GDPR and US Retail
In 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which updates and consolidates the data protection laws of the separate EU Member States. The GDPR will go into effect in May 2018, and practices under the new Privacy Shield are just beginning to develop. For the retail industry, the GDPR represents a new set of restrictions in the management of consumer data which is increasingly being used to create more personalized shopping experiences and wrapping customized services offerings around consumer purchases.
Simply put, we have nothing even close to this in the US. In spite of our numerous data breaches, most American retailers still take limited steps to protect customer data that is not associated with a payment. Compliance with GDPR would represent an expensive and time-consuming change in the management and protection of customer data, as well as a dramatic uptick in the security requirements of systems that process such data.
So why did the Europeans create such an overarching set of regulations? The answer lies in the recent history of the EU itself. Totalitarian Communist regimes ruled a large number of EU states up until about 25 years ago. Just 75 years ago, nearly the entire European continent was under Fascist rule. Unlike the US, where we have been blessed with a stable and democratic republic for nearly 250 years, the Europeans have fairly recent experience with governments and large organizations exploiting their privacy to preserve power and persecute certain citizens. Just imagine, for example, what the Nazi regime would do with access to Facebook or what the Soviets would do with GPS records from your cell phone. In short, European citizens have good reasons be concerned and this is why the EU embarked on such an ambitious data privacy undertaking.
Key features of the GDPR (and this is by no means an exhaustive list) include a broadening of the definition of sensitive data, significant restrictions on the management of such data from any organization that possesses it, and dramatic expansion of the rights of EU citizens with respect to management of their personal data. The following provides a very high-level summary:
• The definition of Personal Data, which is subject to GDPR protection, has been broadened substantially to explicitly call out “identifiers” such as device IDs from devices such as smartphones, IP addresses, cookies, RFID tags, location data and genetic data and “Sensitive personal data” has also been widened to include genetic data or biometric data.
• The GDPR applies to any organization that is essentially doing anything with Personal Data including storing, processing or transmitting it in any format. Such organizations (which is just about everyone) have an obligation to have a “lawful” and “legitimate” purpose to collect personal data, notify individuals that their data is being processed, minimize the amount of data they retain based on documented business need, take “appropriate measures” to protect Personal Data, and notify government authorities and individuals in the event of a breach. Finally, organizations must structure their data in a manner that allows them to comply with the GDPR as typical data architectures may not provide the agility required for data management.
• EU citizens will have many of their rights related to the third-party management of their data significantly broadened. These include the right to transparency meaning that any organization processing their personal data must disclose how this data is being used. Additionally, they have the right to receive their Personal Data from processors in a machine-readable format such that the data is portable between processors. In other words, consumers can easily move their data to another processor if, for any reason, they don’t like the way the current processor is handling it. Finally, the GDPR gives consumers the Right to be Forgotten or to opt out entirely and have all their data (regardless of where it is stored) securely deleted at the consumers’ request.
The GDPR are backed up by substantial fines that can be levied by government authorities and can amount to 4% of global sales or €20,000,000, whichever is higher.
One can imagine the impact such a law would have on retailers in today’s environment. Integrated POS and CRM systems collect enormous amounts of data that would be considered “Personal” under the GDPR including customer contact information, consumer credit data and payment card numbers, or tokens. The problem for retailers is that this data is often highly distributed amongst legacy, store-based systems that were never designed with the GDPR in mind. Imagine, for instance, having to restructure individual POS databases to comply with the GDPR across hundreds of retail locations while ensuring that store can conduct business at all times.
We at Reliant believe that systems automation will be the key to GDPR compliance since data will require significant and frequent management. Retail systems will need to be managed to strict policies under a templated approach and retailers will need to build complex orchestration frameworks to flexibly manage those systems. Additionally, much higher levels of security controls on par with those required for PCI DSS compliance will be needed. These controls will need to be demonstrably effective and flexibly deployed when and where they are needed.
The GDPR applies only to EU citizens though It is worth noting that foreign organizations engaged in processing Personal Data of EU citizens must still comply. In the current climate of business deregulation, such a sweeping change is difficult to imagine. While there is no comprehensive US Federal law addressing data privacy, State legislatures have passed increasingly restrictive data privacy laws over the past 20 years. For example, Massachusetts enacted Standards for the Protection of Personal Information in 2010 which is considered to be the most comprehensive state privacy law, while California, the first US state to address data privacy, continues to pass increasingly restrictive legislation.
The jury is out as to whether the US will someday enact anything comparable to GDPR, but we recommend that US retailers, particularly those taking an aggressive approach in their collection and use consumer data to optimize marketing and enhance the buying experience, start architecting more secure retail systems that allow for flexible and secure data management.
What do you think?