Q&A—As deadline for EU data regulation draws near, 87% of North American companies are unprepared

Data leaving the EU will be highly regulated starting May 25. (Image: CC0 Public Domain)

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018, transforming how retailers handle consumer data. Under the new law, created by the European Parliament, EU and the European Commission, personal data leaving the EU will be closely regulated. Unfortunately, many companies are ill-prepared. According to a recent study by Ernst & Young, only one-third of global companies and 13% in North America have a plan in place to comply with GDPR.

Sarah Taylor, SmartFocus
Sarah Taylor

FierceRetail sat down with SmartFocus Chief Marketing Officer Sarah Taylor to talk about how retailers can triage new personal data processing requirements under GDPR and steps they can take to transform this watershed regulation into the ultimate digital marketing opportunity.

FierceRetail: How will the GDPR affect how retailers and manufacturers are currently doing business?

Sarah Taylor: GDPR has far-reaching implications for any organization that handles EU citizens’ personal identifiable information (PII) such as names, addresses, contact information, payment methods, IP addresses and anything else that can be used by a company to identify an individual that it interacts with. Most notably, the new law will transform digital marketing for retailers and brands, as companies must now comply with new, stricter requirements for different aspects of data security, retention, collection and disposal. For example, companies that collect data on citizens in EU countries will now have to seek the explicit consent of individuals to store and use their personal data. Companies must also keep data securely stored and only for as long as it needs to be held. Complicating matters, GDPR has a very broad definition of what constitutes a reasonable level of protection for personal data and PII and contains new and clarified rights for EU citizens regarding their information—including Article 17 (the right to be forgotten) and Article 21 (the right to object), among other rights and requirements. And, with record fines of up to $20 million or 4% of total annual revenue if regulations are not met, GDPR is poised to have a significant impact on retailers around the globe.

FierceRetail: Do you think it will have more of an impact on domestic or international retail?

Taylor: The reality is any company that stores or processes personal information about individuals resident within the EU must comply, even if they do not have a business presence within the EU. This will have a significant impact on digital marketing practices for all retailers. More importantly, while GDPR may seem like a compliance tick box for some and a burden to others, it should be embraced as the ultimate marketing opportunity—a chance to improve the use of data to engage the right customers, with the right message, at the right time in order to gain trust and loyalty, influence purchases, and lead to more profitable business revenue.   

FierceRetail: And, how will it specifically affect U.S. merchants?

Taylor: The scope of GDPR is extensive and impacts all industries. Specifically, it changes the way that companies handle audience and customer data. Under the new law companies will have to seek the explicit consent of individuals to store and use their personal data for processing and marketing purposes. Consent must be informed and made by the consumer through a clear mark such as ticking a blank box or moving an on-screen slider. It must also be clear what the person is giving permission for (a newsletter, telephone contact, direct and email and data processing) and be freely given. Companies will also need to be able to justify why they are holding each piece of personal information and the basis on which is it being used for marketing.

FierceRetail: Why are so few retailers ready with the date just a few months away? 

Taylor: In North America, many companies have not, up until recently, realized that the GDPR applies to them. Understandably so, there is a lack of clarity around specifics of what constitutes personally identifiable information (PII). For example, some companies don’t realize that email-marketing databases contain PII, and so some companies have avoided preparation due to lax assumptions. Some of the largest companies feel the risk of fines do not outweigh the investment to get their data cleansed and in compliance. Other, smaller organizations simply do not have the resources to manage it.   

If you cannot prove that informed consent to store and act on personal data has been freely given, it’s time to clean and consent your databases. Very few businesses will have had the foresight to predict the GDPR, especially if based in North America. It, therefore; makes the approach to cleaning and then consenting a priority. 

FierceRetail: So let's say a retailer does want to comply but has not started yet, what are the immediate steps to start taking in order to be done by May 25?

Taylor: The top priority is to assess what types of information is held by different parts of the organization. If data is based on consent that cannot be proven, seek re-permission. Send opt-in newsletters to existing customers and request they 'opt in' or be removed from the list. While this approach will result in some removals, it will pay off in the long run by establishing a more qualified list. Give ownership of GDPR to an executive such as a Data Protection Officer. Also, ensure your marketing platform and tools enable you to assess, justify and audit what and how information is used, facilitate re-permissioning and reveal if a breach has occurred. If not, it’s time to reinvest or expand your toolbox.

FierceRetail: Are there any steps you anticipate being the most challenging? Any advice for getting over these hurdles?

Taylor: The first step is to accept that if you do nothing, the data you have invested in is becoming worth less and less every day, to the point where in the very near future it will be a corporate risk. One of the biggest challenges with GDPR  is transparency with regards to seeking consent. Businesses need to fully embrace GDPR and be up front and clear about wanting to connect with their audiences, across all channels, and offer them the option of signing up for continued contact. If it is not forthcoming, that individuals’ personal data should be removed.

Next, it’s important for companies to start now. There is a huge imperative to get moving, not only for compliance but from a competitive standpoint as well.  GDPR levels the playing field, affecting all businesses that access and store information belonging to European residents. The sooner you start to engage your audience built upon trust, the sooner you are able to differentiate from your competitors by building engaging campaigns that build trust. While GDPR is often first viewed as an extra compliance hurdle, there is a positive side. Improved regulation which offers more control to consumers over who can contact them and for what purpose, can only lead to better relationships with customers.

FierceRetail: What else can you tell us about preparing for the ‘last mile’?

Taylor: GDPR is a challenge but it is also an opportunity to rebuild relationships with consumers based on informed consent and mutual trust. Using and collecting data more effectively for brands—and in a way that complies with the GDPR—will ensure that marketing programs can operate globally rather than just in or out of the EU region.