Now that the massive regulation is in force, there’s no time to waste on getting compliant, says Greg Sparrow.
The General Data Protection Regulation (GDPR) has raised a number of questions for U.S. businesses since its inception on April 27, 2016. After the bill was passed, it was allotted a two-year grace period for businesses to strategize and implement their compliance approach. Even so, one month before the May 25 compliance deadline, it was reported that an estimated 61% of U.S. businesses were not ready for the regulation, and only 67% of European-based businesses had begun moving into the implementation phase of their GDPR compliance program.
The potential fines have many U.S. executives concerned about compliance. But many businesses are struggling to fully understand the regulation and thus have not launched a comprehensive plan.
Turning to the retail industry, several chains have an international footprint, not only through brick-and-mortar stores in several nations but also through international marketing efforts. A well-known example is Whole Foods, an American supermarket chain that previously held over 477 stores in North America and the United Kingdom. After Amazon’s acquisition of the natural-foods company in June 2017, the e-commerce giant became America’s fifth-largest grocery retailer.
Beyond the benefit of physical locations near its customers, the marketing data obtained through the acquisition gave Amazon valuable behavioral statistics on grocery-buying habits, patterns, and product preferences. It is estimated that over 80 million individuals are Amazon Prime members and, with this new data, Amazon can build accurate predictive analytics models that suggest to Prime members what they will want, how much they will want, and when they will want it.
The GDPR places Amazon’s acquired Whole Foods business unit in scope not only because of its presence in the United Kingdom, but also because it monitors European Union (EU) data subjects and offers them goods and/or services.
Amazon’s practices most likely include automated individual decision-making concerning EU data subjects, which requires explicit consent under the GDPR. Processing is broadly defined in the regulation to include most actions that can be performed with data, and it specifically covers collection and storage, which Amazon in this case would be doing. The massive retailer must therefore have processes in place to honor nine distinct rights awarded to EU data subjects, and must be able to operate under the guiding privacy principles defined within the GDPR.
‘Expansive Requirements’
The regulation further dictates appropriate security efforts for the protection of personal data, establishes breach-reporting requirements, and increases the risk associated with vendors processing this data. These expansive requirements make the process of marketing and vendor outsourcing much more complex for anyone with a direct consumer relationship with EU data subjects.
More specifically, retailers that use customer information from operations such as payment histories must be equally careful in how they use that information. This affects not only these retailers directly, but also any vendor partners that share in the use of this type of customer data for target-marketing intelligence purposes.
Many smaller agencies may not be considering the new regulations as seriously as they should be, but it’s clear they could pay a high price for that neglect. Past enforcement actions point to enforcement risk even with smaller agencies. The GDPR states that non-compliant companies posing a risk to EU citizens and their privacy can be fined up to $20 million, or 4% of their global turnover for the previous fiscal year, whichever is greater.
Big companies like Amazon, with net revenue around $178 billion in 2017, could potentially face a fine of $7.1 billion. It is important to note that this fine would be per violation. It can certainly be assumed that larger repercussions would be likely in this hypothetical case, since case law suggests similar types of violations do not stand alone, and typically occur with others.
Risk Mitigation
If they haven’t already, companies must immediately embark on several steps to mitigate their exposure to risk. A solid start is to understand the GDPR’s applicability to the various parts of the business, which includes understanding each unit’s risk profile in order to establish priorities for the initiative. Once risk and priorities have been identified, it is critical for organizations to identify and establish their lawful basis for processing customer data.
Every industry has its own unique risk and operational challenges, and every business within has its own maturity relative to industry peers. The unbiased eyes of outside counsel may help to quickly identify both industry and organizational risks that are often otherwise overlooked.
Things could soon get more complex. Some have suggested the GDPR will set a global precedent for data privacy and security regulations. Brazil and China have both shown interest in forming similar requirements to protect the privacy of their citizens’ personal information from businesses that store data and transfer it across borders.
To adequately prepare for the GDPR and similar regulations likely to be introduced in the future, businesses must begin educating themselves on these regulations and work out how they will meet the requirements. Applicable processes and procedures can obviously help minimize exposure to fines. But an added benefit is that they also provide an opportunity within the market to reassure customers and, in return, earn their trust.
—Greg Sparrow is senior vice president and general manager at CompliancePoint, Duluth, Ga.