Is GDPR an opportunity or a threat to retailers?

May 30, 2018

Mike Capizzi, Director of Education and a Member of the Board of Regents at The Loyalty Academy

Through a special arrangement, presented here for discussion is a summary of a current article from The Wise Marketer, a website and newsletter serving the global loyalty industry.

A new study from IBM reveals that 59 percent of organizations surveyed are embracing the General Data Protection Regulation (GDPR) as an opportunity to improve privacy, security and data management.

Among other findings from the survey of 1,500 business leaders responsible for GDPR:

  • Eighty percent believe that proof of GDPR compliance will be a positive differentiator to the public;
  • Seventy-six percent said that GDPR will enable more trusted relationships with data subjects that will create new business opportunities.

Companies’ preparation for GDPR comes in the wake of increased scrutiny from consumers on businesses’ management of personal data. A separate poll of 10,000 consumers, conducted by the Harris Poll on behalf of IBM, found that only 20 percent of U.S. consumers completely trust organizations they interact with to maintain the privacy of their data.

Another key finding of the IBM study is that organizations are using GDPR as an opportunity to streamline their approach to data and reduce the overall amount of data they are managing. According to the new study:

  • Eighty percent say they are cutting down on the amount of personal data they keep;
  • Seventy-eight percent are reducing the number of people who have access to personal data;
  • Seventy percent are disposing of data that is no longer needed.

Despite this opportunity, only 36 percent believed they would be fully compliant with GDPR by last week’s (May 25) deadline. Challenges associated with GDPR implementation include locating all the personal data in disparate databases and systems, verifying the accuracy of the data collected and stored, complying with rules for how data is analyzed and shared, handling of cross-border data transfers and getting consent from data subjects, and meeting the requirement for companies to report data breaches to regulators within 72 hours.

IBM’s Cindy Compert, CTO for data security and privacy, said the arrival of GDPR amid the “huge distrust” from consumers has “created a perfect storm for companies to rethink their approach to data responsibility and begin to restore the trust needed in today’s data-driven economy.”

DISCUSSION QUESTIONS: Does GDPR represent a wake-up call for U.S. retailers and companies by putting a spotlight on personal data protections here? What should be the minimum steps U.S. retailers should take in response to heightened privacy concerns and anticipation of similar regulations that may be likely for this country?

Please practice The RetailWire Golden Rule when submitting your comments.
"For the time being, GDPR represents a great 'brand moment,' in that full compliance gives you an 'up' over your competitors."
"GDPR has made walled gardens higher, which NO MARKETER WANTS. Ultimately, this will lead to less relevant advertising to consumers..."
"How many consumers have the time to read a new data policy from every retailer?"

Join the Discussion!

16 Comments on "Is GDPR an opportunity or a threat to retailers?"

Sort by:   newest | oldest | most voted
Mark Ryski

I do believe that GDPR is an important step and U.S. companies should take this opportunity to reevaluate and enhance their current data management processes. I believe that data management will play a larger role in how consumers decide who they trust and so all businesses should think carefully about how they manage personal data today. At minimum, retailers should have clear data management policies, including what information is being collected and how it is being used and make any data collected on individuals available to them upon request. Transparency is key.

Lyle Bunn (Ph.D. Hon)

Privacy threats due to data breaches or business practices that exploit consumer information without their knowledge have eroded consumer trust. While at the same time, customers want the benefits that data application can enable through suitable retailer and brand management. General Data Protection Regulation (GDPR) offers enough of a framework to somewhat satisfy each, with the onus of acceptance placed on the consumer and the responsibility for data security being on the vendor. The use of data for consumer service holds the greatest of potential for mutually satisfying commercial relationships.

Art Suriano

GDPR might be the solution to solving the many problems that have developed over the years with protecting consumer data. It seems like almost every day, we read about another retailer who had their system hacked and consumer information stolen and, as a result, more and more customers are getting concerned. GDPR is an improvement and all retailers need to take notice. The problem with too many retailers is that they choose not to spend the money. Yes, they want the consumer information so they can target customers which helps sales, but when it comes time to invest in protecting that information, they choose to put their money elsewhere. Long-term that will only hurt their business as they get hit with bad press, unhappy customers and lawsuits.

Lyle Bunn (Ph.D. Hon)

Great point Art.. every publicized breach of data security erodes consumer confidence in areas like providing information, including for credit card transactions and loyalty programs. When commerce must have an element of trust, breaches deter the potential for relationship-based retail.

Neil Saunders
For European retailers, GDPR has diminished mailing and customer lists. However, the residual names are all ones that have specifically affirmed they wish to engage with the brand. As such, while the quantity of marketing interactions may go down, the quality should go up! This gives retailers an opportunity to more carefully analyze marketing effectiveness. That said, I think GDPR is an overly complex piece of regulation which is typical of the EU It is unclear in parts, places undue burdens on business in others, and solves some problems that never really existed. Ultimately, it may encourage more consideration of data security; but I don’t see it as bringing an end to breaches or security problems. As to how it affects U.S. retailers and businesses, this depends on the situation. Companies with some presence in the EU will have to abide by the law. However, companies with no nexus in the EU, who are merely online and used by EU citizens have more leeway. The EU has asserted in the legislation that it applies to… Read more »
Lee Peterson

For the time being, GDPR represents a great “brand moment,” in that full compliance gives you an “up” over your competitors. Somehow it reminds me of the organic food movement where, at first, if you had organics you could blow your horn all day about how your selection was the best and everyone else was a laggard. Sooner or later many caught up, but it was a boon for people like Whole Foods for quite a while.

The expression that today, “a good brand has to be a GOOD brand” also comes to mind, i.e. doing the right thing. And GDPR is definitely the right thing.

David Weinand

First off, in the current administration, I highly doubt regulations similar to GDPR will be put into place. We’re in a highly deregulatory environment vs. a regulatory one.

Second, we as an industry have been professing for years the value of leveraging customer data to get smarter about business and we’ve seen companies like Alibaba gain huge competitive advantage by mining customer data. Retailers clearly have to walk a fine line here as there is a huge balancing act between leveraging data to provide a more personalized experience and maintaining the trust of the shopper by keeping the data secure.

As the study showed, certain types of data are being culled more often, which is good. The GDPR regulations are a good roadmap for even domestic retailers to review and utilize to put the right measures in place.

Kevin Simonson

Great post, thanks.

GDPR is a significant wakeup call.

Medium to long term, there’s a risk for retailers who sell on Facebook, Google, and other advertising platforms whose regulations and consumer preferences will limit what they can track and use for advertising purposes.

Digital advertising will still be incredibly powerful under these GDPR regulations, but ultimately it will weed out bad actors who don’t believe in transparency. It will raise the tide for all ships involved.

Ralph Jacobson

This study shows that GDPR is a good bar that is now set for the world to embrace. Whether many consumers see what this means for their privacy is yet to be determined, however, these regulations definitely present great opportunity for brands to secure data like never before.

Cynthia Holcomb

Customer data. What U.S. retailers will invest in a comprehensive strategy? How many consumers have the time to read a new data policy from every retailer? The best data policy is a paragraph even a 5th grader can understand. More than a paragraph and it is a “slice and dice” game leveraging legal jargon as a word cloud, protecting the retailer rather than the consumer.

Christopher Jordan

Absolutely, though what interests me most (and I see this is a massive opportunity) is how this will impact the general approach retailers take to data.

Having to be very explicit to consumers on how their data will be used should be a forcing factor causing retailers to look inward on how they’re using data.

It’s an common trap for retailers to amass terabytes of data, thousands of metrics/segments/etc. and to declare themselves “data-driven” without actually having a concrete plan for how this data will create practical outcomes to move the business forward. Meeting the requirements of GDPR naturally forces organizations to catalog the “what?” and moreover, evaluate the “why?” with respect to data-driven programs.

Joel Rubinson

In terms of media, IMHO, GDPR is a disaster. It is generating billions of dollars of unproductive legal fees, has already led to frivolous lawsuits in the billions, has cut programmatic activity substantially, and perhaps worst, has led to changes in business practices that harm marketers’ ability to optimize their media spending. In particular, it has led Google to no longer share Doubleclick IDs, the cornerstone of multi-touch attribution modeling. There is currently a battle between Google and all of its publishers who think Google is putting on a power play. Google is setting up a clean room inside its ad hub, but it is not yet understood. GDPR has made walled gardens higher, which NO MARKETER WANTS. Ultimately, this will lead to less relevant advertising to consumers which will lead them to like advertising less, not more. The latest legal opinions I have heard is that no one knows what GDPR compliance really is and so businesses will take ultra-conservative stances in the face of uncertainty.

James Tenser

“Walled gardens” indeed. It’s high time for digital marketers to admit that their customer databases are very costly assets to maintain and nearly impossible to protect. As consumers, how comfortable can we possibly be knowing that numerous duplicate instances of our personal data are stashed inside dozens of data warehouses — every one a tempting target for relentless digital thieves? GDPR, while noble in intent, is little more than a finger in the dike.

I’m looking ahead to the day when merchants get out of the business of accumulating and storing customer data. Instead, shoppers will own their personal data profiles individually, secured via the blockchain, and expose them temporarily to merchants on a per-transaction basis. This is not a pipe dream — there are multiple tech startups working on solutions now.

Try to imagine a future reality where personal data profiles prevail and, customer databases could well be outlawed!

Min-Jee Hwang

I definitely see GDPR as a wake up call for retailers, but it certainly is not a welcome change across the board. Consumers are trusting them with their sensitive data and having regulations in place gives retailers a framework in which to maintain that trust. I agree with those here who have discussed the need for transparency. Consumers don’t want their contact and other information going into a black hole. Knowing how retailers will use it and giving consent will strengthen relationships between the two sides.

Craig Sundstrom

I think enhanced security, or more precisely the perception of such, could be a competitive advantage for a business, albeit a small one, but it would have to be readily understood (which is no small hurdle to clear). Alternately, tech illiteracy could be used to advantage to create that perception, even if the reality is different.

I don’t think most companies in the US (whose business is concentrated here) need to worry about future developments, since it seems axiomatic that no regulation would be enacted if no one would be compliant with it, but eventually standards will be tightened and it could be a problem for laggards. Companies that struggle just to stay in business will have one more problem to deal with … which may prove one too many for some.

Shep Hyken

Regardless of GDPR and any other regulations protecting data, retailers should be proactive and be in compliance before they are forced to do so. We all know the right way to use data, and what is considered abuse. So don’t wait to take the high road. Treat data with respect. Don’t abuse the privilege of the data the customer has provided — or that has been acquired from another source. Do the right thing in advance and you have nothing to worry about when new laws and regulations are made.

"For the time being, GDPR represents a great 'brand moment,' in that full compliance gives you an 'up' over your competitors."
"GDPR has made walled gardens higher, which NO MARKETER WANTS. Ultimately, this will lead to less relevant advertising to consumers..."
"How many consumers have the time to read a new data policy from every retailer?"

Take Our Instant Poll

What’s the likelihood that similar regulations to GDPR will be instituted in the U.S. in the future?

View Results

Loading ... Loading ...