Get Ready for Changing Data Regulation - GDPR overview: Personalisation & Preparedness 2017/2018


Introduction

The on-going evolution in customer expectations demands a more personalised and intelligent approach to customer experience.

In the age of the customer, competitive advantage is dependent on a deep knowledge and understanding of your customer; then acting on the insight to create a unique, and personalised, value proposition regardless of the shopping channel.

The goal is to understand customers, give them the experiences they want and keep those experiences consistent across all touch points (delivering excellence in every single interaction). As Rob Burton, Online Innovation Delivery Manager, Sainsbury’s, says: “It’s about acknowledging customers there and then.”

No doubt, it’s an exciting time for retailers, but there are significant challenges associated with the innovation behind data-driven engagement and personalised experiences across the entire shopping journey. First and foremost, to drive loyalty and revenues through personalisation, it’s important to get your data in order, and then leverage the insight that matters. This is no easy feat.

To achieve the personalisation vision, retailers must better manage and integrate data across the organisation, analyse behavioural data throughout the entire journey, and empower all staff (and partners) with the insight and technology to make meaningful connections.

But it’s not that straightforward, says Brian Hogg, Head of Digital Delivery, Thomas Cook: “In terms of personalisation a challenge we have, which is particularly prominent in the UK, is to deliver a seamless experience for the customer, irrelevant of the channel they choose to engage with.”

In this sense, making personalisation a reality, and instilling customer-centric thinking at the heart of retail, requires a considerable investment of resources as well as a willingness to experiment and make continual improvements. In short, it requires a shake-up of traditional business models.

Undeniably, the future of retail lies in the ability to forge long-lasting and deeper connections with customers in a seamless, authentic and engaging manner. It means knowing customer preferences, and behaviour, with a much finer granularity than ever before, to better serve their needs.

But, if personalisation isn’t tough enough, all this comes at a time of significant change in the laws regarding how retailers capture, store, share and process customer data.

The new General Data Protection Regulation (or GDPR) – which officially applies from 25 May, 2018 – places heavy new responsibilities on retailers when it comes to managing data.

All data collected on customers, and colleagues, (with very limited exceptions) will fall within the scope of the GDPR. This means retailers are entering a stricter, more complicated era in which the collection of personal data will be looked upon far more stringently. Such data includes email addresses, cookies, IP addresses and transaction history (among other things).

Any retailer, regardless of whether they are in Europe or not, that processes personal data on EU citizens is accountable.

The non-compliance fines under GDPR are up to 4 per cent of a company’s global revenue - enough to make all retailers pay attention. As Edward Osbourne, John Lewis says: “That’s a sit-up and take notice statement.”

In this light, as retailers move towards GDPR compliance, it brings to the forefront the old adage - who actually wants to have a conversation with your brand?

This is a sentiment that Seth Godin emphasises in his book Permission Marketing. Although now over ten years old, the book reflects today’s common marketing practices: getting permission to market to your audience, for example via an email list, and then building a relationship, before eventually making a sale. Essentially, Godin says that when people give you their contact information voluntarily and tell you it is okay to send them more, that’s when you know you have permission to market.

But ‘permission to market,’ in this sense, will change under the GDPR. Retailers must carefully re-think each step in the process to ensure compliance; specifically when it comes to fulfilling new consumer rights around consent and relevant marketing content, i.e. ‘Explicit consent,’ the ‘Right to be forgotten,’ and the ‘Right to not be subject to profiling.’

The onus is on retailers to ensure they are fully compliant before 25 May, 2018. And just in case you were hoping Brexit would take it all away - it won’t. Although Brexit will have a potential impact on the UK, UK retailers operating within the EU will no doubt have to comply.

Against this backdrop, the real challenge for retailers right now is three-fold: (1) to better understand the customer; (2) to leverage data insights to deliver exceptional experiences; and (3) to balance all this activity within the mandate of the new data regulations – the GDPR. In the future, retail executives will share common pain points, and opportunities, in wanting to satisfy modern customer expectations head-on with seamless, personalised encounters while adhering to the new regulations.

Therefore, it comes as no surprise that for many retailers, GDPR is a top objective for 2017. Those retailers who plan accordingly and implement changes that align with the host of new regulation will benefit. Those who do not could not only pay a heavy price financially, but also potentially suffer irreversible reputational damage.

For all retailers, there is now plenty to be done. Good planning from here on in will pay off to meet the eventual major compliance impact, and keep business going as usual.

What new rules will there be?

Four of the ‘core’ new rules retailers need to know:

1. Retailers must obtain active and affirmative consent from customers to store their data – which means no more of those little pre-ticked boxes on retailers’ websites

2. Customers will now have a right of access to all the data retailers hold about them, and to erase or amend that data. They will also have the right to insist on data deletion under ‘right to be forgotten’ obligations

3. The definition of ‘personal data’ has been significantly expanded. It now includes any data that could identify an individual, including IP address, cookies and any anonymised data which could be potentially linked back to an individual

4. The definition of a ‘breach’ has also been expanded. Unauthorised access, such as accidental sharing between employees, or any loss, alteration, or destruction of data are all now seen as breaches, not just hacking attacks

What you need to consider

Given the high fines and potential irreversible reputational damage for infringements, the drive for data protection compliance among retailers should be a priority. So, with just a year before GDPR becomes law, we quizzed some retail ‘heavyweights’ on their preparations, concerns, challenges and opportunities relating to the GDPR:

What’s the big deal?

Multichannel and Digital Retail Specialist, Puneeta Mongia is hugely experienced in the world of retail data management having previously led multichannel strategies for Vodafone, and most recently O2.

First and foremost, we must understand what ‘it’ really means, she says: “It’s vital to understand what GDPR means, as it encompasses all different things. The big question is what do we mean by ‘data;’ how is it regulated today, and how will it be regulated in the future?”

Safeguarding data and privacy by design will no longer be an add-on, but, instead, will become the standard as retailers must incorporate data protection from the very beginning.

The Chief Data Officer (CDO), Chief Information Security Officer (CISO) or Chief Information Officer (CIO) – or, most likely, all three working together – must implement appropriate measures and technical solutions to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed (according to new regulations). This includes the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

It’s all about trust, Mongia adds: “The explosion of eCommerce, and then multichannel marked two big steps forward for retail …the third is personalisation. Retailers want to offer personalised services and products, but right now there is a breakdown in trust between retailers and consumers. In terms of GDPR then, the biggest challenge will be how to market on a personalised basis to my customers while remaining compliant and trustworthy. In this sense, the crux of the issue is how do you get customers to trust you?”

Bringing your data into line with GDPR will have cost implications, but there are also opportunities, Mongia concludes: “Bringing data together with a clear understanding of data rights could enable retailers to: redefine and personalise their marketing, driving brand engagement, loyalty and sales; remove the daily drudge and supercharge employee effectiveness; and, with more efficient access to data, better strategic and trading decisions.”

But, underlying all these opportunities is encouraging consumers to allow us to store and use their data, Mongia says: “Don’t ask abstract data questions. Do create compelling reasons for consumers to want to share data (e.g. faster checkout, better offers etc.) Do ask specific data rights when they are most useful to the consumer. And use data responsibly! Trust is the key.”


Is my team ready?

Anyone responsible for data will have considerably more responsibilities and obligations under the new rules, says Jonathan Armstrong, Compliance and Technology Partner, Cordery: “Processors will now have direct obligations, and, exposure to fines under the new rules.”

The CDO, CISO or CIO must implement technical and organisational measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the new GDPR rules.

Training will be essential to guarantee all relevant staff – across customer-facing roles, commercial and human resources – understand what’s expected of them, how to respond and how to handle data.

What’s more, the CDO, CISO or CIO will have to maintain records of processing activities, according to detailed criteria set out under the new rules, which must be made available upon request.

As Multichannel and Digital Retail Specialist, Puneeta Mongia, says: “Every retailer should put a data council in place. It’s essential to keep customers safe and secure.”

What do I need to know about customer consent?

The requirements for consent have been changed. Retailers will not be able to rely on silence or opt-outs and instead an active process such as box-ticking will have to be put in place.

As Claire Playle, Marketing New Initiatives and Acquisitions, Dixons Carphone says: “The biggest challenge we face because of the GDPR, is aligning all our brands and ensuring strong data capture, but with compliant activity. We plan to make significant investments in terms of processes, systems and people across our multiple brands to ensure compliance. The data side of things will be a huge adjustment, but one which we have already started to begin.”

Michel Koch, CMO, Time Inc. agrees: “The more and more things like ‘social shopping’ gain traction among retailers, more KPIs and metrics for success will need to be put in place… This not only means joining-up the data around different customer touch points, but retailers will need data to justify the initiative in the first place.”

Consent is also a big consideration for UK videogame giant, Game Digital. “We will need to invest significantly in processes, personnel and technology to ensure compliance with GDPR, but the big challenge we face is data discovery,” says Ned Finn, Head of IT Security: “Knowing where it is, who put it there, why, when, and with what authorisation.”

We have a plan in place, but the cost is a burden, Finn adds: “We have planned solutions for this as I am experienced in the field coming from a technical background and having experience of multiple tools, knowing which ones work, and more importantly which don’t. The issue is the cost of these tools, the man hours conducting the clean-up, and then the ongoing resource to keep it clean.”

In the luxury sector, we have a slightly different challenge, says Andrew Webb, Digital Transformation Director, Jimmy Choo: “There is a lot of informal networking going on, WhatsApp for example, which can be more relevant, personal and in real time. This is what customers really want. But managing that in a world where GDPR is coming is something all of us are going to have to figure out.

“Customer segments are increasingly fragmenting. The idea that brands keep ‘pushing’ is something to steer away from. And, rather, brands should become more ‘pull,’ where the consumer can engage as and when they want. But it’s a big mental shift.”

Inevitably, the GDPR will have a huge impact on resources, but it’s a positive step forward overall, Finn concludes: “Obviously, it’s going to be resource hungry, more bodies, more processes. We are all just going to have to be much tighter on why we have the data, what we are doing with it, and how we are protecting it. Whatever way you look at it, it’s a good thing, and the right thing to do, and in the security profession it helps us gain support from the exec team.”

In this light, consent is a feature that retailers will therefore have to pay special attention to under the GDPR.


When will we have to report data breaches?

Breaches must be reported no later than 72 hours after the business has become aware of the breach. Retailers then must put in place a clear data breach action plan as a top priority and train staff accordingly.

As Titus Trossel, Senior Project Manager, Dixons Carphone, says: “It’s about how quickly you respond; how good you are at getting back to the regulator.

“At Dixons Carphone, we have a program in place, carefully looking at all aspects. But I think the problem is very few people in the industry understand exactly – to what extent – you need to adhere to the GDPR rules... Is what’s set-out the Gold Standard? Where do you need to be within the rules?”

And it impacts everything, Trossel adds: “…Every customer touch point, everywhere you use customer data (and colleague data). Right now, retailers are in the investigation process; where should we be looking at? …It’s not just the obvious places GDPR will play a role. It’s much wider than just customer data and payment data, it extends to HR systems, CRM Campaign Managers, Commercial Managers and more, it’s really wide.”

What kind of fines do we face for breaking the rules?

Under the GDPR, the regulator will have the power to impose high fines for infringing the new rules. The highest level of fine is either a maximum of 20 million Euros, or 4 per cent of the global annual turnover of a business (whichever is the greater).

What should I do now? Key steps to help prepare for GDPR

As seen here, GDPR will bring a high level of compliance obligations, with significant financial, technical and administrative costs.

Overall, our research suggests a lack of preparedness for GDPR and confusion over who is ultimately responsible for its adherence and compliance. While every retailer will be at a different stage on their GDPR compliance journey, careful consideration must be given to:

Investment – Specifically, review all key procedures for data collection, retention and destruction – essentially, map your data and determine areas of risk

Policy and procedure – Prepare privacy policies, procedures and compliance statements and keep them up to date. Data protection authorities will be able to ask for these during audits

Process – Implement a notification process to report possible breaches and review incident detection, management and response process and capabilities

Review – Thoroughly review vendor contracts, and the GDPR readiness of partners throughout the supply chain

Training – Implement regular training for all staff to generate awareness

Tackle ‘Rights’ head on – Develop a strategy and process to fulfil the consumer’s ‘right to be forgotten’, ‘explicit consent,’ and the ‘right to not be subject to profiling’

Privacy by design – ensure that privacy by design requirements are included in all strategic and technical thinking and investment


Key Challenges

In summary, our interviews and broader research suggest four key challenges in terms of retailer preparedness:

> To ensure all processes are adapted to the new regulations across all departments and brands within the organisation, and then to raise awareness within the organisation of those changes

> Loss of visibility, i.e. potentially losing the right to use valuable customer data; and having to bring together data, and re-qualify use of data for existing customers

> Putting the correct systems and processes in place for consent, and access, to ensure compliance across the entire supply chain (i.e. as well as scrutinizing their own position, also carefully monitoring the GDPR readiness of partners and vendors to safeguard that they have met requirements).

> Timelines – Ensure all decision makers are aware of the changes coming and the ‘key dates’ they need to be compliant with


Does GDPR really mean a ‘Great Deal of Pain for Retailers’?

The GDPR is great news for anyone that shares their personal data with a retailer and is an essential step to strengthen the rights of customers in the digital age. Not only should consumers have the right to have their personal details kept safe, but they should also have the right to complain and obtain a response if their data is misused. GDPR will give consumers more control over their personal data. It will make it far easier for them to access and manage it, delete it (‘the right to be forgotten’) and to know when their data has been hacked. Most people agree that the GDPR is good news all round for the consumer.

Similarly, most retailers welcome the simplification of rules and regulations applying to their business. For any retailer operating across EU country borders, it will be far easier to comply with one set of rules instead of 28. But this alignment comes at a significant cost to retailers. Attitudes, processes and IT policies need to change. Data protection needs to be ingrained into a business by design. But it is important to recognise the challenges retailers face to migrate to data-led solutions that will make sure ‘big data’ can be stored and analysed efficiently without compromising the security of customers during the process. It’s easier said than done when dealing with legacy systems, says Charles De Clerck, IT Customer Relationship Manager, Waitrose: “The technology has advanced enough, but our businesses haven’t advanced enough to adopt them and make the big investments.”

Retailers must now be scrupulous when it comes to data management. Systems and products must be built from the bottom-up around privacy and the standard position must only be to collect sufficient data for the precise processing involved. What’s more, many retailers don’t have the expertise or tools to process and handle increased volumes of data and will likely have to consider moving from old payment infrastructure to modern payments systems capable of handling the rigorous demands placed upon them by the GDPR.

Mapping data is vital, Jonathan Scott, Director, Data Science and Analytics, Hitachi Solutions, says: “Maintaining a good data catalogue with lineage is very important. Master data management, data lake and data catalogue type technology can all help.”


Conclusions

Life is never smooth sailing in the retail industry. The real challenge for retailers is to appreciate the true value of digital, in forging deeper connections with customers to better serve their needs.

Give customers what they expect, but bring the unexpected to drive increased conversion and loyalty. The ability to deliver personalised data-driven experiences, while complying with the GDPR, will truly set the successful apart as we move into the new era of retailing.

Whilst GDPR is perhaps long overdue and much needed, there’s no doubt that it will pose a significant test to multichannel retailers and their partners.

As the GDPR involves various strategic steps, with GDPR awareness being the first step, it’s pretty scary to discover that even in the area of ‘awareness’ about the GDPR there is still a lot of work to be done among retailers.

GDPR is a game changer. Policies, procedures, technologies, training and staff will all need investment to achieve compliance. Retailers that delay assessing the impact of the regulation on their business now are at risk of investing in resources and services that will be obsolete in one year’s time.

If you’re invested in the UK and/or Europe and you haven’t started preparing for GDPR, you’re behind. Don’t let GDPR become a Great Deal of Pain for Retail. Take action now.

To avoid potential regulatory fines or worse, damage to your brand and reputation, you must act now to identify where your data resides and how to protect it. As arduous as the new accountabilities presented by the GDPR may seem, retailers that proactively manage GDPR compliance by advancing their security can increase consumer trust, and are likely to be more resilient going forward.

In this light, it’s worth considering that compliance with GDPR can also be a business opportunity for retailers who get it right to present themselves as trusted, responsible and ethical.

Final Thoughts

Everyone has a right to the protection of their personal data. If retailers don’t protect their customers’ data then not only are there financial implications but trust is lost.

In the age of the customer, the relationship retailers have with customers is the greatest source of competitive differentiation, yet the onset of GDPR has the potential to disrupt all of this – if not managed correctly. To capture customers’ hearts and business, retailers must instil the training, processes and technical solutions necessary to comply with the GDPR, so they can harness valuable data and insights and create a more personalised experience across all channels.


One Connected Community is a specialist consultant on the role of technology in customer experience, transformation and outcome-driven innovation. Our partners research and share inspirational stories that highlight how technology and engaging customer experiences make a real difference to the bottom line. Founded on a social enterprise model, business proceeds support London’s young adults who have learning disabilities. www.oneconnectedcommunity.co.uk

Hitachi Solutions is the global leader in delivering success with business applications based on the Microsoft Cloud. We are a trusted provider of vertical industry solutions built on the Microsoft Cloud. Our mission is to help clients compete with the largest global enterprises by using powerful, easy to use and affordable industry solutions. http://www.hitachi-solutions.co.uk/