How can retailers handle customer data in a GDPR compliant way?
General Data Protection Regulation (GDPR) was set to protect EU citizens' and resident’s data privacy and security. What does GDPR mean for retailers and how can companies process customer data in a GDPR compliant way?
From 25th 2018, every organisation that processes personal data of EU citizens have needed to meet new data protection rules. The GDPR applies to every organisation that provides services or goods to EU, regardless of whether the organisation is in the EU or not.
Compliance requires precise knowledge of the data you store and process, and the right data management policy across your organisation. The law covers all data that relates to identifiable natural person or to personal data that does identify an individual. This entails any kind of data such as:
- bank details
- social networking information
- medical information
- IP address and
- transaction history
This makes GDPR vital for every retailer. At Custobar, we have also made this our top priority. In this blog post we would like to focus on retail and how GDPR affects retailers’ business.
Topics that we’ll cover in this article:
- Benefits of GDPR for retailers
- Changes in the processes for retail
- How Custobar Customer Data Platform (CDP) complies with GDPR
It’s not all bad – GDPR can also benefit retailers
GDPR requires retailers to keep their customer data in good shape and update it constantly. As data is driving sales for retail more and more, the ones who comply with GDPR will most likely have their most important data in the best shape. Bad quality data will cause inaccurate results and contribute to an inability to contact people in a timely manner.
Another important aspect is that consumers are increasingly more aware of data privacy. Storing and using their data respectfully is essential in earning their trust and customership. This trust is extremely important when consumers consider to whom they give their data.
Boston Consulting Group found that generating trust can increase access to consumer data at least by five times. In other words, retailers who can show that they respect individual’s personal data are more likely to continue to have access to this goldmine also going forward.
A great way to improve the transparency of the data that the merchant has is to offer consumers access to their data and give them straight-forward possibility to keep it up to date.
The more progressive the retailer is and complies with the needs and wants of the customer about the topics that they are interested, the likelier they are to succeed. The consumers have more direct access to the data they share with merchants and should also have more possibilities to decide what they want to receive information about.
One more benefit is the harmonisation of laws across all EU member states which bring consistency to the legislation. Meaning that retailers have easier time complying with the data protection laws inside EU countries they do business in, even though in practice, some local differences will continue to exist.
What do you need to know and how to get prepared?
Firstly, make sure you have the right perception about the personal data you hold and process. It is important to determine the legal basis for processing personal data and document this. The GDPR requires that information provided should be in clear and plain language. The policies should be transparent and easily accessible.
Employees and communication
Following the new regulation retailers should put careful consideration to breach prevention and to ensuring that breaches are handled in the correct way. This will not only help avoid non-compliance but reduce the risks to the business of bad press and any subsequent customer and/or profit losses potentially resulting from a data breach. This means that merchants should have a thought-out process in place in case of data breaches. For example, how a complaint or notice about data-breach coming from customer service is checked and escalated forward in the organisation and which stakeholders are contacted.
With the new regulation retailers should be more explicit, open and straight forward with asking consent to store data. Consent must be freely given, specific, informed, and unambiguous. Requests for consent should be separate from other terms, and be in clear and plain language. Something worth noting is that pre-ticked (opt out) boxes are not allowed anymore nor does silence account as consent. One example of effects in retailers every day work, is collecting newsletter subscription list in-store, which is still lawful but even this form of consent must contain appropriate data capture language to clearly explain the data use to the individual.
Data subjects’ rights
One of the biggest impact from GDPR for retail is the broadened rights to the individual’s rights. A right for the individuals to require information about data being processed about themselves, access to the data in certain circumstances, and correction of data which is wrong are among the most concrete ones.
There is also a right to restrict certain processing and a right to object to their personal data being processed for direct marketing purposes. In addition, individuals have the right to be forgotten in conditions, such as when their specific consent to use the data is withdrawn.
How Custobar Customer Data Platform helps you to comply with GDPR?
At Custobar we follow the most modern information security practices. A third party has audited Custobar both from process and from system perspective. Our GDPR guidelines will also be audited regularly.
Even though GDPR affects your processes and how you deal with sensitive personal data, Custobar has the following inbuilt features, which are some of the new additions that help you comply with GDPR:
- Personal data is only visible on need to know basis – User roles are more visible in the system as they restrict the access to individual customer data if the user doesn’t need to have full access to all personal data.
- Consumers can have the right to access their own information – We have developed various options for consumers to see and modify their personal preferences about data collection, data use and data validity.
- Minimize manual data processing – E.g. uploading data sheets to system from files is can be done automatically over our API, which reduces manual processing and data security risks.
- API support for ‘consumer data portal’ – Custobar’s API has the possibility to fetch information over the API from Custobar to clients Online shop, in order to provide customer access to data the retailer has stored about them.
If you have further questions about GDPR – how it affects your business and want to hear more about Custobar, don’t hesitate to contact us.