The EU-wide implementation of the stringent General Data Protection Regulation (GDPR) will come into effect next May. Why should retailers care and what are the silver linings?

It takes just a quick Google search of GDPR to be inundated with articles about the new data protection laws that veer from stern to downright fear-mongering.

The Financial Times described the incoming law as a “burden” for business that will lead to “more protection and bigger fines”.

On the surface it is easy for retailers to regard the regulation as nothing short of grim reading. The legal boss of one UK retailer says the situation is exacerbated by “the lack of clarity around what is expected of us” from government legislation or the British Retail Consortium (BRC).

One of the requirements of the GDPR is the need for businesses to get explicit opt-in permission from consumers to hold and use data on them across all channels.

Retailers will have to communicate specifically about how they intend to use all their customer data and gain permission to use it or delete it – which could sound the death knell to the single customer view, for which most in the industry are striving.

They are also required to report in-depth breakdowns of any data breach that has impacted customers to the Information Commissioner’s Office (ICO), ideally within 72 hours.

Failure to comply with any of these regulations comes with hefty fines of up to 4% of a firm’s global revenue or £17m, whichever is more.

Had these regulations been in place during 2016 the value of fines brought by the ICO against UK companies would have increased an eye-watering 79-fold to £69m, according to research by information security consultancy NCC Group.

This is particularly bad news for the retail industry, which was the biggest culprit in global data breaches in 2016, accounting for 22% of all data hacks worldwide, according to cyber security firm Trustwave.

The number of retail data breaches in the UK reported to the ICO doubled year-on-year in 2016. This figure is even more worrying when you consider it doesn’t paint a full picture of the number of cybersecurity breaches in UK retail – current legislation does not oblige retailers to report breaches to the ICO, but under GDPR they must.

Knowing the value of your data

Combine stringent regulations, hefty fines and less-than-robust standards of cybersecurity and GDPR could easily be seen as a ticking time bomb for retailers.

But it’s not all bad news according to Russell Marsh, managing director of Accenture Digital UKI, who says GDPR compels retailers to do things they should be prioritising anyway.

“This legislation means retailers get to overhaul processes to make them more efficient and streamlined, get people off their database who are of no value to them and are a drain in terms of storage and communication costs, and delete a load of information that adds more complexity to their businesses and that they never use,” he says.

“It forces retailers to assess what data is of genuine value to their business, which has been on a lot of UK retailers’ to-do lists for a while now anyway.”

So how can retailers ensure they are GDPR-ready, and even turn the legislation into an opportunity?

The first step is to ensure that GDPR is prioritised throughout the organisation.

Christopher Coughlan, head of data protection and privacy at law firm Ashfords, says: “This should be retailers’ number one priority because it’s not just a legal thing, it’s a transformation project.

“They need to get buy-in from the board because it will take resource and it should be a board level issue because of the consequences of getting it wrong.”

Marsh argues that it is essential for retailers to rigorously assess the data they have stored.

“Retailers need to do an audit or review of what data they have got, where it is and how it is being used,” he says.

“Once done they can start to look at the policies they have in place to make sure there is compliance and think about what technologies they need to mitigate holes in existing systems or platforms.”

He adds that one way retailers could get consent from customers to use their data is by compiling all the necessary permissions into a preference centre on their website.

This would allow shoppers to click where they are comfortable for their data to be used – be it in an app, using cookies on online shopping journeys or marketing emails, or purchases in store.

Is retail prepared?

How prepared is the UK retail sector to adapt to this shift in less than a year?

A spokeswoman for Tesco says the grocer’s data teams are in the process of ensuring they are compliant for next May, and the head of legal for one UK retailer says she expects to kick off any necessary restructures by this November to ensure the business is compliant by next year.

In May, Amazon said that its AWS platform, which is used by retailers ranging from Kurt Geiger to Maplin, had been made GDPR compliant.

However, Coughlan says these examples are not indicative of the level of readiness throughout the sector.

“I’m not aware of anyone in the retail sector that can say they’re fully prepared,” he says.

“Some of the bigger organisations will have thought about it; others will only be starting to think about it now; some won’t have thought about it at all and will think that they can wait and see what happens, which is a mistake.”

Remodel or start again?

Deloitte’s cyber risk services partner Peter Gooch agrees that there is “a mixed bag in terms of preparedness”.

“The real decision for retailers is to establish where they need consent to legalise the processing of data,” he says.

“It’s giving organisations a really difficult choice about how they get consent: do they go back and try and re-establish consent from their shoppers for historical data they are already using and risk alienating their customer base?”

One business that has sidestepped this altogether is pub chain JD Wetherspoon, which revealed in June that it would delete its entire customer email database in order to be GDPR-compliant.

Wetherspoon said that keeping customers’ emails did not deliver sufficient return on investment to justify the operational costs associated with ensuring it was compliant with the new data regulations. Could there be retailers that decide the same in the months to come?

One UK retailer’s head of legal was sceptical that this tactic would be mimicked across the sector.

“Our data is far too valuable. We’ve built it up over years and it is a huge driver of our sales and our loyalty programme, so we have to make sure we’re compliant,” she says.

The head of legal added that the business had drafted in an external advisor to assess its use of data and “get a clear roadmap” on how to ensure it was GDPR-compliant.

Unexpected upsides

Although deleting siloed data may be untenable for many retailers, Deloitte senior manager Craig Palmer says that GDPR may actually help retailers’ marketing efforts, not hinder them.

“We have seen some retailers thinking down the lines of whether it’s more valuable to target their best customers to know them better, rather than to have masses of information on a wider audience,” he says.

“There are some retailers that are adapting their business model to reduce the amount of data they retain in favour of a more high value approach.”

Coughlan agrees that cutting down silos of data in preparation for GDPR can have some unexpected upsides.

“I know a lot of organisations that have worried about deleting contact details but have then found that once they streamline they have a more effective marketing division that adds value to the business,” he says.

There is no denying that GDPR will have a significant impact on how retailers communicate with their shoppers, and the risks of not having your house in order by next May are high.

However, for retailers grappling with how to properly mine their data, this legislation could be a silver lining rather than a looming storm cloud.