Data-Driven Retail in the Shadow of GDPR

Marks & Spencer recently revealed it is looking to data analysis to turn its fortunes around, combining information from its Sparks loyalty scheme, online interactions, and M&S Bank to offer personalised experiences to its customers. Lindsay McEwan, VP and managing director EMEA, Tealium, here writes exclusively for RetailTechNews, to highlight the importance of data-driven retail in the face of impending data regulations. 

M&S is far from the only retailer using data to drive personalisation. Tesco and Sainsbury’s have long used purchase data to deliver bespoke offers to their loyalty scheme members; while earlier this year John Lewis announced an extension of personalisation experiences on its website to optimise the customer journey. Boden, a retailer well known for its personalised clothing catalogues, recently boosted its add-to-basket rates by 18% by tailoring the mobile shopping experience to individual users.  

In today’s hyper-connected climate, retailers are increasingly turning to data insights to gain an advantage over their competitors. By unifying multiple data streams, retailers can obtain a 360º view of individual consumers, understanding who they are, what they are interested in, and how and where they shop. This enables them to deliver the engaging personalised experiences that lead 80% of consumers to choose or recommended a brand.

But, with the General Data Protection Regulation (GDPR) coming into force in May 2018, the rules around collecting and processing consumer information are about to get a lot tighter, potentially making data-driven personalisation more challenging. With 77% of retailers admitting they don’t yet have a comprehensive GDPR strategy plan, there isn’t much time left to prepare for the new laws. So, how will the regulation impact retailers and what can they do to prepare?  

The GDPR’s impact on retailers

Retailers across the world will be affected by the GDPR, even if they are not located within the EU, because the regulation applies to any company that collects and processes the data of EU citizens. This gives the legislation far greater reach than any previous data laws, effectively covering the global marketplace. One of the key focuses of the regulation is enshrining the rights of the consumer, giving them more control over the information that is stored about them and allowing them to request that data is updated, deleted, or even transferred to another company.

For retailers, one of the key changes will be the obligation to obtain explicit consent from consumers to collect, store, and process their data. They can no longer rely on implied consent, which is currently assumed when a consumer doesn’t opt out, but instead need consumers to specifically opt in, and must also provide those consumers with a mechanism for revoking permission. Retailers must clearly explain the purpose for which data is being collected and only use information for that purpose, ensuring it is deleted once no longer needed.  

The GDPR has a particular focus on profiling, which is defined as automated data processing intended to analyse or predict personal aspects of an individual such as their preferences, behaviour, location, or economic situation. As this practice is widely used by retailers to understand the consumer and deliver personalised experiences, they will need to ensure appropriate safeguards are in place when processing data for profiling purposes.

Preparing for GDPR enforcement

The first step retailers should take in preparing for the GDPR is performing a data audit to understand all the information that flows through the business, where it comes from, where it is stored, and what it is used for. They should determine which information is business-critical, professionally and securely deleting any redundant data to guard against unauthorised recovery.

The next step for retailers is to evaluate their internal systems and technology partners, potentially upgrading systems to ensure compliance with the privacy-by-design aspect of the GDPR. Because consumers have the right to access, amend, or delete their data, retailers should consider implementing a central data hub that bridges all internal systems and allows them to easily extract consumer information at any given time. This strategy has additional benefits, as it enables retailers to demonstrate ‘privacy by design’ without entirely replacing their systems, and also provides a single, unified view of the consumer, which can be used for targeted marketing and enhanced personalisation, without compromising privacy.     

Finally, retailers should review their data policies and processes, including implementing a watertight method for obtaining and maintaining explicit consumer consent. They should assign responsibility for data governance, appointing a Data Protection Officer if they carry out online behaviour tracking, and put in place a robust procedure for reporting data breaches. Once policies and processes are updated, they must be communicated internally, to customers, and to tech partners, to ensure a streamlined approach to data protection.

The imminent arrival of the GDPR will tighten the rules around data-driven personalisation; but rather than restricting the ability of retailers to tailor interactions to individual needs, it may well enhance it. By obliging retailers to review their data processes and encouraging them to adopt data-led solutions that unify data streams, it will enhance retailers’ understanding of the consumer and allow them to deliver ever-more individualised experiences.