There has been a lot of buzz around the General Data Protection Regulation (GDPR) and how it will impact various organizations. The GDPR is a legal subject with wide scope. The following blog post describes how the GDPR will impact online retailers who sell products and services and manage customer data and discusses how such retailers can comply with the GDPR.

Background

The EU designed the GDPR, which will come into force this May 25, to harmonize data privacy laws across Europe. The GDPR applies to all organizations that process and hold the personal data of data subjects residing in the European Union, regardless of where they are based.

The GDPR introduces significant new requirements that impact how organizations handle customer data. The repercussions for non-compliance include multi-million euro fines, both for organizations located within the EU and for those that handle data corresponding to EU citizens but are located beyond its borders.

About the GDPR

The key purpose of the GDPR is to give customers back control over their personal data. While several requirements, taken together, determine whether an organization is compliant, this discussion is limited to the following essential, interrelated points:

  • Consent: The data subject’s consent to process data is requested in clear and plain language.
  • Processing limitation: The data is processed solely for the purpose for which it was collected.
  • Right to be forgotten: The data subject can withdraw consent at any time and request that their personal data be deleted.

Impact

These requirements mandate that most organizations significantly update their business processes, technology, and solutions. The financial penalties for non-compliance reach up to 4% of a company’s global turnover, and this is bringing data protection compliance to the top of many a boardroom agenda. For retailers, the bigger challenge is retaining customer trust.

The way forward – Business capabilities for the GDPR

Most retailers will seize this opportunity to improve the customer experience by handling customer data in a more organized way. This will not only increase overall customer satisfaction, but also strengthen the brand’s identity around trust and transparency.

In due course, retailers will build or update their business solutions and introduce stringent processes for privacy impact assessments. Online retailers need to build capabilities such as:

  • Notifying customers in a clear and transparent way whenever additional processing of their data is needed
  • Creating an easy way to capture customer consent and customer requests regarding the handling of their own data
  • Presenting customers with a snapshot of their entire profile, and letting them change and update their consent, switch their preferences on and off, and enhance their journeys
  • Providing data retention services through which a customer can exercise the right to request that their information be removed from the enterprise or that their data no longer be processed.

All these business capabilities require significant changes in the application landscape, processes, tools, and technologies.

Preparing IT for the GDPR

The journey from defining business capabilities for the GDPR to building IT solutions will be long. Given the GDPR and ever-rising expectations of customer experience, the way forward is long-term IT solutions that are holistic and account for customer data security. For instance:

  • Building a customer data privacy framework
  • Procuring or building a customer data integration solution that enables organizations to centralize customer information from different applications within the enterprise; creating a single view of the customer that is leveraged across the enterprise
  • Procuring or building best-of-breed industry frameworks, platforms, and products that provide security and customer identity access management
  • Building services (or micro-services) that provide a 360-degree view of customer information (consent management, customer data capture/update/deletion)
  • Setting up a CDI (customer data integration) solution that can trigger events to halt, pause, or remove customer information upon customer demand.
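The three requirements listed under "About the GDPR" (consent in plain language, processing limitation, right to be forgotten) and the service capabilities listed just above can be made concrete in a small consent-management service. The following Python is an added example written for this post, not code from the original article or from any vendor product; the class name ConsentService, the purpose names, the two downstream stores (a CRM and a marketing platform) and the customer id are all constructed assumptions. It enforces purpose limitation with a per-purpose consent check, treats withdrawal as a "pause" that halts processing for one purpose, and implements erasure as an event fanned out to every registered downstream system, returning a per-system result so that a failed deletion is visible rather than silently lost.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class ConsentRecord:
    """One consent decision for one purpose, keeping the notice text the customer saw."""
    purpose: str
    granted: bool
    notice: str
    recorded_at: datetime


class ConsentService:
    """Illustrative consent-management service (an assumption for this example, not a real product)."""

    def __init__(self, purposes):
        self.purposes = set(purposes)
        # customer id -> purpose -> latest consent decision
        self._consents: Dict[str, Dict[str, ConsentRecord]] = {}
        # downstream systems (CRM, marketing, analytics) that must act on an erasure event
        self._erasure_handlers: Dict[str, Callable[[str], bool]] = {}
        self.audit: List[str] = []

    def register_downstream(self, system_name, erase_fn):
        """A downstream system registers the callback that deletes a customer's data there."""
        self._erasure_handlers[system_name] = erase_fn

    def record_consent(self, customer_id, purpose, granted, notice):
        """Capture a consent decision; the purpose must be known and a plain-language notice is required."""
        if purpose not in self.purposes:
            raise ValueError(f"unknown purpose: {purpose}")
        if not notice.strip():
            raise ValueError("consent must be requested with a plain-language notice")
        rec = ConsentRecord(purpose, granted, notice, datetime.now(timezone.utc))
        self._consents.setdefault(customer_id, {})[purpose] = rec
        state = "granted" if granted else "withdrawn"
        self.audit.append(f"{customer_id} consent {purpose}={state}")

    def can_process(self, customer_id, purpose):
        """Processing limitation: allowed only if a current, granted consent exists for this exact purpose."""
        rec = self._consents.get(customer_id, {}).get(purpose)
        return rec is not None and rec.granted

    def withdraw(self, customer_id, purpose):
        """Pause processing for one purpose; the data itself is retained until erasure is requested."""
        rec = self._consents.get(customer_id, {}).get(purpose)
        if rec is None:
            return
        self.record_consent(customer_id, purpose, False, rec.notice)

    def profile_snapshot(self, customer_id):
        """Snapshot of the customer's current consent state per purpose."""
        return {p: r.granted for p, r in self._consents.get(customer_id, {}).items()}

    def erase(self, customer_id):
        """Right to be forgotten: fan the erasure event out to every downstream system, then drop local records."""
        results = {}
        for name, erase_fn in self._erasure_handlers.items():
            try:
                results[name] = bool(erase_fn(customer_id))
            except Exception:
                results[name] = False  # a failed deletion is reported, not hidden
        self._consents.pop(customer_id, None)
        self.audit.append(f"{customer_id} erasure requested; results={results}")
        return results


def build_demo():
    """Constructed sample: two downstream stores and one customer with two granted consents."""
    crm = {"cust-42": {"email": "customer@example.com"}}
    marketing = {"cust-42": {"segments": ["loyal"]}}
    svc = ConsentService({"order_fulfilment", "marketing_email"})
    svc.register_downstream("crm", lambda cid: crm.pop(cid, None) is not None)
    svc.register_downstream("marketing", lambda cid: marketing.pop(cid, None) is not None)
    svc.record_consent("cust-42", "order_fulfilment", True,
                       "We use your address to ship your order.")
    svc.record_consent("cust-42", "marketing_email", True,
                       "We will email you offers. You can stop this at any time.")
    return svc, crm, marketing


if __name__ == "__main__":
    svc, crm, marketing = build_demo()
    print("marketing allowed:", svc.can_process("cust-42", "marketing_email"))
    svc.withdraw("cust-42", "marketing_email")
    print("after withdrawal:", svc.profile_snapshot("cust-42"))
    print("erasure results:", svc.erase("cust-42"))
    print("\n".join(svc.audit))
```

The check in can_process is the security-relevant part: a purpose that was never consented to (or whose consent has been withdrawn) is refused without raising, so callers cannot fall through to processing by accident, and the audit list gives the trail a retailer would need to show why a given record was processed or removed.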

Conclusion

Online retailers must build or procure standard products that can identify, secure, and manage customer data. This should be followed up with holistic IT solutions that comply with different aspects of the GDPR. Some product vendors have already started offering new tools or frameworks that enable enterprises to become GDPR compliant. The challenging journey for online retailers has begun.

We surveyed 1,000 executives and 6,000 consumers across 8 markets to explore attitudes to, readiness for, and the opportunities of GDPR. Download the report to read the complete findings: Seizing the GDPR advantage.