Skip to content

The perils of GDPR non-compliance for retailers

Join our mailing list

Signifyd regularly publishes free reports packed with business insights, commerce trends and data from our massive Commerce Network. We’ll only email when we have something meaningful to share, no more than once per week. And of course you can unsubscribe any time.

As the sweeping data regulation known as GDPR continues into its second month, it’s becoming apparent that retailers’ readiness for the transformation in how they handle customers’ data varies widely, depending on the size of the organization and on which side of the Atlantic the enterprise’s headquarter lies.

Large merchants, both in Europe and beyond, appear to have a handle on their new responsibilities. That is not to say, according to some experts, that they have the practices in place to fully comply with new customer data rules.

dunnhumby, a British customer data science platform for business, surveyed grocery retailers globally and beyond and concluded that the focus so far has been on achieving compliance. Bigger picture issues, such as serving customers in the new environment and finding ways to build deeper relationships with customers based on transparency have been a lower priority.

“Compliance is the big, short-term thing, without a doubt, and the bigger picture has been neglected,” one European retailer told dunnhumby researchers.

“Our legal team, aided by consultants, are creating use cases and auditing us against new requirements. However, there is still nervousness around the impact,” said another. The retailers were not named in dunnhumby’s report.

GDPR calls for fines of €20 million or more

The reason for nervousness stems from both the complexity of the regulation and the fines faced by those those who do not comply with the customer data regulations. GDPR, which stands for General Data Protection Regulation, calls for a fine of up to €20 million (about $24 million) or 4 percent of worldwide revenue, whichever is more. That’s obviously a big hit for a multinational corporation and a death sentence for a smaller business.

Who's Handling Your Customers' Data

Who's Handling Your Customers' Data

Sure, you’ve done everything you need to, to protect your customers’ data. You’re PCI, SOC2, Data Shield and GDPR compliant. But what about your vendors? Are they certified? Have you asked? Learn more in “Retail’s Data Breach Risk.”

The 261-page regulation, years in the making, is, as you might imagine, complicated. The short version: GDPR says that consumers must be in control of their personal information, meaning they can ask to have it deleted. It means that companies need to quickly inform authorities and affected parties of any data breach. It requires most companies to name a data protection officer.

Those are the highlights. But there are other significant provisions that aren’t talked about as much. For one thing, the rules apply not only to European-based retailers, but to any retailer that does business with European Union residents. And the rules apply not only to the retailer, but to any partners or vendors the retailer works with. If they are not GDPR compliant, than neither is the retailer, leaving the merchant open to hefty fines.

If your vendors aren’t GDPR compliant then neither are you

Bernard Marr, a British author and business consultant, who studies business-related data practices and who has written about GDPR, told me by email that he’s fairly confident that large, multinational retailers in the United States have a clear understanding of their responsibilities under GDPR.

“However, my sense is that smaller retailers might not fully understand the GDPR implications and many are insufficiently prepared,” he said.

The same variation in understanding likely exists when it comes to the requirement that any vendors handling data — for marketing purposes or for screening orders for potential fraud etc. — must also be GDPR compliant, he said. Marr said in Europe, its fairly well understood “that retailers must ensure any data that is passed on to suppliers has to be handled in a GDPR-compliant manner” in order to avoid violations and fines.

But again, that understanding might be shakier outside of Europe, where it’s possible retailers haven’t asked every entity in their data supply chains whether they are GDPR compliant. Retailers based outside the EU will regret ignoring GDPR, Christy Wyatt, CEO of Dtex Systems, said recently on NBC Bay Area’s Press Here program.

“I think it would be a mistake for a U.S. business to look at GDPR and think it doesn’t apply to them,” said Wyatt, whose San Jose, Calif.-based company works to prevent internal data-related attacks. “In fact, I think they should see it as an early warning. You’re going to see more (regulation) and you’re going to see it get tougher.”

And while retailers are still settling into the new reality of GDPR, consumers and consumer watchdogs are availing themselves of its provisions. On May 25, Day 1 of GDPR, complaints with fines potentially totaling $9.3 billion were filed against Facebook and Google. Meantime, in the first two weeks of the regulation’s existence, the agency that oversees enforcement received 1,300 complaints, according to the Irish Examiner.

Even with all that activity, Marr says he doesn’t know of any business that has actually been fined, yet.

“But this could change very quickly,” he said. “I am sure the regulators are looking into cases and if they want GDPR to be taken seriously, they must demonstrate that they are willing to enforce it with fines.”

In other words, in the life of GDPR, it’s still early.

Photo by iStock

Contact Mike Cassidy at [email protected]; follow him on Twitter at @mikecassidy.

Mike Cassidy

Mike Cassidy

Mike is the head of storytelling at Signifyd. A former journalist and a retail geek, he covers ecommerce and the way technology is transforming digital commerce. Contact him at [email protected].