The General Data Protection Regulation (GDPR) is shedding new light on data privacy and protection — one that shines far beyond the European Union (EU).
As retailers across 28 European countries increasingly tighten their strategies to improve data privacy and processes, there are many lessons to be learned. By leveraging the best practices being implemented across the pond, retailers in the United States will not only better protect sensitive customer information, but they can also gain a competitive advantage in an increasingly tough retail environment.
To keep all companies honest, and ensure they are taking all proactive albeit mandatory measures necessary to protect the integrity and safety of EU citizens’ personal data, non-compliant companies will be punished — and penalties are steep. These sanctions can cost companies between 2% and 4% of their annual global turnover, depending on the infraction, according to the GDPR EU website.
What Does the GDPR Mean for the United States?
While the rules don’t affect U.S. citizens, American companies that do operate across the globe — especially those that have a presence in Europe — need to get a handle on guidelines in an effort to keep customer information safe. Rather than consider the new regulation a punishment, the GDPR is an opportunity for U.S.-based companies to evaluate the information moving across internal networks, as well as the practices they have in place to protect this data.
These proactive efforts will only benefit companies. With tighter data protection processes in place for example, the industry as a whole could see a reduction of potential data breaches.
It is no secret that cyber-thieves continue to get more brazen, and retailers are definitely suffering with 50% of U.S. retailers experiencing some form of data breach in the past year, up from 19% the previous year, according to “The 2017 Thales Data Threat Report, Retail Edition” from cyber and data security leader Thales.
Hackers continue to exploit weak access points and find new ways on a seemingly daily basis to snag sensitive data. Oftentimes, many cyber-criminals find their way onto Wi-Fi networks that do not use strict security measures, and this becomes the perfect gateway into store-level systems, such as data center servers, point-of-sale systems or payment terminals.
During the first half of 2018 alone, retailers including Adidas, Best Buy, Panera Bread, Sears Holdings, Under Armour, and Hudson’s Bay Co.’s Saks, Saks Off Fifth and Lord & Taylor brands have already been targeted by cyber-thieves. Their booty of choice: sensitive customer data ranging from usernames and passwords to credit card information.
What is GDPR?
The GDPR was established to replace an outdated data protection directive dating back to the pre-internet and e-commerce days of 1995. However, in the last two decades, companies have rapidly become digitally influenced, a factor that drastically increased the amount of data flowing through retailers’ databases. Yet, as retail and other industries collectively struggled with how to securely collect, analyze and share data enterprisewide, it became evident that customer privacy protection efforts clearly needed a change — thus the evolution of the GDPR. The new mandate established by the EU, which went into effect on May 25, 2018, was created to protect the personal data and privacy of European customers. In addition to defining how companies must safeguard all of the personal data they process going forward, the rules also give consumers more “control” over their personal information.
More importantly, reducing data breaches will help minimize the reputational damage caused by breaches, especially those seen by the highly publicized and public Cambridge Analytica breach, for example. Political data firm Cambridge Analytica gained access to private data belonging to approximately 87 million Facebook users. The incident, which was disclosed in March, generated backlash in the form of calls for regulation and for users to leave the social network. In addition to this incident prompting more companies to take measures to further protect customer data, GDPR rules provide a global best practice framework that retailers can benchmark privacy standards against. Overall, the GDPR is an opportunity for domestic companies
to re-evaluate cybersecurity strategies, from tightening IT infrastructures to adopting intrusion detection software and data loss protection solutions that proactively protect sensitive information from being leaked — intentionally or unintentionally — outside the corporate network. And companies are already getting on board, as approximately two-thirds of U.S. companies expect to rethink their strategy in Europe, according to data from analyst firm Ovum. “There is a benefit for companies operating in the United States to proactively comply with the GDPR guidelines,” said Kenneth Holzer, head of global data consulting at dunnhumby.
“By doing so, companies will build customer trust and create a new level of social responsibility,” he added. “When it comes to the value that a company can deliver, customer privacy and trust will be among the most important assets a brand can provide going forward.”
Protection from mega breaches is only the tip of the iceberg, however. The following steps can keep companies across the United States on top of their data privacy game, and simultaneously encourage consumer confidence:
Shift corporate culture toward a “customer-first” strategy. As retailers renew their awareness toward the value of consumer data, efforts cannot stop with senior management. Companies also need to educate their staff on how to manage and protect customer information, a move that can proactively elevate attention to privacy sensitivity. It is a process that must begin with the C-suite, then filter through senior management, and down to associates at the store-level.
“People and processes need to change,” said David Ciancio, senior customer strategist at dunnhumby. “Companies need to ensure whoever is touching, harvesting and analyzing data is also informed about new requirements and consequences. These prerequisites will create organizational awareness and lead to better standards of data protection.”
To keep efforts on track, privacy needs to be championed by an appointed data protection officer (DPO). This executive is tasked with keeping internal records of data protection activities, as well as monitoring the health of the company’s GDPR compliance. The DPO advises all staff on data protection impact assessments (DPIAs), and is also the point of contact with the supervisory authority when it comes to protection actions, according to “Leveraging GDPR to Become a Trusted Data Steward,” a study from the Boston Consulting Group (BCG).
“Creating a data-aware culture is about more than having a lineage of steps toward data protection, it is also about having more insight into how data is being used within the organization,” said dunnhumby’s Holzer. “It is important to have a data road map that incorporates people, processes, data assets, technology and legal requirements.”
Take a stand of active data stewardship. Despite being held to mandated technical remediations, as well as legal actions that will be imposed for not following regulations, companies still have their work cut out for them when it comes to earning consumers’ trust regarding data privacy. More so, consumers are becoming increasingly savvier about data collection and analysis, and with every misstep a retailer makes, consumers are growing more dubious of companies’ data protection strategies.
In fact, there is a growing wariness among consumers in almost every country and age group. Besides being more concerned or cautious about sharing personal data today than just two years earlier, at least 4-out-of-5 European consumers, regardless of their age, are worried about sharing their data, according to the BCG study.
Additionally, the study revealed that a vast majority of consumers want companies to take active steps to secure notification or permission for any use of personal data.
This is where U.S.-based companies have the chance to up their game. Retailers must take steps to become trusted data stewards. These are companies that go above and beyond mandatory regulatory and technology compliances, and also take proactive measures to increase consumer trust.
“Poor stewardship of customers’ personal data can lead to data breaches, which erode customer trust and reflect badly on the industry as a whole,” said dunnhumby’s Ciancio.
The first step to becoming a data steward is for retailers to align their data privacy policies with consumers’ wishes. Further, companies need to re-examine practices of data collection, storage and usage, and create best practices that will foster more trust among their customers. This includes more open, transparent communications with consumers about their data, the ability to opt-in to programs, and to opt-out.
Make data “portable.” In addition to making companies more accountable for how they process personal data, the GDPR also affords consumers more “personal rights” when it comes to sharing their data with their favorite brands.
For example, retailers are now in the hot seat to provide more explicit, transparent communications that “ask for consumers’ consent” to store data. Gone are the days when a company can scan a set of emails and create a marketing message. Now, companies must have consumer opt-in to send personal communications if they want to stay GDPR-compliant.
Retailers are required to establish a clear, concise and accessible privacy policy — one that outlines the company’s stance on obtaining consumer consent, as well as how the data is stored and used. To safeguard the business as well as the consumer, retailers should also give consumers new methods to opt-in and opt-out of data sharing processes — and these must go beyond presenting pre-ticked “opt-out” boxes.
Customers are also partial to this regulation. In fact, a majority agree that companies should notify or seek permission to use their data when internally improving products and services, personalizing offers, and marketing products from third parties, according to BCG’s study.
Specifically, more than 60% of consumers believed that opt-in or opt-out permissions should be required for all of the aforementioned practices. Only two uses of data — internal improvement and personalization of offers — were acceptable to more than 10% of consumers in the absence of action by the company to obtain the consumer’s permission, the study revealed.
ASOS is one retailer that has found a way to make this a reality. ASOS’ website features a video summarizing the company’s privacy policy, as well as a written explanation of how customer data is used to deliver merchandise, send marketing messages by email, text or online, as well as how to detect and prevent fraud. The website also educates customers about how to delete their information from the site if they choose to have the retailer stop processing it or collecting it, according to ASOS.
The GDPR also requires retailers to make customer data “portable.” This gives the customer the right to request a download of their personal data, which allows them to transfer it to another organization, if they wish, according to the EU GDPR to another organization, if they wish, according to the EU GDPR website.
While companies may believe the majority of their customers are unlikely to want to view or download their own data, it may not be wise to be complacent on this issue. In a recent study, 45% of U.K. shoppers said they were “likely to exercise their right to access their personal data” and 25% were “likely to ‘port’ or download their data,” according to “The EU General Data Protection Regulation: opportunities for grocery retail report” by the Open Data Institute.
This mandate is increasingly important as greater quantities of personal data are stored in the cloud. Another factor exacerbating this issue is that consumers are eager to unify the data they share across multiple social media sites, such as their contacts, exchanges, photos, videos, sound clips, and personal or professional information. It is an option that streamlines data, keeps information current and consistent, and eliminates the need to manage content on each individual site.
While the process gives consumers more control over their information, the practice also benefits retailers. For example, marketing initiatives are primed to take a new, more effective turn.
“Companies have become too lazy, often using customer data for poorly targeted marketing campaigns. However, these efforts cause ‘message fatigue,’ or an abundance of wasteful messages that lead to spam and become an annoyance,” explained Ciancio.
“Companies need to pursue strategies that offer more useful and personalized content to drive loyalty.”
Since the introduction of the GDPR, European retailers have been putting their right foot forward when it comes to data processing, according to Ciancio. In addition to emphasizing more privacy throughout the consumer experience, “that lazy marketing experience has slowed down,” he explained. “With more explicit opt-in requirements, consumers are protecting themselves, and retailers are able to engage customers with more personalized content, while still emphasizing privacy and staying compliant.”