How The GDPR Affects American Retailers, And What Businesses Can Do To Minimize Their Risk

Greg Sparrow, CompliancePoint

The General Data Protection Regulation (GDPR) continues to be an important topic of conversation for U.S. companies and retailers nationwide. Since its adoption, the GDPR has raised questions as to whether businesses are properly prepared to comply. The GDPR was adopted on April 27, 2016, with a two-year grace period before it becomes enforceable, giving retailers time to plan and implement their compliance approach.

With only three months remaining, it has been reported that an estimated 61% of U.S. businesses are not ready for the regulation, and that only 67% of European-based businesses have begun the implementation phase of their GDPR compliance program [1]. The potential fines have many concerned as the May 25, 2018 enforcement date approaches, yet many businesses struggle to fully understand the regulation and therefore never launch a comprehensive plan.

Looking at the retail industry, several chains have an international footprint, with brick-and-mortar stores in several nations and international marketing efforts. One example is Whole Foods, an American supermarket chain that operated some 477 stores across North America and the United Kingdom. After Amazon’s acquisition of the natural-foods company in June 2017, the e-commerce giant became America’s fifth-largest grocery retailer. The marketing data obtained through the acquisition provided Amazon with valuable behavioral statistics on grocery-buying habits, product preferences and patterns. An estimated 80 million individuals are Amazon Prime members, and with this new data Amazon can build accurate predictive models that drive buying suggestions to Prime members. Amazon tells the consumer what they will want, how much they will want, and when they will want it.


The GDPR places Amazon’s acquired Whole Foods business unit in scope on two grounds: its establishment in the U.K., an EU member state, and its monitoring of EU data subjects’ behavior and offering of goods and services to them (Article 3 of the regulation covers both). Amazon’s practices likely include profiling of EU customers; where that profiling feeds decisions based solely on automated processing that produce legal or similarly significant effects for the individual, Article 22 restricts the practice, and explicit consent is one of the few grounds on which it may proceed.

Processing is broadly defined in the regulation to include almost any operation performed on personal data, collection and storage included, so Amazon’s use of this customer data is processing under the GDPR. The retailer must therefore have processes in place to honor the nine distinct rights the regulation awards to EU data subjects, and must operate under the privacy principles defined within the GDPR. The regulation further dictates appropriate security measures for the protection of personal customer data, establishes breach notification requirements (notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible), and raises the stakes for vendors processing this data: a controller may use only processors that provide sufficient guarantees and must bind them by a written contract. These requirements make marketing and vendor outsourcing considerably more demanding for anyone with a direct consumer relationship with subjects in the EU.

Many smaller companies may not be taking the new regulation as seriously as they should, but past enforcement actions show that smaller organizations face enforcement risk too. The GDPR states that noncompliant companies posing a risk to EU citizens and their privacy can be fined up to €20 million or 4% of their total worldwide annual turnover for the preceding financial year, whichever is greater. For a company like Amazon, with net revenue of around $178 billion in 2017, that could mean a fine of roughly $7.1 billion. That ceiling applies per infringement; Article 83(3) caps the total for several infringements arising from the same or linked processing operations at the amount for the gravest one, but unrelated infringements can each attract their own fine. Larger total repercussions are plausible in this hypothetical, since enforcement experience shows that one type of violation rarely occurs alone and typically accompanies others.

There are a few important steps that companies should take immediately to reduce their exposure. Start by understanding the regulation and its applicability to the various parts of the business, together with each unit’s risk profile, in order to establish priorities for the initiative. Once risks and priorities have been identified, it is critical for organizations to identify and document their lawful basis for processing this data.

Every industry has its own risk and operational challenges, and every business within an industry has its own maturity relative to its peers. The counsel of a compliance firm helps to quickly identify both industry and organizational risks that an unbiased third party sees but that are often otherwise overlooked. A risk management and compliance consulting firm can help businesses identify their risk, formulate a plan to reduce it, and set up ongoing monitoring programs that maintain valuable records of compliance.

Some have suggested the GDPR will set the global precedent for data privacy and security regulations. Brazil and China have both shown interest in forming similar requirements to protect the privacy of their citizens’ personal information from businesses storing and transferring data across borders.

To adequately prepare for the GDPR and similar regulations likely to be introduced in the future, businesses must begin educating themselves on these regulations, and how they will choose to fulfill the requirements. Applicable processes and procedures can not only help minimize exposure to fines, but also provide an opportunity within the market to reassure customers and in return, earn their trust.

Greg Sparrow is Senior Vice President & General Manager, CompliancePoint. He has enjoyed over 17 years’ experience in Privacy, Information Security and Risk Management. Sparrow has had the pleasure of working on both U.S.-based and international projects. He was responsible for the development and implementation of the security programs responsible for protecting billions of dollars in annual transaction volume. Sparrow’s most recent work includes security and certification work for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams and helping to secure critical infrastructure at some of the nation’s largest transit hubs. He holds multiple IT and security certifications covering the health care and payment card industries and federal banking standards.

[1] Source: “Survey: 61 percent of companies have not started GDPR implementation”
