The EU General Data Protection Regulation (GDPR) is set to increase the rights of consumers over how their personal data is used by retailers. Businesses will face a variety of consequences from 25 May 2018 for GDPR non-compliance, not least the harsh criticism of customers who are increasingly sensitive about how their personal data is handled. Potential fines of up to four percent of turnover or €20m are also in the offing.

Take a look at the major customer-facing provisions of GDPR and it quickly becomes clear that customers will be the first to know if a business is failing to comply. If customer complaints are the early warning signals, that represents a direct threat to customer relationships even if other consequences are avoided. JD Wetherspoons were so nervous that they deleted their entire customer email database in 2017.

GDPR for consumer choice

GDPR represents a significant step forward for consumer rights relative to the Data Protection Act that preceded it. Although it has been perceived in some quarters as an increase in red tape for businesses, its main aim is to improve transparency and fairness for individuals.

Consumers are increasingly savvy and sensitive about their personal data, which is perhaps not surprising given frequent headlines about data breaches and occasionally poor responses from the companies involved. A recent survey by retail consultants SAS found that around thirty percent of consumers intend to use GDPR to have their data removed by retailers and a similar percentage will opt to prevent use of their data for marketing.

Focusing GDPR on the customer

Customer data is the lifeblood of the modern retail industry, from customer identity to payment details, online accounts and loyalty cards. All of these stores of information are affected by the new legislation, and the following issues are of particular note to retailers:

  • Any data that can identify an individual will be considered personal data, including genetic, social, mental, economic or cultural information.
  • The type of information being collected must be clear and the use to which it will be put must be communicated in simple, transparent language.
  • Affirmative consent must be given to the different types of use, including automated uses; silence, inactivity and pre-ticked boxes will not comply.
  • Businesses must remove personal information from databases when consumers ask them to; the ‘right to be forgotten’ means purging their data from every part of the system.

Putting GDPR first

GDPR puts consumers in the front line of data protection. In order to put the customer first, retailers must put GDPR compliance at the forefront of their strategy. Building trust in a brand goes to the heart of retail, and proper management of personal data is critical to avoid damaging relationships with customers and tarnishing the brand more widely. Time is ticking on, but it is not too late to achieve compliance, even for businesses where the Wetherspoons option is not viable.