Preparing for GDPR in the Retail Sector Whose job is it anyway and what’s the business case for investment in time for May 2018?
The General Data Protection Regulation, known as GDPR, is coming. The wheels are in motion and it’s a misconception that Brexit has put the brakes on. This long-awaited refresh of data protection legislation brings significant new challenges for the retail sector. The right to be forgotten, scrubbing systems of personal data, and the reporting of data security breaches to the Information Commissioners Office (ICO) within 72 hours are significant areas of focus, with hefty fines of non-compliance. Customers need to be given the confidence that new rules have been applied correctly, comprehensively and quickly, which means new policies and processes to ensure compliance and customer satisfaction.
Simply put, for retailers wanting to achieve GDPR compliance by May 2018, hard work is ahead. But, there is also much benefit. Retailers are at a fork in the road. There are two paths, doing ‘just enough’ to be compliant or embracing a new data led approach and creating significant business value.
From the outset retailers should set up a robust governance model. This should include ownership at board level right from the beginning with very clear accountability. The scope and reach of GDPR covers every piece of personal data held by an organisation, much of which sits outside core IT systems. It follows that much of the work required falls outside of the traditional IT environment and remit. Retail organisations should engage all their business functions, identify and include shadow and maverick data pockets, and scope-in the complex eco-system of contracts, suppliers and partners outside of the organisation. Policies should be in place to handle data requests. The challenge of GDPR shouldn’t just be dumped on the CIO’s doorstep – it needs early engagement and broad leadership across the c-suite.
Alongside the governance model there is a searching discovery phase. It’s time for retailers to find out, ‘Where are we at the moment? Where are the gaps? What are the risks?’ Many retailers who have been around for 20+ years will have numerous legacy systems – some won’t easily cater for the new standards and difficult, expensive changes will need to be made. Over several decades, systems may have been designed around product and stock and perhaps not around the customer. This may make it harder to identify and implement some of the requirements. It’s likely there is a great deal of personal data held in an unstructured way. It could be held in a variety of sources such as – back-ups, test data, archives. They’ll be a need for the capability to have it removed on request and new tools and features may be needed for this.
Evaluate the Risks and Create a Practical Plan of Action
Once the scope and scale of the challenge is understood, it’s time for a strategic board-level dialogue about how to approach this. Considering factors such as the costs involved, impact on other initiatives and the benefits that can be achieved if a more data led approach is considered. This will likely start as a risk-based conversation, followed by reviewing the tasks and considering the risks around damage to reputation and brand, plus the significant financial impacts of non-compliance. Along with understanding the full impacts from a corporate viewpoint, not just the technology. The board should then agree what to do first, and what to prioritise. A key deliverable is the creation of a detailed, realistic plan with expected costs and timescales.
Organisations will need to agree on a policy around data retention, including ownership for all data that is held throughout the business. Adopting the spirit of GDPR in the design of new systems will lead to more manageable, cleaner data. Retailers will move to less, more relevant data and better tools to help inform business decisions.
Don’t underestimate the cultural change and education elements to GDPR. Make no mistake it isn’t just about acquiring new technology. What’s required is significant policy, process and cultural change. Fundamentally retail is a people intensive sector, involving many colleagues and thousands of customers. Responsibilities around the handling of sensitive data should be reviewed and best practice reinforced through an education program.
Ultimately the business case for this is twofold; minimize the financial and reputational risks of non-compliance whilst also maximizing the upsides through creating an environment that can leverage its well-managed data to drive revenue growth and create long term competitive advantage.
Given it’s 2017 your GDPR plan needs to look at what to do first and what has most benefit. If you don’t have one, this should be done quickly. Find creative ways of closing those gaps robustly and speedily. Of course, as part of this retailers will need to consider the technology and tools that will help accelerate their GDPR compliance. Data discovery and data management tools, and tools to help clean and delete data. Think about what tools you’ll want and that can serve a dual purpose, that help you now, and you can use on an ongoing basis. This is an opportunity to cleanse and reduce the data you hold. Consider your existing toolset, some, more customer centric retailers will have some capability that helps achieve GDPR aims already. Managed data will be usable and help you make more informed business decisions. Unmanaged will at best be a millstone.
Missing the deadline increases the risk to the business. It may mean the costs build up and hit over a very short period of time as you rush to complete the program. So, working backwards, May 2018 compliance, means having systems ready for testing before that.
Ideally, you’ve started already, but many haven’t. If you haven’t, start with urgency but don’t panic. Risk mitigation and a pragmatic approach based on prioritising tasks is the way forward, decide where changes will make the biggest contribution to compliance. Get that understanding, develop your plan and engage the board.
Realise the True Value of Your Data
The upside of all this work creates some very positive outcomes for the future. By embracing the principles of data protection in the design of new solutions you’ll create cleaner data, better analysis tools and make better business decisions. By adopting these effective information management practices, retail organisations can not only comply with GDPR but recognise the true value of their organisation’s information. Yes, it’s a daunting costly exercise in the short term and if you don’t do it you risk financial and brand damage. But long term you’ll make better decisions, have more informed and professional staff and create competitive advantage from being a data-led organisation.