GDPR and retail, what’s the big deal?
Written by Alan Douglas, director, Talisman Innovations
The General Data Protection Regulation (GDPR) comes into force in May 2018. The GDPR builds on the Data Protection Act by setting out the rights of individuals and the responsibilities of organisations who generate and store information about those individuals. Should modern retailers be concerned?
Anyone involved in today’s digital retail environment will know only too well that data about customers is constantly being created, processed and inferred. This customer data is used across an increasing range of platforms and channels, including personalised marketing to individual customers.
As customers interact with this personalised messaging, more data is automatically generated, collected and stored in a range of systems, such as content management systems and customer relationship management (CRM) systems. At the heart of this activity is usually an integrated single customer view (SCV) or whole customer profile.
Take, for example, a retailer who can generate tens of millions of pounds per year through email marketing to existing and potential customers. Those customer details will have been collected by a range of business systems and processed into a SCV in a CRM to drive these marketing campaigns.
What will the arrival of GDPR mean to this retailer? Perhaps the two most significant additions in GDPR are the right related to automated decision making and profiling, and the ‘right to be forgotten’. These two rights are likely to cause a major problem for the retailer.
Complying with the customer’s ability to challenge automated decision making and profiling will involve unpicking the multiple, inter-connected systems and algorithms that contributed to the generation of the customer’s profile. Where did all the customer’s data come from? How was it processed at each stage? What inferences were used at each stage? How did those inferences affect the subsequent stage of processing? Responding to any ‘subject access request’ is going to be very time consuming for all, and almost impossible for some, in this scenario.
Supporting a customer’s ‘right to be forgotten’ could be even more complicated. It’s not as simple as removing the customer record from the CRM. Customer details in each record must be traced back through all business systems and removed from those systems as well. If the CRM doesn’t know where the data came from originally and how it has been processed, then how can the organisation track back and provide assurance that it has removed all copies and versions of the customer data in the multitude of source systems?
There are no easy answers here, as Wetherspoon’s recently reported decision to delete all customer email addresses shows. However one thing is for sure; retailers who replace black box systems used to process, profile and augment customer data can protect themselves by generating transparent and traceable single customer views. These retailers will be in a better position to continue their marketing campaigns, automated or otherwise, safe in the knowledge that they are both compliant and can demonstrate that compliance.
So, what do retailers need to be able to do to comply? Transparency and traceability is the answer:
• You need to know where all customer data has come from.
• You must be able to show how all data was processed and what automated processing (algorithms) were applied.
• You must be able to prove that you have the customer’s consent to use each piece of their data for each specific purpose.
• You need to be able stop using a specific piece of their data for a specific profiling purpose, whether one, 1,000 or 10,000 customers ask you to.
GDPR is not to be taken lightly. With up to four per cent gross revenue fines for non-compliance, perhaps the Information Commissioner’s Office will be looking a scalp to make a point? Make sure it’s not you.