processor is the body that processes the data on behalf of the data controller.