No industry will feel the force of the EU General Data Protection Regulation more than retail, both online and off.
After decades of being relatively static on an EU level, and with incremental and piecemeal changes in member states, Europe’s privacy laws are in for a major overhaul.
The EU General Data Protection Regulation (GDPR) is now law across Europe, and its provisions for penalties come into force on May 25, 2018.
The penalties for not adhering to the GDPR depend on the nature of the breach, with the Regulation allowing for between two and four percent of annual worldwide turnover, or €10 million to €20 million. In short, you have to be compliant: any digitally dependent business, or business undergoing a digital transformation, will no longer be in business if it fails to protect customer confidentiality.
Although onerous for businesses, the GDPR is good news for EU citizens and, to the extent that they have known about it, has broadly been welcomed. In effect, it gives EU residents more control over their personal data, making it far easier for individuals to access and manage their data, have it deleted under the “right to be forgotten” and receive clear information on how it is processed.
In addition, consumers must explicitly provide “opt-in” consent to the use of their data.
The GDPR sets out EU-wide standards for data protection and demands that personally identifying information be kept safe. It also establishes new methods for customers to complain, to gain redress in the case of misuse of data and, crucially, to know if a system containing their data has been hacked. Companies suffering a breach with data protection implications will have just 72 hours to report it to their national information commissioners, unless the personal data concerned is unreadable or in an inaccessible state.
All personally identifying information is subject to this regime, meaning data can no longer be stored haphazardly across an organisation.
Retail businesses are in the front line of the GDPR because of the connected nature of retail today: websites that track customer identity, loyalty programmes and marketing techniques based on past purchases are all within the scope of the GDPR, and it is retail businesses that are likely to find themselves bombarded with customer requests about what data is being held and why, and perhaps even class action lawsuits.
The good news is that the GDPR also represents an opportunity for retailers. Although the fines are onerous, it at least provides clarity and uniformity and provides the rationale for streamlining business processes and achieving buy-in both at board level and from the IT department. The GDPR, then, should be taken as an opportunity to “clean the house”, by looking carefully into what data is collected, processed and stored, as well as how, where and why it is done.
The first step is to deal with business risk by doing what it takes to protect your revenue and your brand. The clearest way to make GDPR compliance manageable is the consolidation of data. Put simply, data should be held only in a single, accessible and manageable repository, so that the inevitable requests to disclose what data is held, or to erase it, can be answered.
Consolidation of data has made sense for some time, but without the impetus of the GDPR, there has been a reluctance to consolidate and migrate. Approximately 90 per cent of all Irish retailers have separate systems for retail and enterprise resource planning (ERP). This means they are losing out on valuable insights in their business, but, today, it also means the creation of a new “pain point”.
Offline retailers and those dipping a toe into online retail can also benefit significantly from using ERP to get ready for the GDPR. Though few retail businesses have no online presence today, there are those that are predominantly “bricks and mortar”. These businesses are no less data controllers, thanks to loyalty programmes, payment card processing, sharing of data between sites and online and SMS-based marketing.
Gavin Peacock, Group CEO of TRC Solutions, says that the clearest approach to GDPR readiness is to consider ERP. “You need to bear the GDPR in mind when looking at ERP and make it compliant by design,” he said.
TRC Solutions has developed a bespoke GDPR compliance module that works with the industry-leading ERP solution SAP Business One. Central to this is keeping all company data in a single controllable, manageable repository.
“The pragmatic issue is: it’s all in one place so it can be managed. Separate CRM, EPOS, loyalty programmes and so on create multiple silos with personally identifiable information in them,” said Peacock. This is a major step toward embracing the concept of privacy by design, and certainly toward complying with requests to erase data.
With the GDPR on the horizon, mismanaged data will result in more than a nuisance or loss of sales: it could put retailers out of business, so now is the time to look at ERP as the first step toward a highly defensible GDPR strategy.