Data is crucial for retailers to understand and interact with customers. That’s why retailers need to be on top of big EU-driven changes to data laws that take effect in May.
The General Data Protection Regulation (GDPR) dictates how you collect, store and use personal information about consumers and employees. It aims to return control of personal data to individuals and simplify rules for international businesses by harmonising EU regulation.
These intentions sound reasonable, but GDPR imposes additional obligations on businesses – and getting it wrong can lead to fines of up to €20 million or four per cent of global annual turnover.
GDPR’s basic requirements include:
• Companies of 250-plus employees must appoint an independent data protection officer to ensure data standards are met.
• GDPR applies to smaller businesses if they use data regularly or handle data likely to put rights and freedoms of the data subjects at risk.
• Customers must give active consent for businesses to use their data for marketing or profiling.
• Data breaches must be reported within 72 hours to the Information Commissioner’s Office (UK).
• People have the “right to be forgotten” if they withdraw consent or data relating to them isn’t needed any longer.
The Omnichannel Twist
Retailers will find GDPR particularly challenging. Data is the backbone of the omnichannel customer experience, which aims to provide seamless shopping for customers, whether they’re in-store or browsing on a device, whilst making them accurate, personalised offers.
A frictionless experience means purchases complete quicker, and customers choose you over competitors who fail to offer the same experience.
GDPR complicates this. Achieving omnichannel relies on retailers storing and accessing vast data troves amassed as customers interact with them. Retailers have spent years collecting this data, and now have to retrospectively assure their methods meet new standards.
All this means extra costs and management time, both preparing for and keeping up with GDPR’s demands. GDPR’s wide scope covers emails, purchase histories, video, CCTV and eye-tracking data as well as paper forms. Any information you hold on a customer counts.
Some companies have changed approach radically ahead of GDPR. JD Wetherspoon has scrapped its customer newsletter and deleted data on 700,000 customers. It now uses social media and its website to tell customers about curry nights and promotions.
Most retailers won’t feel able to take such drastic action when data is essential for creating personalised offers. GDPR creates the challenge of holding on to the data needed to stay competitive whilst complying with this new regime.
Everyday examples of considerations for retailers adapting to GDPR include:
• Emailing offers or promotions to a customer now requires their active consent. This means spelling out how you intend to use the customer’s email and giving them a clear opportunity to say no. No more pre-ticked boxes.
• Loyalty schemes are the most obvious examples of profiling – the automated collection of information about a customer’s behaviour and preferences.
• Stricter rules on security breaches don’t just mean bigger fines. Your reputation is at risk, too. Customers don’t like their data being hacked and headlines can damage your business even if the hackers don’t get to the vital information.
The Ticking Clock
Businesses have had two years to prepare for GDPR, but many aren’t ready for the looming deadline. A survey by the Institute of Direct and Digital Marketing in February found only half of companies had appointed a data protection officer and more than half hadn’t trained employees for GDPR.
If you haven’t already, here are some key actions to take to prepare for GDPR:
• Conduct a data audit. What data do you hold, where and in what form? What is it used for? Delete any unnecessary data, making sure it’s gone forever.
• Review systems and suppliers to ensure you have a view of each consumer and can provide them with a clear, timely account of what data you hold on them. Make sure you have active consent for using customers’ data.
• Appoint an independent data protection officer if required. They can be an existing employee as long as it doesn’t create a conflict of interest.
• Ensure you have the right people in place. The Information Commissioner’s Office says: “You must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.”
• Do your staff know how to handle a data breach? Which insurers or suppliers would you need to involve? Have you got a communication strategy?
GDPR creates an extra burden but also an opportunity. Data often sits in siloes with little integration. By forcing retailers to review how they handle data, GDPR is a wake-up call to think strategically about contact with customers to achieve better communication, earn trust and provide a better experience to the consumer.
For retailers who need advice on GDPR compliance and the omnichannel, the topic will be discussed at this year’s InternetRetailing Expo in Birmingham, March 21-22. Alessandra Di Lorenzo, Chief Commercial Officer at Lastminute.com, will be giving a keynote on GDPR, while Tom Martin, Retail Intelligence and Customer Analytics Expert, OmniCX, will be running a workshop.
Lucia Ruiz is the Head of Marketing at InternetRetailing Events