45% Of Retailers Still Lag In GDPR Compliance Ahead Of May 25 Deadline

Retailers targeting consumers in the European Union (EU) are counting down the days until they must comply with the General Data Protection Regulation (GDPR) deadline of May 25. The regulations will introduce more stringent provisions for organizations processing consumer data. But while 55% of retailers say they were largely or completely GDPR-compliant as of April 2018, that leaves 45% that say they are lagging behind or only partially compliant, according to Capgemini.

In April 2016, the EU adopted GDPR, a new set of business rules and regulations designed to protect the individual rights of European citizens, including those relating to data access, automated decision making, profiling and the right of the consumer to restrict processing. As many as 57% of European consumers will reduce spending and delete data with organizations that they perceive to be in breach of GDPR, the Capgemini study noted.

While GDPR is specifically EU legislation, the mandate’s ramifications certainly go beyond just European retailers — it’s a global issue, especially with the continued growth of cross-border e-Commerce.


“The regulatory disconnect between geographies will test the global nature of the Internet,” said Greg Portell, a Lead Partner in the Consumer Products and Retail practice of A.T. Kearney, in an interview with Retail TouchPoints. “The promise of commerce — linked to goods and content — without physical borders becomes a bit more distant. GDPR enforcement is likely to heighten concerns about who can access a web site, and from where. This dynamic creates a counterbalance to the movement of equal access for all.”

Preparing For GDPR: Last-Minute Tips And Beyond

With uncertainty about what data customers can consent to share via a web site, noncompliant or partially compliant retailers must keep adjusting to the regulations. The penalties associated with regulatory changes will force retailers to be more diligent in how they manage, process and execute programs, increasing risk and potential costs. There are significant monetary penalties involved: the GDPR states that noncompliant companies posing a risk to EU citizens and their privacy can be fined up to either $20 million, or 4% of their global sales for the previous fiscal year, whichever is greater.

First, retailers must understand whether their tracking technologies fall under the provisions of the GDPR. For example, some uses of RFID can be considered as tracking product movements in-store, rather than customer behavior. In those cases, the use of RFID could be exempted from the regulation.

Russell Marsh, a Managing Director for Accenture Digital, noted that retailers must reinforce the benefits of these changes within their channels of communication.

“Consumers have been deluged by privacy policy update emails in the past few weeks,” Marsh said in an interview with Retail TouchPoints. “The brands that will be successful in obtaining this consent are those that view the GDPR ‘process’ as an opportunity to engage with people. Reminding your customers about the benefits of the regulation will help to avoid frustration.”

This communication is crucial, especially since there realistically isn’t much a business can do in terms of operational measures to make a dramatic impact this close to the deadline.

Ahead of the May 25 date, retailers also must create preference centers within their e-Commerce sites that give consumers direct access to their profiles and preferred options of consent.

Retail Marketers May Have Bright Future Given Current Shopper Tendencies

Portell of A.T. Kearney said that he doesn’t expect the regulations to have a long-term negative impact on retail marketers and advertisers, citing four “certain established realities”:

  • Consumers have shown a willingness to trade personal information for free content and connectivity;
  • The best marketers already act in ways that are consistent with GDPR, by maintaining current lists and profiles, contacting targets with relevant offers and protecting customer information as an asset;
  • Most marketers already have more data than they can leverage actionably — the regulations will force them to focus on what really matters; and
  • Marketing effectiveness should increase as advertisers and media companies can no longer act on the less relevant, inexpensive data tail in hopes that something will convert.

Regardless of how the post-GDPR landscape plays out, consumer trust is still going to be the centerpiece that drives whether retailers can make the most out of their shopper data.

“This legislation has been brought in because companies have been hoarding and misusing data,” said Marsh. “People are now starting to realize the power of the data, and how it can actually be used. The underlying thing that’s going to come out of this — either brands will not be trusted and consumers will take their business elsewhere, or brands will show that they’re trustworthy and have value, and consumers will be happy to share that information. We’re at a tipping point in that the world has now changed and it recognizes the power of data, and that the right people will have to be trusted with it. There will be no just giving it away in the future.”
