Retailers underprepared for new EU data laws

A recent report reveals retailers often mishandle customer data and run the risk of being unprepared for the recently agreed EU General Data Protection Regulation (GDPR).

Compuware administered a survey on GDPR preparedness to 79 CIOs at large retail, distribution or transportation companies in France, Germany, Italy, Spain, the UK and the US. The resulting findings and report, “Underprepared for the GDPR?”, indicate that as many as 77% of businesses don't yet know how they will respond to the new EU GDPR, while less than half (47%) are well briefed on the regulation and how it will affect the way customer data should be handled.

“To comply with the GDPR, retailers need to keep stricter control of where customer data resides,” Compuware technical director Elizabeth Maxwell said.

Historic background
After a long two-year process, the EU GDPR was adopted in April 2016 to unify previously fragmented mandates that protect the use of EU citizens’ Personally Identifiable Information (PII) and their “right to be forgotten.”

Any company with European customer data, regardless of its country of origin, must demonstrate its ability to remove every instance of customers’ PII across all systems or platforms at the customer’s request. The GDPR also demands customer data used in processes like application testing be masked to protect identities, even data shared with outsourcers, developers and testers.

GDPR is now being transposed into the national laws of the 28 member states, with the regulation set to come into force from April 2018. All enterprises in the EU or other countries that capture PII relating to EU citizens will be expected to comply with the new regulations. Failure to comply exposes enterprises to fines of as much as €20 million or 4% of global turnover — whichever is higher.

Grossly unprepared
Despite the risk of high financial penalties and potential damage to brand reputation resulting from non-compliance, the Compuware study found a full two-thirds (68%) of survey respondents either did not currently have comprehensive GDPR compliance or were unsure about the existence of such plans.

Compliance challenges
According to the report, four factors exacerbate the difficulty of GDPR compliance.

First, retailers apparently struggle to control their data, with only 16% of retailers indicating they ask for the proper consent before using customer data and over two-thirds stating they would find it hard to comply with the EU GDPR if asked to exercise a customer’s “right to be forgotten”.

Second, as many as 71% of respondents said the complexity of modern IT services means they can't always know where customer data is. Little more than a third (38%) of CIOs can locate all of an individual's personal data quickly, and nearly a quarter (23%) admitted they could not guarantee they would be able to do so at all.

Third, the relentless speed of digital change and expansion also makes GDPR compliance an ever-moving target, according to 53% of respondents. Finally, the report also points to retailers’ use of outsourcers (81%) and mobile technology (66%) as factors that make it even harder to keep track of where customer data resides.

Dr Elizabeth Maxwell said that if retailers "don't have a firm handle on where every copy of customer data resides across all their systems, retailers could lose countless man-hours conducting manual searches for the data of those exercising their 'Right to be Forgotten.' Even then, they may not identify every copy, leaving them at risk of non-compliance."


Tags: Europe, Policy, Data Protection
