It’s obvious that retail e-sales raise issues around personal data collection and processing: Compiling customer lists and preferences, tracking and profiling site visitors and app users, generating revenue from static and mobile ad servers, targeting offers to customers on the right devices at the right time, accurate online order fulfillment and useful after-sales service all depend on personal data processing.

But brick-and-mortar retailers are also capturing and processing more personal data, such as data from customers, employees, landlords, security systems and multiple service providers, even the neighborhood seamstress. And as these traditional retailers create their own virtual sales networks, the opportunities to capitalize on both in-store and online customer data multiply in tandem with the risks associated with hacking and data loss.

The price of getting data protection wrong is high. Retailers may pay dearly if they misuse customer lists, lose employee data, or are “named and shamed” by a regulator for having failed to meet basic data protection requirements. Moreover, Asian and South American countries are adopting European-inspired data protection laws while the EU moves to strengthen its own laws with reforms that will introduce significant new fines for companies that fail to comply.

Retailers’ first step toward compliance should be taking stock of data protection and privacy practices in stores, warehouses, security stations, back offices and the data centers where personal data is continuously processed. Retailers should examine their data handling at every point from collection to processing, replication, storage, transfer and eventual destruction, as well as their obligations under applicable regulations, laws and contracts, with a view to devising compliance solutions that are tailored to the operational realities of the industry, the retailer’s specific needs, and the risks associated with regulatory enforcement.