Data privacy remains a significant issue for regulators, consumers and businesses, especially within the retail sector. After massive data breaches at some of the largest retailers, more than 70 percent of U.S. shoppers are worried about how brands use and collect their personal data.
As it stands, the big technology giants, like Facebook and Google, are under a strict microscope to comply with consumer privacy and law enforcement. However, many smaller retailers are flying under the radar, even where they are supposed to be complying with 2018’s European Union data privacy law GDPR, according to Lucas Wojcik, CISO at Productsup.
In conversation with Digital Journal, Wojcik explains where brand and retail marketers are in terms of complying with GDPR one year in.
Digital Journal: Why have some of the big retail data breaches occurred?
Lucas Wojcik: When GDPR went into effect a year ago, regulators hoped it would prevent companies from experiencing breaches. However, some retailers have been reluctant to comply with GDPR out of fear of losing data that provides value to their core business and avoiding the costs associated with achieving initial compliance. Additionally, many retailers don’t have a good understanding of the GDPR requirements or know how to implement changes into their processes to achieve compliance. Rather than allocate the money and time to ensure their companies are abiding by GDPR regulations, retailers would rather run the risk of exposing themselves to a breach.
DJ: What has the impact of these breaches been on consumers?
Wojcik: Consumers have had the most to gain from GDPR being enforced a year ago. By knowing which brands they shop with are compliant, they have more control of keeping their personal information safe. For consumers who want to keep their data private, they can choose to shop with retailers that have transparent processes and are adhering to GDPR regulation.
By way of nature, GDPR has forced many retailers to rethink how they collect and store user data, making the customer’s experience with the brand more authentic. Rather than being targeted by brands they’re not interested in, consumers can decide who has access to their contact information and vet which companies can reach them.
DJ: What impact has GDPR had on retailers?
Wojcik: The impact GDPR has had on retailers depends on if the retailer is compliant or not. If it restructured its processes to achieve compliance and is proactively adhering to the regulation, it’s claiming the benefits of building transparent, personalized and intelligent relationships with its customers. Through improved inbound marketing strategies, like content syndication, social media marketing, SEO and branding, GDPR-compliant retailers are advancing the way they reach their customers.
However, many companies have fallen behind in adhering to the requirements out of fear of losing revenue or not knowing how to navigate them. As consumers start to demand stronger data privacy, they lose trust in companies that are slow to release information and downplay severities. Non-compliant retailers also put themselves at risk of data breaches resulting in expensive court hearings, administrative fines and subsequent reputational damages.
DJ: Are retailers adhering to data privacy requirements?
Wojcik: GDPR requirements were announced well before the May 25, 2018 deadline, yet most brands identified the need to comply with the regulation only a few months prior to it being enforced. With this delayed reaction, many retailers are still working on identifying, developing and implementing the required technical and organizational measures to achieve compliance, as they underestimated the complexity of changing how they handle data.
DJ: Is there a difference between big retailers and small retailers?
Wojcik: Unlike big retailers who have the spotlight on them to proactively organize themselves to comply with GDPR, smaller retailers have been able to take a passive stance on changing how they collect and store data. This has allowed these companies to observe their larger competitors, waiting to see how the risks of poor compliance play out. Smaller brands don’t have the same resources as big companies, so rather than allocate the funds to become compliant, it seems more cost effective to fly under the radar with regulators’ attention focused on the brands that handle millions of users’ data. But with increasing concerns over data privacy from consumers and the upcoming CCPA, small retail marketers are beginning to take the regulation more seriously.
DJ: What do retailers need to do in order to conform?
Wojcik: For retailers who are still working toward GDPR compliance, they need to assemble a dedicated team that has a good understanding of the business, legal and IT-related processes within the company and will be able to make competent decisions. The team should establish a self-sustaining data protection management framework that will align the company with any new legal requirements, such as the CCPA, to ensure ongoing compliance. The framework should encompass the seven key principles of GDPR and be at the forefront of the approach for collecting, processing and storing user data.
Once a clear path to achieving compliance is determined, the team should conduct a thorough analysis to evaluate where the company currently stands with data privacy. From there, they can define a clear, risk-based approach that avoids tackling the entire backlog and trying to comply with all requirements all at once.
DJ: How can retailers convince consumers to share data going forwards?
Wojcik: Although many retailers see increased regulation around data collection as a threat to their business model, the smart brands see it as an opportunity to deepen their relationships with their customers. Rather than prioritizing the quantity of data, retailers should be focusing on improving the quality of the personal data they collect, which starts with understanding the purpose of collecting and storing the data in the first place.
GDPR-compliant companies gain a leg up on their competition by showing their customers they practice transparency and security in their processes. Building trust with consumers in today’s digital landscape is a difficult task, but by communicating you have achieved GDPR compliance, you assure your customers that their personal information will be safe if shared with you.