“We’ve done GDPR”
As we settle into 2019, the dust seems to have settled on GDPR and retail is looking towards the next range of challenges; the ‘B’ word anyone?
However, and perhaps we would be expected to say this, there is increased activity from the ICO as they start focusing on key areas of compliance. For now, most of the activity appears to be on the ‘basics’ of GDPR compliance: registering as a data controller, use of privacy notices, clarity of consent mechanisms and, of course, comments on breaches and cyber-security.
It is easy to become isolated in a view on subjects like GDPR. After all, how often did industry talk about the previous data protection regime? Often only as a result of a major breach and then only really in terms of I.T. budgets.
So, in order to provide you with a wider view on what is happening, here are a few areas that we have encountered with clients or wider industry:
Our clients have been asking us to assist them with managing customer expectations in response to customer requests when exercising their rights (such as Subject Access Requests, Right to Erasure) and requests regarding how their data was originally collected.
We have witnessed some confusion surrounding the customer's understanding as to how consent and legitimate interests sit together and how they are applied. There have been situations where the customer believes that unless they have given consent, the brand can no longer use their personal data for marketing purposes. Whilst managing your customer's expectations is of the utmost priority, it is also important for your business to be able to continue to build relationships with your customers through marketing and positioning this positively.
There is a tendency to envisage a 'data breach' as the result of an external 'hack' or sophisticated phishing exercise. In reality, breaches occur more readily than may be perceived and many times are due to lapsed housekeeping.
One persistent area of weakness is the password management of internal staff access to your operational platforms. We have been assisting customers in reviewing password management processes and protocol as well as documenting these details in policy and process documentation. With the peak season coming to a close, a review of all access points to personal data would be beneficial now that the seasonal staff intake phase has completed. It is also a good time to review data maps; have you really captured all the databases the business is responsible for? These aren’t always redundant ‘legacy’ systems.
Managing data capture in store has always been challenging, and the DPA (2018) expects a clearer distinction between data collection for the provision of an e-receipt and ongoing marketing communications activity. With well-structured processes and training for the sales professionals, the conversation at the till point can be engaging and effective as well as adding value to your marketing lists through relationship building. Anecdotal evidence suggests that the in-store experience doesn’t match the ‘trained’ expectations.
Data is the lifeblood of digitally enabled businesses, especially in the consumer space. Whilst GDPR presented challenges, it provides us with the opportunity to gain consumers' trust, build better relationships and review the value we place on their information. Whatever the political outcome of the coming months, there is a global move to better understand and control what happens to consumer data. GDPR is being held up as an evolving global standard; that puts UK retailers in a strong position in international markets.
Most businesses now have a broad handle on the data protection position; now is the time to make sure this is both maintained and prioritised. Legally, your status should be under regular review and you must be able to prove this.