In spite of Brexit, the General Data Protection Regulation (GDPR) is now a hot topic for many retailers in the UK as the British Government introduced a new Data Protection Bill incorporating the European regulation. However, only 54% of UK businesses expect to be compliant by the time the regulation comes into force according to a survey by the Direct Marketing Association (DMA).
As a major update to the Data Protection Act – unchanged since 1998 – the Data Protection Bill aims to extend the rights of individuals to their own data as well as ensuring all personal data is secure. More importantly, the new EU legislation gives individuals control over their data including the right to request their stored data, to know exactly how it will be used or to request its removal.
In fact, any business in the UK handling customer data will need to be fully compliant by the 25th May 2018 when the GDPR officially comes into effect. Failure to comply would incur a fine from the data watchdog of up to £17 million or 4% of the company’s global turnover – a considerable increase from the current £500,000 maximum for breaching the current Data Protection Act.
In the first instance, businesses will need to review current data processes and must be confident that any customer data held or processed is secure. Retailers that outsource parts of the business to a third-party for services such as IT, marketing, cloud-based services or payments, can no longer shy away from the responsibilities of data security.
Retailers will need to ensure that these third-party agencies freely share information regarding the storage and processing of customer data, as well as share internal processes to ensure everyone in the data processing chain is GDPR compliant.
Data access and transparency
Providing clear and transparent information to users regarding the collection of data is a common theme in the GDPR. Chapter 3 of the EU regulation will require UK businesses to take further steps to ensure individuals are explicitly aware of how and why their details are being stored and processed.
eCommerce retailers will need to ensure users are provided with information including company contact details, the purpose of processing personal data and how long data will be stored for. Where data is shared with third-parties, details of each partner should be made available to the user at the same time personal data is collected.
In the lead up to the GDPR deadline, we will soon see uniformed UX changes in the way eCommerce sites display privacy policies, terms and conditions and contact permissions. Retailers will need to ensure their online customers are met with a more granular view of all available options they’re agreeing to with regards to the submission of their personal data. These communications should be ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’ before customers consent to their data being collected.
Customers will also have the right to a copy of their personal data held by businesses and should be available in a commonly used downloadable format with the right to move data between companies should they wish to.
While the GDPR stipulates that the ‘controller’ should provide information to data subjects within a month, it’s imperative that retailers optimise their data management process and keep detailed records of all consents, in order meet the requirements of their customers when they make requests for access to their personal data.
Retailers are encouraged to ensure that customer service teams are trained to respond to such requests and have access to detailed information on how customer data is processed within the business. This could potentially boost consumer confidence with retail brands who manage requests regarding personal data in a proactive and timely manner.
Implement privacy by design
At its core, privacy by design in the GDPR requires data protection to be at the forefront of design as opposed to a secondary element. eCommerce retailers, in particular, will need to be explicit about what actually happens with customer data, including where data is sent and who is responsible for storing and processing it.
For example, with regards to taking payments, this could take the form of updating basket and payment pages with clear statements of which payment gateway provider will processes payments and how personal details – card details, email address and physical addresses – are processed and stored when a customer makes a payment.
Online retailers will also need to openly request consent from users if they wish to share their data, including sharing browser history with third-party companies. Retailers will be required to provide users with clear ‘yes’ or ‘no’ options for consent, provide the names of the companies their data will be shared with, how long data will be stored, how to withdraw consent and how to access their data to be amended or deleted – the right to erasure – all before a user confirms their consent.
This may seem like a daunting UX design task, however, the sketch below by PageFair shows a simple solution retailers could use be using in the future when requesting consent on behalf of a third-party.
As previously mentioned, contact permissions will also be affected by these new request consent rules. Retailers who contact their customers through multiple channels – email, phone, SMS, post – will need to give the option for customers to select each channel before providing consent, plus an option to change these in the future. Privacy policies, terms and conditions and contact permissions should also have automatic opt-ins removed, be unbundled and highlighted to ensure explicit granular consent.
Data breach notifications
According to a survey by YouGov, commissioned by law firm Irwin Mitchell, only 37% of marketing and advertising companies said they would be equipped to notify relevant stakeholders within the business about data breaches. The survey also concluded that only 30% of the businesses surveyed would be able to detect a data breach within their organisation.
Under the GDPR, data breach notifications will become mandatory. Retailers and their partners will need to have processes in place to ensure that breaches are able to be detected within a 72-hour window and notify a ‘supervisory authority’ within the business.
Where a data breach is ‘likely to result in a high risk to the rights and freedoms of natural persons’, retailers will also need to notify their customers ‘without undue delay’ after becoming aware of the breach. This communication will need to inform at-risk-users of the consequences of the breach and the measures a retailer has taken to address the data breach – including measures to mitigate its possible adverse effects.
It’s essential that retailers and external partners within the data processing chain have procedures in place for data breaches – at all levels of severity – and have tested their data infrastructure with mock breach scenarios.
With digital transformation now at the forefront of the retail sector, senior management in digital roles need to ensure staff are fully trained and understand what constitutes a data breach as well as understand the implications of the new EU regulation on data management to the wider business.
For marketers who carry out behavioural targeting on a large-scale, a Data Protection Officer will be required to formally oversee all aspects of the data management process.
The increased territorial scope of the GDPR will involve a lot of work from retailers, not just in the UK and EU, but any company that processes or stores personal data from individuals within the EU – ultimately affecting multinational eCommerce business who trade in the region.
It may seem like an excessive strain for retailers in the short-term, but the EU regulation will ultimately have long-term benefits for businesses in the future. Giving individuals greater control over their data has the potential to allow business to build genuine loyalty and create more opportunities to better serve their customers.
International businesses can also benefit from a simple set of cohesive rules regarding data handling, as opposed to dealing with multiple regulations from each EU country they operate in. A customer-focused approach to data processing and management as well as standardising in-house procedures could also lead to a more simple and streamlined onboarding process when adopting new technologies.
While retailers in the UK are under pressure to meet the new standards for privacy and data management and with less than a year until the new Data Protection Bill will be enforced, retailers will need to be ready sooner rather than later in order to implement these radical changes.