The General Data Protection Regulation comes into effect on Friday. Retail Week takes a look at retailers’ readiness.
GDPR has been looming over the UK retail sector for the past two years and finally becomes law on Friday.
Research from Capgemini indicates that UK businesses are not as robustly prepared for the legislation as might be expected. Only 55% say they will be largely or completely compliant by the May 25 deadline.
The UK is the most-prepared country in Europe – businesses in Sweden lag significantly behind on this metric at 33%, while those in Spain and Germany have achieved 54% and 51% near or total compliance respectively.
However, the fact that 45% of UK businesses are unprepared for GDPR paints a worrying picture for the retail sector and beyond, particularly against a backdrop of hefty fines of up to 4% of a company’s global revenue, or £17m, from the Information Commissioner’s Office (ICO).
Opinion is divided on how draconian the ICO will be when it comes to holding retailers accountable for non-compliance.
Some fear a handful of high-profile businesses could be made examples of shortly after the legislation comes into effect.
The Co-op’s head of customer services Claire Carroll says: “It does kind of keep me awake at night a little bit.
“Is there a chance we’ll get it wrong? Absolutely. Regulators are going to make an example of a retailer in the first three months.”
“It’s a new law coming in, so the ICO is going to be looking at people that aren’t conforming,” he believes.
BRC chief executive Helen Dickinson, however, thinks it unlikely that there will be any sort of ‘witch hunt’ for companies deemed not to be compliant.
She says: “Retailers are clearly very aware of their responsibilities towards the protection of their customer’s data and are working hard to implement the requirements of GDPR.
“Data subjects will make use of their new rights over time and ultimately this is the best test of readiness.”
Similarly, The Entertainer chief executive Gary Grant is sanguine about the ICO’s likelihood of imposing heavy fines in the early days of GDPR.
“I’d be surprised if they did a witch-hunt in six months – there has to be a settling-down period,” he says.
So how robustly has The Entertainer prepared for the legislation?
“We’ve been preparing for six months and have managed to achieve 50% opting in from our database, which is disappointing but a reasonable result,” says Grant.
“This has consumed management time and boardroom discussion time. We’ve had fortnightly meetings to make sure we’ve been making progress, and staff training. It’s consumed quite a lot of time.”
Carroll says one of the benefits of the legislation has been revealing historic issues in how the retailer operates internally.
“What it’s brought home to us is that GDPR has been the perfect example of how Co-op acts in about 15 different silos,” she says.
“There’s a different IT team for each business and a different set of processes for each team, which is madness.
“It’s been an opportunity to have all our data in one place because I think our customers expect us to have one view of them and right now we don’t.”
The reality is that asking shoppers to actively opt in to marketing emails will have left many retailers’ email databases depleted.
However, Mann argues that is not necessarily a bad thing.
“You’ve got a situation where customers are self-selecting organisations that they want to keep in touch with,” he says.
“As a business you will have a smaller base of people who want to engage with you, but when you look at email engagement your open rates and opt-in rates will go up.”
Grant echoes that sentiment.
“Of the half [of our email database] that we’ve lost, some will not have been active customers and may have been one-off purchases on there by default,” he says.
“The half opting back in over the last three months are most likely to be the most active and targeted clients.”
As the dawn of GDPR approaches, have retailers’ boards treated the legislation as a priority in the run-up?
Grant says he has. Mann says “it’s been high on the agenda of every PLC”.
However, that is not true for all businesses.
“GDPR is an opportunity for forward-looking organisations”
Former Tesco Clubcard director Andrew Mann
Capgemini research found that GDPR implementation is not a priority for 15% of European organisations, while 35% say the sole purpose of their GDPR implementation is simply to comply with legislation.
There also seems to be a disconnect between the extent to which retail executives think customers care about the legislation versus how much they actually do.
According to Capgemini, eight out of 10 executives of European firms say customers trust their organisations with the privacy and security of their data – a statement only 52% of consumers agree with.
May 25 will be the start, not the end, of GDPR, and its impact on the retail industry will continue to reverberate in the coming months and years.
However, Mann is confident that, if handled correctly, it could bring benefits for the industry in the long term.
“GDPR is an opportunity for forward-looking organisations,” he says.
“It is an opportunity for them to reset around the customer and reset their digital transformation.”