GDPR for retail - The new personal data regulation is around the corner
Are you prepared for 2018?
As of May 25th 2018, every organization that processes personal data of EU citizens, regardless of whether it operates in Europe or not, will have to meet new data protection rules. Compliance requires precise knowledge of the data you store and process, and the right data management policy across your organization. The law covers all data that relates to an identifiable natural person, or personal data that does identify an individual. This entails any kind of data, from basics such as names and addresses to photos and bank details, email and social networking, medical information, IP addresses, and transaction history.
This makes GDPR vital for every retailer, and at Custobar we have also made this our top priority. There has been a lot of discussion about GDPR in general, but we would like to focus on retail and how it affects retailers’ business.
Topics that we’ll cover in this article:
- Benefits of GDPR for retailers
- Changes in the processes for Retail
- How Custobar complies with GDPR
It’s not all bad – GDPR can also benefit retailers.
GDPR requires retailers to keep their customer data in good shape and update it constantly. As data drives retail sales and marketing more and more, those who comply with GDPR most likely have their most important data in the best shape. Bad quality data will either cause inaccurate results or contribute to an inability to contact people in a timely manner.
Another important aspect is that consumers are increasingly aware of what rights they have concerning their data, and storing and using their data respectfully is essential in earning their trust and customership. This trust is extremely important when consumers consider to whom they give their data: Boston Consulting Group found that generating trust can increase access to consumer data by at least five times. In other words, retailers who can show that they respect individuals’ personal data are more likely to continue to have access to this goldmine going forward. A great way to improve the transparency of the data that the merchant has is to offer consumers access to their data and give them a straightforward way to keep it up to date.
The more progressive a retailer is, and the better it meets customers’ needs and wants on the topics they are interested in, the likelier it is to succeed. Consumers have more direct access to the data they share with merchants and should also have more possibilities to decide what they want to receive information about. However, this is not an issue for retailers who use micro-segmentation to tailor their messages to their customers’ interests – an easy way to differentiate from many competitors.
One more benefit is the harmonization of laws across all EU member states, which brings consistency to the legislation. This means that retailers have an easier time complying with the data protection laws in the EU countries they do business in, even though in practice some local differences will continue to exist.
What do you need to know and how to get prepared?
First, make sure you have an accurate picture of the personal data you hold and process. It is important to determine the legal basis for processing personal data and to document it. The GDPR requires that information provided should be in clear and plain language. The policies should be transparent and easily accessible.
Employees and communication
Following the new regulation, retailers should give careful consideration to breach prevention and to ensuring that breaches are handled in the correct way. This will not only help avoid non-compliance but also reduce the business risks of bad press and any subsequent customer and/or profit losses potentially resulting from a data breach. This means that merchants should have a thought-out process in place in case of data breaches, covering, for example, how a complaint or notice about a data breach coming from customer service is checked and escalated forward in the organization and which stakeholders are contacted.
With the new regulation, retailers should be more explicit, open and straightforward when asking for consent to store data. Consent must be freely given, specific, informed, and unambiguous. Requests for consent should be separate from other terms, and be in clear and plain language. Something worth noting is that pre-ticked (opt-out) boxes are no longer allowed, nor does silence count as consent. One example of the effects on retailers’ everyday work is collecting a newsletter subscription list in-store, which is still lawful, but even this form of consent must contain appropriate data capture language to clearly explain the data use to the individual.
Data subjects’ rights
One of the biggest impacts of GDPR is the broadening of individuals’ rights. The right of individuals to require information about data being processed about themselves, to access the data in certain circumstances, and to have incorrect data corrected are among the most concrete ones. There is also a right to restrict certain processing and a right to object to their personal data being processed for direct marketing purposes. In addition, individuals have the right to be forgotten under certain conditions, such as when their specific consent to use the data is withdrawn.
How Custobar helps you comply with GDPR
Because GDPR is one of the biggest focus points for most retailers during 2017, we have made it our mission to help retailers in every way we can from a systems perspective. At Custobar, privacy by design means that from a technical standpoint we follow the most modern information security practices. A third party has audited Custobar from both a process and a system perspective, and under our GDPR guideline we are going to do regular audits.
The best part is that, even though GDPR will affect your processes and how you deal with sensitive personal data, Custobar has the following inbuilt features, which are some of the new additions that help you comply with GDPR:
- Personal data is only visible on a need-to-know basis – User roles are more visible in the system, as they restrict access to individual customer data if the user doesn’t need to have full access to all personal data.
- Consumers can have the right to access their own information – We have developed various options for consumers to see and modify their personal preferences about data collection, data use and data validity.
- Minimize manual data processing – E.g. uploading data sheets from files to the system can be done automatically over our API, which reduces manual processing and data security risks.
- API support for ‘consumer data portal’ – Custobar’s API can be used to fetch information from Custobar to the client’s online shop, in order to give customers access to the data the retailer has stored about them.
We have already implemented most of these functionalities and we are rolling them out gradually during the second half of 2017.
If you have further questions about GDPR and how it affects your business, and want to hear more about Custobar, don’t hesitate to contact us.