As we approach the first anniversary of the General Data Protection Regulation (GDPR), it feels like a fitting time to reflect back over the past twelve months and to look ahead to the future. There is no doubt that we have seen a huge step change in data protection practice and maturity as organisations have moved from their GDPR transformation programmes into business as usual.
However, the work doesn’t stop there. We are now seeing the impact of the first fines issued under the regulations, adverse scrutiny from privacy activists and regulators, plus the power of the consumer as they become increasingly aware of and actively exercise their strengthened rights under the new law. Organisations can learn from these cases and use the outcomes to improve their business practices, ultimately strengthening their brand and reputation in the marketplace.
It has long been recognised that marketing is a key focus area for privacy regulators. In our 2017 Enforcement Tracker we highlighted that close to 50% of the enforcement actions taken in the UK alone related to marketing infringements. Nothing has changed since the introduction of the GDPR, except the significant increase in the level of fines which, at up to 4% of annual global turnover, now have the potential to really bite.
We discussed all of these issues and more in our webcast with the BRC: ‘GDPR one year on: what should retailers be considering now?’ with Stewart Room and me, Emily Sheen from PwC’s data protection team, We were also joined by Prof. Dr. Srechko Kontelj OAM, Group Legal Director at Specsavers.
In addition, we have outlined some key areas that retailers can focus on to improve their data protection practices while positively impacting the online customer experience.
1. Review your online customer journey - Take the time to review your website, including your privacy and consent notices, to ensure you are being truly transparent with users about how their personal data will be used.
2. Put yourself in your customers’ shoes - Make it easy for customers to find and digest the information about how you will use their personal data. Don’t make things difficult by splitting information across different pages or areas of your website and then expecting your customers to piece together the information. Layered privacy notices can be used but they should be designed to provide a clear pathway through different levels of information.
3. Avoid the pre-ticked box - Make sure customers need to take a positive action when giving their consent to the use of their personal data. Stay away from using pre-ticked boxes. Ensure the consent you collect is separated for each different purpose and not tied to other conditions of your service.
Emily Sheen //
Data Protection Strategy, Legal and compliance services
In partnership with PwC, we review what we’ve learnt from the first twelve months of the GDPR, and areas that retailers should be focusing on now to balance the use of customer data for transformation and growth against the need to place privacy.