How is the European Union’s General Data Protection Regulation (GDPR) like a car speeding down the highway?
This was the question posed to Retail Technology Insider by Doug Harrell, Vice President, Retail at Pitney Bowes in a recent conversation. While this might seem like a nonsensical question, or a really bad joke, there is, in fact, merit in this analogy.
As Harrell explained, “Is the highway patrol really going to pull somebody in a family sedan over for going 61 mph in a 55 mph zone? In all honesty, they’re not; they’re looking for the guy who’s going way over the speed limit in that bright red sports car.” In much the same way, in the early days of GDPR, EU regulators will be on the lookout for global retailers (the red sports cars) that are in violation of the data standard long before they look for U.S.-based organizations (the family sedans) that may only handle a small amount of EU citizen data.
To that end, there is less pressure on retailers based outside the EU to be compliant immediately. While they are more likely to be subject to audit, Harrell points out that companies may decide not to comply due to cost. “No one wants to justify to their management that they have to spend $1 million to solve a problem that may have a $100,000 fine.” In these early days of GDPR, organizations are “testing the limits,” shared Harrell. He continued, “Retailers know that fines are based on a percentage of worldwide revenue, so there’s a risk calculation that needs to happen. If the fine costs less than becoming compliant, is it a worthwhile investment?”
Until GDPR regulations are strictly enforced, which it seems will take quite some time, U.S. organizations will most likely continue to test the limits. “These retailers are more likely to say, ‘You know what, the fine isn’t more than it’s going to take me to be compliant, so I’m not going to invest in those solutions when I could put that money into my business,’” explained Harrell.
But for the global giants, the risk calculation is vastly different. Not only are the fines larger, based on relative size of revenue, but “the regulatory authority definitely wants to ensure that market leaders, like Amazon, are in compliance early on,” shared Harrell. “From there, attention will turn to the next tier of retailers and so on. While smaller U.S. retailers will not feel the impact of these audits – and possibly fines – for a while, it’s worthwhile for them to begin to comply with the spirit of the regulations, if not the actual letter of the law.”
In Harrell’s opinion, the best place for U.S.-based retailers to start is to discover where customers’ personally identifiable information (PII) is being stored. “Not knowing where PII is being held is the biggest source of risk for retailers,” Harrell explained. “Even if retailers do nothing else, in knowing where PII is they can step up their security protocols to provide better data protection and improve risk mitigation.”
From there, retailers can start on the next stage of preparation – improving data accuracy and minimizing the amount of data held about each customer. “Retailers typically hold multiple records about the same customer – this can include full name, nicknames, home address, work address and so forth,” Harrell said. “By using reference data, trusted algorithms, and advanced analytics to overcome name variants, nicknames, and other differences, retailers can unify these records and create unique identifiers.”
Ultimately, of course, the goal for all retailers doing business with European-based customers is to be in compliance with the EU’s GDPR regulations. While this meets the law for EU-based customers, it has the added goodwill benefit for U.S. customers, who have shown a distinct interest in – and appreciation for – the protection of their data and privacy in recent months.