November is one of the busiest months for ecommerce traffic. It starts with China's Singles Day (11 November, often written 11.11 or Double 11), which began as a student holiday in 1993 and has been the biggest retail event worldwide since Alibaba turned it into a shopping festival in 2009. November also brings Thanksgiving and Black Friday, followed swiftly by Cyber Monday, with retailers amplifying their marketing online and in stores. More personal data is collected and processed in these weeks than at any other time of year, and the risk of data privacy incidents rises with it.

While the peak period is November, data protection officers (DPOs) will be particularly busy throughout the last quarter of the year making sure that governance structures and privacy operations are aligned with the relevant regulations, both to reduce the likelihood of incidents and to limit potential fines should one occur.

Apply the lessons of past data breaches and prepare for the worst

Attackers have targeted shoppers during this busy month before: fake discount offers pushed through social media platforms, spam emails carrying malicious attachments disguised as holiday e-cards, and e-skimming (Magecart-style) attacks, in which malicious JavaScript is injected into an online store's checkout page to capture card and personal details as the customer types them.
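E-skimming works because a checkout page quietly loads a script it was never meant to load. The following is an added example, not code from the original article or from HewardMills: a small Node.js audit that lists every script a checkout page loads and flags the three things a skimmer usually needs, an inline script, a script fetched from an origin outside an allowlist, or an allowlisted script with no Subresource Integrity (SRI) hash that a compromised CDN could swap out. The page HTML, the allowlist and the origins shop.example and cdn.shop.example are constructed sample inputs; in practice you would fetch the live checkout page and keep the allowlist in version control.

```javascript
// Added example, not code from the original article or from HewardMills.
// A first pass at spotting e-skimming: audit every <script> a checkout page
// loads, then flag inline scripts, scripts from origins outside an allowlist,
// and allowlisted scripts that carry no Subresource Integrity (SRI) hash.
// The HTML and the allowlist below are constructed sample inputs.

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Origins the checkout page is permitted to load scripts from (assumed allowlist).
const ALLOWED_ORIGINS = ['https://shop.example', 'https://cdn.shop.example'];

// Constructed checkout page: one clean script, one first-party script without
// SRI, one script from an unknown host, and one injected inline script.
// The integrity value is a placeholder, not a real hash.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-PLACEHOLDERHASHVALUE" crossorigin="anonymous"></script>
<script src="/assets/analytics.js"></script>
<script src="https://static.not-our-cdn.example/loader.js"></script>
<script>
  document.getElementById('pay').addEventListener('submit', hookCardFields);
</script>
</head><body><form id="pay"></form></body></html>`;

// Turn the raw attribute text of a tag into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns a list of findings in page order; an empty list means every script
// is an allowlisted external file pinned with an SRI hash.
function auditCheckoutScripts(html, allowedOrigins, pageOrigin = 'https://shop.example') {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    const body = m[2].trim();
    if (!attrs.src) {
      // Inline code cannot be pinned with SRI; injected skimmers are often inline.
      if (body.length > 0) findings.push({ kind: 'inline-script', detail: body.slice(0, 80) });
      continue;
    }
    let origin = null;
    try {
      // Relative and protocol-relative src values resolve against the page origin.
      origin = new URL(attrs.src, pageOrigin).origin;
    } catch (e) {
      origin = null;
    }
    if (origin === null || !allowedOrigins.includes(origin)) {
      findings.push({ kind: 'unexpected-origin', detail: attrs.src });
      continue;
    }
    if (!attrs.integrity) {
      // Allowed host, but without SRI a compromised CDN can still swap the file silently.
      findings.push({ kind: 'missing-sri', detail: attrs.src });
    }
  }
  return findings;
}

for (const f of auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, ALLOWED_ORIGINS)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

Run against the sample page this reports the first-party analytics script as missing SRI, the loader from the unknown host as an unexpected origin, and the injected submit handler as an inline script; the pinned checkout.js passes. It is a static check of the served HTML, so it cannot see scripts that an allowed script adds at runtime; serving the same allowlist as a Content-Security-Policy script-src directive makes the browser enforce it on every load, and the audit then doubles as a test that the policy still matches what the page ships.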

To reduce the likelihood and impact of these incidents, retailers adopt security controls such as multi-factor authentication against account takeover, encryption of personal data in transit and at rest, and hardened network perimeters. Working closely with the security team, data protection officers additionally conduct data protection impact assessments (DPIAs) for new campaigns, technologies or processes involving personal data, and maintain an incident response plan so that teams are ready to act swiftly in the event of a breach, including within the 72-hour window the GDPR allows for notifying the regulator.

Regular data protection audits also help identify weaknesses in data handling and confirm that systems and processes comply with the relevant data protection regulations. Data protection officers are then crucial to keeping governance policies up to date, closing compliance gaps and supporting the areas most exposed to a breach. Table-top exercises involving the different functions of the business improve everyone's ability to recognise attacks from outside, reducing the incidents triggered by human error.

Know the regulations in the market you operate in 

For data protection professionals in retailers operating in multiple markets, reviewing the differing data protection laws begins well ahead of the busy shopping period. If the business has employees or customers in Europe, the data protection team will work closely with the marketing and IT teams to put processes in place that comply with the EU GDPR, bearing in mind that some regulators are stricter than others in enforcing individuals' rights (such as access, erasure and data portability) and in requiring strong safeguards for international data transfers.

China's Personal Information Protection Law (PIPL) grants similar rights but imposes stricter cross-border transfer rules: depending on the volume and sensitivity of the data, a transfer may require a security assessment by the Cyberspace Administration of China, a certification, or a standard contract with the overseas recipient filed with the regulator. Meanwhile, US state laws such as the California Consumer Privacy Act (CCPA) emphasise transparency, allowing California residents to opt out of the sale of their personal data and to have their information deleted, though the CCPA has no explicit rules on international transfers.

Review, refine and continuously improve 

After the peak period, retailers should thoroughly review their data storage and transfer practices to confirm compliance with regulations and reduce security risk. Key actions include retaining only the data that is still needed (the GDPR's data minimisation and storage limitation principles), checking that every cross-border transfer has a valid legal basis (Standard Contractual Clauses where needed), encrypting stored data, and restricting access to the staff who genuinely need it.

Would your business benefit from expert support on global data protection laws relating to retail? HewardMills' experienced team can support the review of existing policies and procedures to ensure that the processing and control of personal data is carried out in line with the laws of each region.

 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.