For years, the retail industry saw its collated customer data as a treasure trove. Thanks to advanced data analytics, coupled with emerging technologies like artificial intelligence (AI) and the Internet of Things (IoT), retailers saw a deluge of data-driven insights coursing through their IT pipelines. These helped them get personal with their customers and drive better conversion — a key challenge as retail continues to pivot online.
This party is now coming to an end. The slew of legislation, like the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), along with the amended California Privacy Rights Act (CPRA), is about to make retail a privacy dilemma.
What many thought was a treasure trove is now a data privacy minefield. And without the proper processes or policies, retailers are not only open to hefty fines that impact top and bottom lines, but also customer brand trust — the very thing they have worked so hard to build.
How Did We End Up Here?
Retail companies never had to deal with the clinical privacy policies that their peers in healthcare and financial services faced daily. This gave rise to large compliance teams often seen as cost centers.
However, much of the regulatory effort focused on fighting fraud and financial crimes. Retailers, which banked on these financial services processes, didn't need to build substantial compliance teams, identify politically exposed persons (PEPs), or fight criminal syndicates.
Their main concern was identity theft (payment fraud), chargebacks, affiliate fraud, and fake retail sites. As retail embraced e-commerce during the pandemic, they started to battle hackers and ransomware attacks, mobile fraud, and increasingly sophisticated retail crime syndicates.
However, retail customers have changed. Fed up with seeing their personally identifiable (PI) data stolen or misplaced, many are demanding their favorite brands strengthen their privacy protection.
Regulators have listened. GDPR and CCPA put the onus of data privacy protection on the retailers. Whether they're small or large, online, brick-and-mortar or hybrid, it's up to retailers to adequately protect data privacy.
But the regulations go further. For example, GDPR requires retailers to follow privacy by design (PbD) principles while giving customers the freedom to forget. Regulations like CCPA and GDPR have some differences and also introduce additional grey areas that future bylaws or amendments will resolve. This creates unwanted uncertainty at a time when retailers are navigating a landscape radically changed by the pandemic.
What Can Retailers Do?
To meet the evolving challenges of data privacy, retailers need to shift their mindset. Employing a chief privacy officer (CPO) or chief information security officer (CISO) may be a start, but not enough. Instead, retailers need to make data privacy part of the app and website development lifecycle — from beginning to end — and make it a collective responsibility.
For example, development engineers need to follow PbD principles as stated in GDPR and CPRA right from the onset — not as a bolt-on, after the fact. Quality assurance (QA) engineers must know how to work with tokenized, obfuscated or masked data as they cannot test with actual PI data. While DevOps or Ops engineers also need to ensure that PI data is kept within customer premises or virtual private clouds (VPCs) with adequate controls.
Retail CISOs and CPOs need the right tools to navigate the increasingly complex world of data privacy regulations across the globe. They also need to make sure that applications and SaaS apps handle PI data according to the jurisdictional needs. Legal professionals need to get involved when onboarding new applications and SaaS apps in order to understand the legal risks and consider extra measures like cyber liability insurance.
One major challenge is reimagining how retailers collect and use data. Often their data lakes are filled with zero-party data from surveys, first-party data from their customer database, second-party data privately shared from affiliates, and third-party data bought from data brokers and social media sites.
In the past, these were done piecemeal and in a siloed fashion. Often the marketing department will have one set, customer service another, and loyalty programs a separate one. This increases data privacy risks exponentially due to duplication and mishandling. And data governance becomes a challenge.
It's why retail chief data officers (CDOs) need to introduce proper data governance policies and workflows for all company data. This becomes even more urgent for retailers to use machine learning algorithms and IoT analytics to create PI data, raising the stakes for data privacy compliance. Meanwhile, IT engineers need to ensure that any new service has the proper role-based access control (RBAC) model and convenient access is provisioned for the right people.
Don’t Just Facelift; it’s Time to Reimagine From Within
Retailers now face a massive data privacy hurdle. And it couldn’t come at a worse time. As many are moving online and looking to survive the pandemic, they'll face an increased cost of business.
The issue is that the fortunes lie with those who are most prepared. And this preparation starts with an honest look at how data is collected, managed and used, and having the right policies.
To unlock the benefits, however, we also need to shift our thinking about data privacy and stop seeing it as a compliance matter. Besides, the current raft of privacy regulations is only a start. As new regulations come about, companies can expect greater scrutiny by consumers demanding better control of their private information.
A data privacy audit can help. Investing in automation can cut through this complexity and manage evolving privacy challenges — especially for companies without privacy teams. A good platform can offer the visibility and the control you need to scale your business without tripping over privacy legislation.
Adequately done, forward-looking retailers can turn their privacy costs into potential revenue drivers as retail customers get more sophisticated and demand better control over their data. In the end, it builds trust that they can convert to revenue. And isn’t that what all retailers ultimately want?
Darshan Joshi is co-founder and chief technology officer at CYTRIO, a SaaS data privacy rights management platform.
Darshan Joshi is co-founder and Chief Technology Officer at CYTRIO. He has more than 20 years of data and data management experience, having held SVP/VP of technology and engineering roles at industry leading data and data management companies such as Informatica, Symantec, and Veritas.