GDPR compliance – the biggest challenges for merchants

Thursday 16 November 2017 00:38 CET | Editor: Melisande Mual | Voice of the industry

Mark Beresford, Director at Edgar, Dunn & Company, underlines the challenges merchants face when complying with GDPR.

This editorial was first published in our Online Payments and Ecommerce Market Guide launched on 1 November 2017. The 8th edition of the guide is a must-read for anyone trying to understand how the ecommerce and payments market is developing, whether you are a merchant, a PSP, or active in the market in any capacity.

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, just as it will across the rest of Europe and to any non-European company handling personal data of individuals in the EU. The regulation creates a single legal framework in the EU and the UK for the protection of personal consumer data.

Therefore, retailers will have to review the way personal data is collected and used. Consumer consent (across multiple channels), the use of cookies, behavioural advertising and mobile devices must all be evaluated and redesigned to achieve GDPR compliance. Furthermore, ethical and privacy concerns come into play, especially when considering the distinct responsibilities of the data controller and the data processor. There are also implications for the data that retailers use to protect against fraudulent purchasing behaviour or the growing area of ‘returns fraud’: that data is personal data too, and the same rules apply to it.

Technology alone is only part of the solution

Pseudonymisation is a key term found in the GDPR (Article 4(5)). It refers to processing personal data in such a manner that it can no longer be attributed to a specific person without the use of additional information, such as a token-to-identity mapping or a cryptographic key, which is kept separately and protected by its own technical and organisational measures. Pseudonymisation is positively encouraged by the GDPR, and retailers who take advantage of pseudonymisation, encryption or anonymisation of personal data will reduce their risk of non-compliance and the impact of a breach. Note the distinction, though: pseudonymised data is still personal data under the GDPR, because it can be re-identified with the separately held information; only genuinely anonymised data, which cannot be linked back to an individual at all, falls outside the regulation’s scope.
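The following is an added example, not code from the article or from Edgar, Dunn & Company, showing what the distinction above means in practice. It contrasts an unkeyed hash of a customer e-mail address (which any holder of the dataset can reverse by guessing addresses, so it is not real pseudonymisation) with a keyed HMAC token whose key and token-to-identity mapping are held separately, which is the "additional information" the regulation refers to. The sample e-mail addresses and order records are constructed for illustration, and the `Pseudonymiser` class and its method names are this example's own.

```python
"""Pseudonymisation of customer identifiers with separately held re-identification data.

Added example for illustration; not code from the article. All names, keys and
sample records are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample data: the kind of records a retailer keeps for analytics.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]
SAMPLE_ORDERS = [
    {"order_id": 1001, "email": "Alice@Example.com", "amount": 42.50},
    {"order_id": 1002, "email": "bob@example.org", "amount": 9.99},
    {"order_id": 1003, "email": "alice@example.com", "amount": 17.00},
]


def weak_token(email: str) -> str:
    """Unkeyed SHA-256 of the address: NOT adequate pseudonymisation.

    The space of plausible e-mail addresses is small enough that anyone holding
    the tokens can recover the originals by hashing candidates (a dictionary
    attack), so no separately held 'additional information' is really required.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identify a token by trying candidate addresses; succeeds for weak_token."""
    for candidate in candidates:
        if hmac.compare_digest(weak_token(candidate), token):
            return candidate
    return None


class Pseudonymiser:
    """Keyed pseudonymisation (HMAC-SHA256) plus a separately held mapping.

    The key and the token -> identity mapping are the 'additional information'
    of GDPR Art. 4(5). In a real deployment they live in a key store and a
    restricted vault, not alongside the pseudonymised dataset. The same input
    always yields the same token, so per-customer analytics (spending patterns,
    loyalty) still works on the pseudonymised data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Assumption: a 256-bit secret key; generated here for the demo.
        self._key = key or secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}  # token -> normalised e-mail, kept apart

    def tokenise(self, email: str) -> str:
        normalised = email.strip().lower()  # so 'Alice@Example.com' == 'alice@example.com'
        token = hmac.new(self._key, normalised.encode(), hashlib.sha256).hexdigest()
        self._vault[token] = normalised
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Resolve a token back to a person; only possible with the vault."""
        return self._vault.get(token)

    def forget(self, token: str) -> bool:
        """Erase the link for one customer (e.g. an Article 17 request).

        The token may remain in aggregate analytics data, but it no longer
        resolves to anyone. Returns False if the token was already unknown.
        """
        return self._vault.pop(token, None) is not None


def pseudonymise_orders(orders: List[dict], p: Pseudonymiser) -> List[dict]:
    """Return copies of the order records with the e-mail replaced by a token."""
    return [dict(order, email=p.tokenise(order["email"])) for order in orders]


if __name__ == "__main__":
    # Weak approach: an attacker with the dataset and a list of guesses wins.
    print("weak recovered:", dictionary_attack(weak_token("alice@example.com"), SAMPLE_EMAILS))

    # Keyed approach: tokens are stable per customer but useless without the key/vault.
    p = Pseudonymiser()
    records = pseudonymise_orders(SAMPLE_ORDERS, p)
    print("tokenised records:", records)
    print("same customer, same token:", records[0]["email"] == records[2]["email"])
    print("dictionary attack on keyed token:", dictionary_attack(records[0]["email"], SAMPLE_EMAILS))
    print("re-identified via vault:", p.reidentify(records[0]["email"]))
    p.forget(records[0]["email"])
    print("after erasure:", p.reidentify(records[0]["email"]))
```

The security point is in the split: the analytics team can work on `records` and count orders per token, while only the function that holds `_key` and `_vault` can say who a token is. If those are stored next to the dataset, the processing is pseudonymised in name only.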

Personal consumer data will include, for example, the home address (required for home deliveries) and the email address (required for marketing communications, e-receipts, loyalty and reward programmes). However, GDPR compliance cannot be achieved solely by technology; it must include a review and amendment of operational procedures and processes. This will include the need to properly train staff who handle personal consumer data.

Data ownership

The regulation gives customers the right to withdraw consent, to object, and so to stop their data being used by the retailer or by its partners. ‘The right to be forgotten’ (Article 17) and ‘the right to data portability’ (Article 20) create new scenarios in which consumers can correct, extract, transfer and delete the data held on them by any part of the business.

Data has always been a valued asset, but now, since customers will be able to handle their data as they see fit, it will become a currency that retailers will have to demonstrate they are worthy of holding and looking after on behalf of the consumer. You could compare personal data held by a retailer with money held by a bank. A bank customer can ask the bank to return their savings or transfer them to a competitor. In the future, a consumer could approach Tesco, for example, request all the data it holds on them, their spending patterns, shopping preferences and so on, and transfer it to Amazon Fresh because Amazon has offered a 20% discount on their first six months of grocery purchases.

Know your personally identifiable information

In the GDPR, personal data is all about whether a person is identifiable. Personally Identifiable Information (PII) is a US term, and although it is not used in the GDPR or in EU law, it broadly describes what personal data includes. The GDPR definition (Article 4(1)) is wider than most US uses of PII, however: it covers any information relating to an identified or identifiable natural person, including online identifiers such as cookies, device IDs and IP addresses. Thus, personal data will have big implications for retailers and for the data processors that serve them, such as payment service providers, fraud prevention vendors, credit agencies, coalition loyalty programmes, search engines, and any shopping apps that use personal data.

One of the first steps that any retailer must perform as part of their GDPR programme is to create a ‘data map’. Data Mapping should offer a comprehensive overview of the following:

• What personal data attributes are shared between providers, partners and processors
• What personal data attributes and identifiers you have to hold or process via other parties
• What personal data you retain within your system or pass on for further processing

Data Mapping is an essential prerequisite for any privacy compliance strategy and will help retailers comply with the GDPR obligations.

New but old entrants

Imagine a passport for the retail industry: something to track and identify consumers popping into different retailers along the high street, or visiting different stores online. This is happening today online. Websites allow you to log in via third parties such as Google Plus, LinkedIn or Facebook, and those third parties are collecting personal data from multiple sources, across different retailers. After 25 May 2018, under the GDPR, such third parties, acting with the consent of the consumer, could request that the original data sources be deleted, preventing the retailer from getting to know you as a consumer, just as if you were paying in cash over the counter in store.

Personal information could then be ported to a third party only when needed, such as for an online purchase, and removed once the transaction is completed. This would enable a third-party provider to aggregate groups of consumers with similar requirements so that they benefit from a bulk deal, much as an app that gathers the best deals for a consumer’s preferred brands, products and services into a single location does today.

Beyond compliance

25 May 2018 is not far away and there is considerable work to be done at many retailers. Nonetheless, it is important to recognise that although this may look like a deadline, it is not one you cross and then relax once you believe you are GDPR compliant. Data protection will be a continuous activity; it will be operational and embedded into everything you do, from boardroom to shop floor. The degree to which data adds value to your business, your customers and your partners is entirely up to you.

About Mark Beresford

Mark Beresford is a Director at Edgar, Dunn & Company (EDC) and has over 20 years of experience in the payments sector. He is responsible for the firm’s practice working with Omnichannel merchants and payment service providers across the globe.


About Edgar, Dunn & Company

Edgar, Dunn & Company (EDC) is an independent global payments consultancy founded in 1978. The firm is widely regarded as a trusted adviser, providing a full range of strategy consulting services, expertise and market insight. EDC clients include the payment brands, issuers and acquirers, processors and merchants.



Keywords: GDPR, merchant, Edgar, Dunn & Company, Mark Beresford, digital identity, security