Retail organisations have often considered themselves to be unregulated, unlike financial services or healthcare providers. This is, however, untrue. They process substantial amounts of personal data, exploring personalisation techniques to support business activities. This requires them to comply with data protection regulations. Here are 10 tips to identify and address compliance requirements.

1. Know where you are
Most retail organisations say that a big part of their sales comes from online activity. Often, online sales entail cross-border deliveries, which may trigger the applicability of local data protection laws. To navigate these, it is critical to understand where you “are” in every sense of the term—for example, do you have your products listed in Euros or US Dollars, and therefore would there be an assumption that you are targeting individuals in those jurisdictions?

2. Understand who your customers are and what they value
What is the value your customers place on their privacy, their personal data? It may be an issue that is far from their minds or something that is starting to determine their consumer choices. Whatever the case, make sure you meet your customers’ expectations in relation to how you use their personal data.

3. Consider personal data within your strategy
If your organisation’s strategy is to focus on digital expansion, you need to prioritise e-privacy and how to comply with direct marketing and cookie rules, probably along with surveillance of delivery drivers and warehouses. If, on the other hand, you are focused on international expansion, increase your international privacy expertise.

4. Personalising? Make it personal
If you are increasing your personalisation activity, ensure that you can give options to your customers—do they want personalised experiences or not? Allow for that option and make personalisation personal.

5. Think creatively
There are more privacy and security rules beyond the GDPR. For example, if you are starting to operate an online marketplace in the EU, you must consider how your target jurisdictions have implemented the NIS Directive.

6. Train your first line staff
Customers are more likely to call customer services or go to the store if they have a complaint about you. Ensure your customer services team can recognise a personal data or security concern when it arrives and can direct it accordingly.

7. Think about all your processes
Delivery drivers, warehouse staff, cleaners, till operators, customer services: everyone in your organisation is likely to somehow handle personal data. Consider their processes and how to ensure that they are compliant.

8. Engage with industry groups
Groups such as the British Retail Consortium are reliable sources of information and support when dealing with data protection. Reach out to them and take part in their events.

9. Democratise personal data but also compliance
If you are democratising access to personal data, ensure that you also democratise compliance. This means, amongst other things, role-based access, limited visibility only in response to justified requests, copying and downloading restrictions and relevant training given to the right teams.
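The controls listed above (role-based access, visibility only against a justified request, restrictions on copying or exporting, and a record of who looked at what) can be expressed as a small policy check in front of any customer-data lookup. The following is an added illustration, not code from HewardMills or from any retail platform; the roles, permissions, field lists and the sample order record are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Which actions each role may perform (constructed roles for this example).
ROLE_PERMISSIONS = {
    "till_operator": {"view_order"},
    "customer_services": {"view_order", "view_customer"},
    "dpo": {"view_order", "view_customer", "export_customer"},
}

# Fields each action may reveal; any field not listed is withheld from the caller.
VISIBLE_FIELDS = {
    "view_order": {"order_id", "status", "postcode"},
    "view_customer": {"order_id", "status", "postcode", "name", "email"},
    "export_customer": {"order_id", "status", "postcode", "name", "email"},
}

# Actions that reveal or copy identifying data need a written justification.
JUSTIFICATION_REQUIRED = {"view_customer", "export_customer"}
MIN_JUSTIFICATION_CHARS = 10

# Constructed sample record; not real customer data.
SAMPLE_RECORD = {
    "order_id": "ORD-1001",
    "status": "dispatched",
    "postcode": "SW1A 1AA",
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "card_last4": "4242",  # never in any VISIBLE_FIELDS set, so never returned
}

# In-memory audit trail of every decision, granted or denied.
AUDIT_LOG: list[dict] = []


class AccessDenied(Exception):
    """Raised when a request fails a policy check."""


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    action: str
    record_id: str
    justification: str = ""


def _audit(req: AccessRequest, outcome: str, reason: str) -> None:
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "role": req.role, "action": req.action,
        "record": req.record_id, "outcome": outcome, "reason": reason,
    })


def authorise(req: AccessRequest, record: dict) -> dict:
    """Apply the policy and return only the fields the caller may see."""
    permitted = ROLE_PERMISSIONS.get(req.role, set())
    if req.action not in permitted:
        _audit(req, "denied", "role lacks permission")
        raise AccessDenied(f"{req.role} may not {req.action}")
    if (req.action in JUSTIFICATION_REQUIRED
            and len(req.justification.strip()) < MIN_JUSTIFICATION_CHARS):
        _audit(req, "denied", "missing or insufficient justification")
        raise AccessDenied("a justification is required for this action")
    _audit(req, "granted", req.justification or "n/a")
    allowed = VISIBLE_FIELDS[req.action]
    return {k: v for k, v in record.items() if k in allowed}


def is_allowed(req: AccessRequest, record: dict) -> bool:
    """Convenience wrapper: True if the policy grants the request."""
    try:
        authorise(req, record)
        return True
    except AccessDenied:
        return False


def denied_count() -> int:
    return sum(1 for entry in AUDIT_LOG if entry["outcome"] == "denied")


if __name__ == "__main__":
    agent = AccessRequest("alice", "customer_services", "view_customer",
                          "ORD-1001", "Customer phoned about a missing parcel")
    print(authorise(agent, SAMPLE_RECORD))
    till = AccessRequest("bob", "till_operator", "view_customer", "ORD-1001",
                         "Customer at the till asked for their details")
    print("till operator may view customer:", is_allowed(till, SAMPLE_RECORD))
    for entry in AUDIT_LOG:
        print(entry)
```

The point the code makes is that "democratising compliance" is a property of the lookup path, not of training alone: the same function that serves the data enforces the role, demands the justification, strips fields outside the caller's need, and writes the audit entry, so a till operator, a customer services agent and the DPO all go through one gate and the record of their access exists whether or not anyone remembers to write it down.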

10. Recognise the layers
Most retail organisations have grown organically, which means that there are many legacy systems that will need to be reviewed and either decommissioned or fixed. Address this realistically and with courage: it is a costly and often contentious initiative, but one that will save you significant resources and customer goodwill in the long run.

Please contact us at HewardMills if you want to discuss any of the points in this article, or to find out more about our services.