This article describes the key themes of the General Data Protection Regulation (GDPR) to help retailers understand the new legal framework in the EU and the UK for the protection of personal consumer data.  Brexit will have no impact, the GDPR will apply in the UK from 25 May 2018, just as it will across the rest of Europe and beyond.  Yes – beyond Europe, where non-European companies are handling data that belongs to EU data subjects. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.  Anyone in a retailer who has day-to-day responsibility for data protection must be gearing up to be GDPR-ready.

A key takeaway of this article is to see how the GDPR is not just a question of compliance but the legal framework for data protection which will be a platform to generate new business opportunities.  These new business opportunities will help realise the value of consumer data.

As we already know, the use of innovative technology in retailing is transforming the relationship between retailers and customers.  From a customer's perspective, it has never been easier to be connected anywhere, anytime to get product information and compare prices.  From a retailer’s perspective, technology creates new opportunities to sell products and communicate with customers, for example, push marketing and location-based offers.  Mobile technology is another area where retailers can differentiate themselves by offering an improved shopping experience, creating new use cases and generating additional sales.

A constantly connected environment highlights the increased significance of digital channels as sales channels.  Global e-commerce sales are growing at more than 19% a year and are expected to reach nearly US$4 trillion value of sales by 2020 (around 14% of total retail sales compared with 10% recorded today).  The global m-commerce market is also expanding significantly and is expected to account for almost a quarter of overall e-commerce revenues by the end of 2017.

What does this mean for data protection?  GDPR will revamp the way personal data is collected and used.  Retailers must understand the priorities for online and offline retailing.  Consumer consent, the use of cookies, behavioural advertising and mobile devices all must be appraised.  A retailer must be prepared for explicit consent across multiple channels.  After years of creating an omnichannel strategy for your consumers, GDPR now requires you to review how you achieve this.  Your omnichannel strategy may be deploying disruptive technologies, such as iBeacons, virtual reality, facial recognition, digital marketing, etc.  There are both ethical and privacy concerns, especially when considering the roles of the data controller and the data processor.  A proper due diligence of your vendor relationships must be conducted.  There are also implications of the data that you use for protecting against fraudulent purchasing behaviour or the growing area of ‘returns fraud’.

Technology Alone Is Only Part Of The Solution

When Edgar, Dunn & Company provides advice to retailers we generally look at the omnichannel strategy and the customer experience from a payment’s perspective.  Payment is at the heart of every retailer-consumer interaction.  The payments industry is increasingly encrypting consumer data at the point of sale using tokenization as a security technology.  A token has no meaning for a cyber-attacker, rendering the customer’s sensitive card details meaningless.

In Article 25, ‘data protection by design and by default’ and again in Article 32 of the GDPR it is more clearly prescriptive around anonymization and pseudonymization.  The regulation supports that the principles of data protection do not apply to anonymous information (i.e. information that does not relate to an identified or identifiable natural person or to personal data that does not identify an individual).  Pseudonymisation, as in the handling of personal data in such a manner that they can no longer be attributed to a specific person without the use of additional information, such as a token, is positively encouraged by the GDPR.

Retailers that can take advantage of pseudonymization, encryption or anonymising personal data will be able to reduce their risk of non-compliance.  This helps retailers mitigate risk, such as a data breach of personal consumer data.  However, GDPR is not just a question of technology.  Personal consumer data includes the home address (required for home deliveries) and email address (required for marketing communications, e-receipts, loyalty and reward programs).  Retailers (or their solutions providers) who believe that technology is the sole solution to GDPR will be very wrong.

Data Ownership

The regulation gives customers the right to opt out or to stop their data being used by the retailer or by their partners.  In Article 17, ‘the right to be forgotten’, there are potential new scenarios that will enable consumers to edit, extract, transfer and delete any data held on them by any part of the business.  This opens huge opportunities and risks for new propositions and business models.  In Article 20, ‘the right to data portability’, the more innovative retailers which are thinking outside the box are considering how data portability could be an opportunity to access new customer segments.

Data is always considered to be a valued asset but now that ‘personal data’ is the customers to do with as they see fit, it will become a currency which retailers will have to demonstrate they are worthy of holding and looking after on behalf of the consumer.  You could compare personal data held by a retailer with the money held by a bank.  A bank customer can request their bank to return their savings or transfer it to a competitor.  In the future, a consumer could approach Tesco, for example, and request all the data that they have on them, their spending patterns, and shopping preferences, etc. and transfer it to Amazon Fresh because Amazon has made an offer of 20% discount on their first six months of grocery purchases.

Know Your Personally Identifiable Information

The term ‘Personally Identifiable Information’ (PII) is not explicitly used in the GDPR, but it will cause a significant challenge to anyone seeking compliance with the GDPR.  In the GDPR personal data is all about how a person is identifiable as Recital 26 reads:

“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”

This may not be the most readable extract of Recital 26 but after a couple of readings of the entire Recital, it is certainly a bullet proof description of the principles of data protection.  Personally Identifiable Information (PII) is a term found in the US but it is loosely defined and varies from state to state.  On the other hand, in the EU, PII may be a term not used in the GDPR but it does more clearly describe what personal data includes.  The regulation is littered with references to personal data and identification of personal data.  One of my favourite Recitals is 4 that reads:

“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

This may be Euro-speak, gender specific and grandiose but the regulation does strongly define a linkage between identification and personal data.  Personally Identifiable Information will have significant implications for retailers and the data processors that serve retailers, such as payment service providers, fraud prevention vendors, credit agencies, coalition loyalty programs, search engines, and any shopping apps that use personal data.  The list keeps going.  The use of social media, Twitter, Google Analytics, Instagram, Facebook, etc.  is another area to consider.  As we all live our lives digitally we interact with interconnected companies, and the GDPR aims to echo that fact.  One of the first steps that any retailer must perform as part of their GDPR program is to create a ‘data map’.  Data Mapping should be performed from three different perspectives:

• Understand who in your ecosystem can connect and which personal data attributes are used with which providers, partners, processors, such as a consumer’s address with a courier for home deliveries
• Understand which personal data attributes and identifiers that you receive to hold or process by other providers/partners/processors
• Assess what personal data you hold within your systems or pass on for further processing. As a ‘data controller’, you are partly responsible for protecting some of the rights that have been granted to individuals in the GDPR

The GDPR does not actually define what ‘Data Mapping’ is or whether you need a data map but any data protection expert will tell you Data Mapping is an essential prerequisite for any privacy compliance strategy.  Data Mapping will help retailers comply with the GDPR obligations.

In general, data mapping requires comprehensive information gathering from all business units and a visualisation of the information gathered.  There are various tools on the market that will help with this exercise.  If you need more information on this topic or creating a GDPR change program please contact Edgar, Dunn & Company and ask for Mark Beresford.

New But Old Entrants

Most people will hold a passport which identifies you as you move from one country to another.  It effectively allows access to different countries.  Just as the consumer shops around, popping into different retailers along the high street, or visiting different stores online, there is no equivalent passport.  Now imagine a third-party offering a ‘data identification passport’ for consumers to shop.  This almost happens today online.  Websites allow you to log-in via third parties such as Google Plus, Linkedin or Facebook.  These third parties are collecting personal data from multiple sources – across different retailers.  After 25 May 2018, under the GDPR, these third parties, with the consent of the consumer, could request the original data sources be deleted.  Thus, removing the ability for the retailer to get to know you as a consumer – just as if you were paying in cash over the counter in the store. No personal data will be retained by the retailer.

Personal information can be ported to any third-party only when needed, such as for an online purchase, and removed once the transaction is completed.  The business that created the data identification passport would be the trusted provider, holding the personal data as the currency.  In turn, the customer would know their data is securely held in one place by a company they trust.  This is very like the Amazon buy button on a non-Amazon website.  The payment credentials and home delivery information is retained by Amazon as the data controller and the retailer merely ships the products or provides the services.  The retailer doesn’t get to see the payment method and is not able to retain any personal data.

Consumers, post-GDPR, will have the ability to and are expected to take greater control and responsibility of their personal data.  Personal data will have a value and consumers will gain more power and benefits based on their transaction history with a third-party data identification passport company.  A third-party provider could aggregate groups of consumers with similar requirements to benefit from a bulk deal.  Imagine, if there were 25 unrelated families wishing to book a ski chalet during the school holidays – traditionally a peak time and notoriously a very expensive vacation.  The ski company would benefit from filling the chalet to its full capacity and in return, the consumers would benefit from a bulk discount.  Another example could be an app that aggregates all the best deals and prices on the consumer’s preferred brands or specific products and services into a single location.  These new propositions could change shopping as we know it today.

Beyond Compliance

GDPR is not just about compliance.  Retailers need to evaluate their role in holding and processing personal data for consumers.  It is time to ask yourself whether you can invest in the extra burden of data protection required for GDPR.  In the Retailer Payments Practice within Edgar, Dunn & Company (EDC) we are assisting retailers to answer the strategic questions around the role of personal data which GDPR compliance is highlighting, for example:

• Can you be the trusted partner for your consumers to manage data protection?
• What is the role and value of personal data within your company?
• How can retailers or brands harness the true power of personal data to create valuable experiences for customers?
• Does your brand have the appropriate brand currency?
• What is your competition doing to be the trusted partner for personal data services?

25 May 2018 is not far away and there will be considerable work to be done within many retailers.  Nonetheless, it is important to recognise that although this may look like a deadline, it is not one that you must cross and then relax when you believe you are GDPR compliant.

Data protection and the role of data in your organisation must follow the principles of ‘data protection by design’ – as the regulation states.  Data protection will be a continuous activity, it will be operational and embedded into everything you do, from the boardroom to the shop floor.  Data protection should be part of your DNA.  At Edgar, Dunn & Company we anticipate that in the future, the responsibilities of the Chief Information Officer or Chief Digital Information Officer will include valuing company data.   The degree to which data will add value to your business, your customers, and your partners is entirely up to you.