The deadline for companies to comply with the European Union’s (EU) new General Data Protection Regulation (GDPR) is finally here—but American retailers likely still have more questions than answers concerning strategies and challenges around the most momentous and complex data management reform in decades. U.S. and European retail trade organizations want to change that.
Though GDPR is being enacted in the EU, businesses with customers who reside in any of the 28 member states must also follow the new regulations. That means hundreds, if not thousands, of retailers in the U.S. will be affected, given the prevalence of cross-border commerce today. Because GDPR focuses on data, any retailer with an e-commerce site, mobile application or other digital touchpoint collecting data from shoppers living in the EU must update their data privacy practices or risk millions of dollars in penalties.
A recent IBM survey revealed that just 36 percent of global businesses expected to be “fully compliant” with GDPR by the enforcement deadline.
To aid retailers in navigating the many changes and challenges that come with GDPR compliance, the National Retail Federation and EuroCommerce, a retail trade group serving the EU, co-released a 14-page paper that provides retail-specific guidance on understanding and interpreting the new legislation.
“These are European rules but they have significant implications for many U.S. retailers,” NRF president and CEO Matt Shay said. “This effort will help inform EU regulators as well as retailers on both sides of the Atlantic about an effective retail approach to compliance with critical elements of the GDPR. It is particularly important for U.S. companies that might not be fully versed in the EU’s new privacy requirements.
“In the world’s growing global economy, U.S.-based retailers’ consumer privacy and data security programs increasingly need to reflect worldwide obligations, not just national or state requirements,” Shay added.
The paper speaks to a wide range of topics, including consumers’ right to erase their data or take it elsewhere, what constitutes consent and the “legitimate interest” required for businesses to engage with a customer, and rules stipulating how to properly manage and respond to a data breach. The document also addresses the requirements for customer profiling.
EuroCommerce is lending its insight and expertise on the EU landscape to the joint document. “Protection of consumers’ data is a top priority for retailers around the world,” Christian Verschueren, EuroCommerce Director-General, said. “We are pleased to be working with our U.S. counterparts to ensure that Europeans and Americans alike can be confident about the protection of their data, helping our members understand these new rules, and how to deal with them.”