Blog: The GDPR landmines in retail – what should you watch out for?

By Natalie Coolbergen, Principal Consultant

The May 2018 deadline for GDPR, the EU directive on data protection, is just around the corner. And as it approaches, retailers are scrabbling to get it right. Or they should be.

The sweeping changes to data protection law affect everything from marketing to the end-to-end supply chain. The supply chain in particular is causing retailers problems, because the complex network of processes, systems and human interactions that supports it has to be addressed before retailers can be sure they are compliant.

In the run-up to the GDPR deadline of 25 May 2018, what are the issues keeping retailers awake?

  • The marketing conundrum: avoiding a swathe of customer complaints on data collection and usage, and a large fine from the ICO, whilst supporting the commercial imperatives of the business, is at the top of the list. Explicit “opt-in” consent – with affirmative action – has to be apparent and proven. If you can’t prove customers have “opted in”, you have a problem. The waters are muddied because many large retailers have different divisions, and it’s unlikely they have had the same consent model across all parts of the business. This means the GDPR adherence task is much bigger than they think. But they need to get their ducks in a row, and quickly, if they are to meet the 25 May deadline.
  • Audit trail: traceability is key if retailers are to be in a position to demonstrate GDPR compliance by May. And the complex flow of data via a web of internal and third party controller and processor networks is an auditing nightmare that isn’t going away any time soon. Retailers need to act.
  • It’s crunch time: on the whole, retailers have been slow to mobilise GDPR compliance initiatives. There are no magic money trees to pay for large compliance programmes, and with data stored within complex IT systems, retailers have identified the need to leverage existing IT investment programmes to address GDPR compliance. By doing this they can see where the gaps are and put in the right plans to address those gaps. It is time to firm up those plans and move into delivery mode.
  • What does good GDPR compliance look like? No one really knows. Levels of compliance are open to interpretation – further guidance will be issued in the spring. The risk appetite of the business will drive the scale of their change, meaning that if retailers want to avoid fines and reputation damage at all costs, they need to invest heavily in compliance. The Information Commissioner’s Office (ICO) is taking a pragmatic approach – they assume compliance programmes will run on long after May 2018, but by the deadline they expect retailers to demonstrate they understand their existing data landscape, have delivered high priority changes and have clear plans in place.

Retailers’ obligations are hazy. And balancing the rights of customers and the integrity of the data and IT architecture with the commercial viability of the business across a complex supply chain is a huge challenge. But by May, retailers have to be seen to be complying with the spirit, if not immediately every letter, of the GDPR. There are opportunities amongst the obligations, of course – compliance initiatives can be a force for good, as they accelerate digital initiatives and streamline processes. And as online retail proliferates and customer loyalty becomes ever more precious, retailers who take their roles as guardians of personal data seriously could tap into an emerging priority for customers. It’s not all doom and gloom – but time is of the essence…