Last year, “GDPR” was without any doubt one of the most hyped boardroom buzzwords, and a popular topic at conferences. This European-wide General Data Protection Regulation aims at harmonizing European data protection legislation and empowering EU-based individuals by enhancing their rights and the protection of their personal data. It was without any doubt the huge potential fines for infringement (up to 4% of an organization’s worldwide turnover) that put the GDPR on the C-suite’s agenda.

One year after its go-live it is time to look back and determine what this first GDPR year has meant for the retail sector. Did it disrupt well-established business models? Were there any fines and if so, were they as huge as many expected? Was the budget allocated to GDPR-compliance money well-spent? Or was it a lot of fuss about nothing?

Those who saw GDPR as a mere tick-the-box compliance exercise and just wanted to avoid a fine might be disappointed that huge GDPR fines have not been the standard front-page story in the last couple of months. This does not mean, however, that no fines have been issued. The European Data Protection Board recently reported total fines of nearly 56 million euro. To put things in perspective, however, it should be mentioned that the three most important fines (€50M in France, €400K in Brazil and €220K in Poland) account for most of that sum.

While the fines mentioned above were issued to a major technology company, a hospital and a data broker respectively and, thus, not to retail companies, there is no reason to believe that retail companies should consider themselves exempt from regulatory investigations or other actions. With a total of 144,376 queries and complaints submitted to European data protection authorities and with a total of 89,271 reported data breaches, it is indeed very unlikely that any sector can get away with non-compliance.

Investigation and enforcement procedures take time, so given these numbers there is more to come for sure. GDPR’s impact on the retail sector is highlighted by the fact that most of the complaints related to telemarketing, promotional emails, and video surveillance/CCTV. So while the sleepless nights were not as numerous as expected, we should still be keeping a close eye on this one-year-old.

Those who saw the GDPR as an opportunity to get their data-house in order and to enhance the quality of the personal data stored under their supervision are certainly reaping the benefits of last year’s GDPR efforts. With data increasingly becoming a liability, and with the move from Big Data strategies to Smart Data strategies, knowing where your data resides and what you can use them for is not only a GDPR requirement, but absolutely crucial for any data-driven business development initiative.

Additionally, GDPR efforts are being leveraged by many companies to prepare for compliance with recent and upcoming data-centric legislation in other jurisdictions. The California Consumer Privacy Act (“CCPA”) in the United States and the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or“LGPD”) in Brazil are just two of the most important examples.

Furthermore, organizations that embraced the GDPR as an opportunity have enhanced the quality – and thus value – of their data, used them for well-considered loyalty programs and built crucial bridges between their Legal, Compliance, Sales and Marketing departments.

After one year, GDPR’s impact on the retail sector demonstrates that a key strategy to success seems to be linking GDPR compliance efforts to business-specific customer-centric initiatives, creating a win-win with true business value on the one hand and regulatory expectations on the other hand.