May 07, 2018 | HORST JUNG
In a consumer-centric world, retailers work hard to personalize their interactions with consumers, for example by offering the right information, discount or promotion to the right individual at the right time. This requires a data-driven marketing approach that turns personal data into information that is meaningful and relevant to both retailer and consumer. At the same time, we all expect our privacy to be taken seriously, an expectation that is reflected in new and stricter data privacy regulations imposed by governments.
Personalization requires data
To personalize campaigns, offers or, more generally, shopping experiences, retailers need to collect, store, combine and analyze data about shoppers. With sophisticated engagement solutions, retailers can do this while interacting with individual shoppers. Data can be collected at touchpoints such as mobile apps, in-store POS and e-commerce sites, and through a variety of technologies. To do this properly, retailers need not only smart tools but also the right processes, so that the data is kept private and secure.
Taking Privacy Seriously
Retailers need to know the boundaries of what they are allowed to do with consumer data and how to manage that data properly. Research by Harvard Business Review shows that 70-80% of consumers trust retailers with their data. To keep that level of trust, retailers must tread carefully. To assist organizations with this, and to ensure that all organizations follow the same basic approach to handling consumer data, governments are responding with privacy laws.
GDPR: A New Data Privacy Law
In the European Union (EU), a new privacy law called the General Data Protection Regulation (GDPR) applies from May 25, 2018. It stipulates in detail the rights of individuals with regard to data privacy and data handling. The law potentially affects retail organizations around the globe: it protects individuals in the EU, so a retailer that offers goods or services to consumers in the EU, or monitors their behavior, is bound by it regardless of where the retailer itself is located.
Retailers, data controllers in GDPR terminology, are held accountable and responsible for how the personal data of their consumers and employees is treated, even if they have outsourced the data handling partly or fully to third-party solution providers (processors). Retail organizations therefore cannot disclaim responsibility for proper data handling when they use external cloud services for their e-commerce activities or marketing campaigns: the retailer remains responsible for having the right processes in place to ensure compliance with the GDPR.
Retailers Must Have a Reason for Needing Consumers’ Data
A data controller does not own an individual's personal data. The natural person (the data subject, in GDPR terms) provides data about themselves to the data controller, i.e. the retailer. Such data may identify a person directly or indirectly. The key point is that, under the GDPR, the retailer must have a clear and stated purpose for asking for this data.
Retailers may have any of several reasons for gathering this data. One is to fulfill a contract: selling products, granting guarantees and services, and offering installment payments all require the retailer to hold a consumer's personal data for identification purposes. Another is marketing and targeted advertising that benefits the customer, e.g. informing them about special offers.
Retailers must also be able to state why they collect employee data; reasons could include statistics on cashier interactions, cash-difference analysis and fraud detection.
Four Tips for Staying Compliant with GDPR
1. The responsibility for lawfully and fairly processing personal data cannot be outsourced. Whether the retailer or a third party processes the data, it is the retailer, as controller, who is responsible for ensuring compliance with the new law.
2. Retailers can no longer expect carte blanche access to consumers' data through a simple one-click interaction. Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous, obtained for each stated purpose, and the retailer must be able to demonstrate that it was obtained. Retailers must describe what they intend to do with the data and must be aware that consent can be withdrawn at any time. Consent is not the only lawful basis, however: processing that is necessary to fulfill a contract or to meet a legal obligation, such as fiscal record-keeping, remains lawful under the GDPR even after consent is withdrawn.
3. A request for disclosure of information from an individual to a retailer has to be taken seriously and handled within a reasonable time. Retailers must be able to relay relevant information, such as:
The retailer has to grant access to the data and ensure that it can be rectified if necessary. In the case of a data breach, the retailer must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay, including what is known about who may have gained access to the data.
4. Consumers can, at any time, request to be "forgotten" from a retailer's data environment, analog or digital. Unless an overriding legal ground applies (e.g. fiscal retention rules), the request has to be fulfilled, and retailers must be able to erase the consumer's information from their entire system, including copies held by third-party processors acting on their behalf.
GDPR is not the first privacy compliance initiative to come along, and it certainly won’t be the last. Make sure your software partner can help you maintain compliance and ensure a positive consumer experience every time.
Contact us today to get our GDPR handbook, which outlines how the Vynamic™ Retail Suite can best be used to help you remain compliant with GDPR.