Thales Blog

What Does The GDPR Mean For The Retail Industry?

August 29, 2017

Thales Thales | Cloud Protection & Licensing Solutions More About This Author >

As the May 2018 deadline for implementing the EU GDPR draws closer, retail data breaches remain unacceptably high.

In fact, according to our own research, as many as two in five retailers across the globe have experienced a data breach in the past year.

Given the sheer quantities of data that retailers possess, whether it is sensitive personal information, or details of consumer-purchasing habits; it is no surprise that the retail industry is a prime target for cyber criminals.

Though the forthcoming GDPR has led to greater awareness of the need to invest in data-centric protection, issues around data privacy and sovereignty remain at large.

As an industry that relies on data - perhaps more than any other - in order to continuously tap into consumer trends and tease out opportunities for growth, the heavy burden of the GDPR now looms large for retailers.

The industry’s challenge is a unique one. The ever-evolving digital age means that retailers cannot rely on simply understanding the general principles of the GDPR, they must now shoulder the responsibility of knowing where customers’ personal data resides across their organisations, as well as how it is managed and protected.

Knowing where your data is

The mark of a good retailer is good customer service. Retailers need to be able to access their data as quickly and efficiently as possible in the event that a customer requires it within a short timeframe.

However, the possession of customer data does not necessarily mean that it has landed first-hand in retailers’ laps.

Data can originate from a multitude of sources. Whether acquired via third-party vendors, mobile apps, or other relevant customer contract processes, retailers must break down the silos and make customer data as secure as possible.

Even customer images captured by in-store cameras are subject to the GDPR. Retailers must exercise vigilance.

The overriding challenge facing the industry will be instilling a set of processes and a structure that can help retailers to understand where data is being captured, and categorizing it to ensure that it can be disclosed to customers at any given moment.

Ready, set…go!

Our latest Data Threat Report – Retail Edition highlighted how the vast majority of retailers (88%) consider themselves to be ‘vulnerable’ to data threats, with 37 percent stating that they are ‘very’ or ‘extremely’ vulnerable.

A retailer found to be in violation of the GDPR faces the risks of reputational damage and customer attrition, in addition to any fines levied by the supervisory authority. Even if fines do not reach the millions of euros so widely publicized, the administrative burden of disclosing a breach to each affected data subject is the epitome of “death by a thousand cuts” and can irreversibly damage a retailer’s image in the public eye.

Conversely, retailers can use the GDPR as an opportunity to present themselves as stewards of personal data, thus highlighting just how seriously they are taking the issue. Consumers’ privacy is important, and businesses across the retail industry who show that they care will gain favour with their customers.

Given the complexities and rapidly approaching deadline, retailers need to understand the GDPR, and act on it – fast.