Want a TWENTY MILLION Euro fine? Thought not!
Earlier this month, I attended a seminar hosted by our friends at Inside Outcomes about GDPR—short for “General Data Protection Regulations” just in case you were wondering. Now you may not think this is something that affects you, because hey—that’s for the internet, brick-and-mortar retail shouldn’t have a problem, right?
No. Not right. So not right, it’s left. And retail’s among the largest offending and targeted industries.
There is huge concern that retailers and the retail industry as a whole have typical business practices that will no longer be acceptable under new regulations, at least not without fines somewhere between €20 million and 4% of your annual turnover… whichever one ends up being the bigger of the two. The EU is not messing around this time and these rules will still apply to the UK even when they leave the European Union. The worst part is that many in retail don’t think they’ll even be affected…
What to Expect when you’re Expecting… GDPR
Coming into play in May 2018 (mark your calendar for the 25th folks), the new regulations have big implications for all organisations. One of the most obvious changes revolves around consent and the ability for consumers to have their data deleted. For marketing activities especially (i.e. direct mail, email, or unexpected cold calls), a consumer must have given consent actively and freely whilst being fully informed of what they are agreeing to.
So what does this mean on the floor? Well, if your store collects customer data that’s fed into the POS, you had better hope they double opted in before you contact them again—otherwise your company’s in direct violation of GDPR’s main purpose: to protect your customers’ privacy. This includes any email, phone number, credit card (obviously), and physical address you may have stored somewhere.
When you have collected an email or other contact information from a customer, ensure they’re sent a follow-up email asking the individual to confirm their subscription to any list you may have added them to. This way you have a record of consent that has been actively and freely given. “Double opt-in” will show the Information Commissioner’s Office (ICO), the governing body who will pursue GDPR violators, that you have clear, freely given permission to carry on with your marketing activities.
As mentioned above, the potential financial implication of breaches of GDPR can be crippling to your business. Ensuring your staff are aware of the importance of keeping personal information and payment information secure is still as essential as it has ever been. Though many of your security systems will be built into your IT infrastructure, there can still be data leakage from staff that are inexperienced or untrained in GDPR. Recently, retail data breaches in the UK and other parts of the world have doubled every 12-month period. Are you next?
Whilst it is unfortunate for retailers to come under attack, it is also commonplace that breaches occur through pure mistake and ignorance:
“Contrary to some headlines making the news, this [increase in data leakage in retail] doesn’t necessarily mean an uptick in malicious activity by third parties; breaches can commonly be caused by employee error, negligence or deliberate actions” (Phil Muncaster of Info-Security magazine).
Whether through malice or mistake, employees can often be unaware of ways of keeping data secure within your company. From not properly logging out of computers to failing to update and review security and data protection procedures, retailers have been some of the biggest offenders of leakage (think Target in 2013, where 41 million credit card numbers were stolen).
Right to Erasure
Similarly, the new regulations reinforce an individual’s “right to be forgotten”: after such a request you must erase any personal consumer data you hold, and, where you have passed that personal information on to other businesses, inform those organisations of the consumer’s erasure request.
This will be particularly important when considering customers who may previously have been auto-enrolled onto marketing lists following a purchase. Not only does consent now have to be directly given for such things, but those on your list who ask to be “forgotten” need to be fully removed from your database and any third-party databases.
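The two mechanics the post asks for, a double opt-in record that proves consent was actively given and an erasure routine that also reaches the third parties you shared the data with, fit together in one small piece of code. What follows is an added example written for this article, not code from the post or from Inside Outcomes; the 48-hour confirmation window, the in-memory store, the “till-03” source label, the “mailing-house-ltd” processor and the shopper addresses are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

# Assumed policy: an unconfirmed subscription request lapses after 48 hours.
CONFIRM_WINDOW = timedelta(hours=48)


@dataclass
class ConsentRecord:
    email: str
    source: str                      # where the address was captured, e.g. a till id
    requested_at: datetime           # when the confirmation email was sent
    token_hash: str                  # only a SHA-256 hash of the one-time token is kept
    confirmed_at: Optional[datetime] = None
    shared_with: Set[str] = field(default_factory=set)  # third parties the data went to


class ConsentStore:
    """Tracks PENDING -> CONFIRMED consent and honours erasure requests (in memory)."""

    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now
        self._records: Dict[str, ConsentRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def add_contact(self, email: str, source: str) -> str:
        """First opt-in: store a PENDING record and return the token for the confirmation link."""
        token = secrets.token_urlsafe(32)
        self._records[email.lower()] = ConsentRecord(
            email=email.lower(), source=source,
            requested_at=self._now(), token_hash=self._hash(token))
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Second opt-in: accept the token once, within the window, compared in constant time."""
        rec = self._records.get(email.lower())
        if rec is None or rec.confirmed_at is not None:
            return False
        if self._now() - rec.requested_at > CONFIRM_WINDOW:
            return False
        if not secrets.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.confirmed_at = self._now()
        return True

    def may_market(self, email: str) -> bool:
        """Marketing is permitted only for a CONFIRMED record."""
        rec = self._records.get(email.lower())
        return rec is not None and rec.confirmed_at is not None

    def share_with(self, email: str, party: str) -> None:
        """Log every onward transfer so an erasure request can be propagated later."""
        self._records[email.lower()].shared_with.add(party)

    def evidence(self, email: str) -> Optional[dict]:
        """The consent trail you would show the ICO: source, request and confirmation times."""
        rec = self._records.get(email.lower())
        if rec is None:
            return None
        return {"source": rec.source,
                "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None}

    def erase(self, email: str, notify: Callable[[str, str], None]) -> List[str]:
        """Right to erasure: drop the record and notify each party it was shared with."""
        rec = self._records.pop(email.lower(), None)
        if rec is None:
            return []
        parties = sorted(rec.shared_with)
        for party in parties:
            notify(party, rec.email)
        return parties


def run_demo() -> dict:
    """Walks one constructed address through capture, confirmation, sharing and erasure."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)   # constructed clock: GDPR day one
    clock = [t0]
    store = ConsentStore(now=lambda: clock[0])
    out = {}
    token = store.add_contact("Shopper@Example.com", "till-03")
    out["before_confirm"] = store.may_market("shopper@example.com")
    out["wrong_token"] = store.confirm("shopper@example.com", "not-the-token")
    out["confirmed"] = store.confirm("shopper@example.com", token)
    out["after_confirm"] = store.may_market("shopper@example.com")
    out["reused_token"] = store.confirm("shopper@example.com", token)
    store.share_with("shopper@example.com", "mailing-house-ltd")   # hypothetical processor
    out["notified"] = store.erase("shopper@example.com", lambda party, _addr: None)
    out["after_erase"] = store.may_market("shopper@example.com")
    # A request left unconfirmed past the window can no longer be confirmed.
    late = store.add_contact("second@example.com", "web-form")
    clock[0] = t0 + CONFIRM_WINDOW + timedelta(minutes=1)
    out["expired"] = store.confirm("second@example.com", late)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the store never keeps the raw confirmation token, only its hash, so a copy of the consent table cannot be used to confirm subscriptions on someone else’s behalf, and `may_market` returns `True` only once `confirmed_at` is set, which is exactly the record the ICO would expect to see. The `notify` callback stands in for whatever you use to tell a mailing house or other processor to delete the address.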
For the most accurate, up to date and relevant resources on GDPR, check out the ICO website where everything is laid out for you. For comprehensive coverage of the regulations or any actions you need to take to become GDPR compliant, please consult a data protection specialist.