It was reported recently that Amazon will open 10 till-free UK stores, with shoppers scanning items as they go and paying via their Amazon accounts. Similarly, Sainsbury’s has announced a trial virtual queuing system using a third-party app, and an expanded mobile payment scheme offering increased availability of till-free shopping. This brings “omnichannel” data to the shop floor – truly digitising the customer experience and creating even richer consumer behaviour datasets.
The insights could be phenomenally valuable.
But what about the legal risks of creating these combined datasets? We know that Gen Z, the shoppers of the future, are values-driven and demand authenticity and transparency. How then can retailers meet the demands of their current and future customer bases and manage data-related risks, whilst maximising opportunities? Here are some suggestions.
Data protection regulators see themselves primarily as upholders of individuals’ rights. Market testing or other dialogue with consumers will therefore help to mitigate risk.
For example, ask your customers what they understand about retailers’ use of online/offline data, their feelings about one use versus another, what choices they’d expect, and so on. Ask again from time to time too, as consumer expectations shift quickly in response to the digital retail experiences on offer. A consultation could mitigate risk practically – through insight into your audience’s level of understanding/comfort – but also help demonstrate to regulators that you designed your practices with audience feedback in mind.
Tone at the top
Data risk isn’t just a job for IT, Legal, or any other single team. To avoid the ‘bear traps’ associated with innovative, consumer-facing digital practices, this needs to be (and be seen as) led by a senior management team. GDPR essentially sought to stop data protection being a last-minute ‘bolt-on’ issue for Legal to address before launching new digital products.
To make defensible decisions about data protection, particularly large-scale use of consumer data, you’ll need to ensure that the right stakeholders are accountable.
Don’t hang your hat on a competitor’s hook
More than in almost any other sector, we as lawyers see retailers pointing us to their competitors’ data protection approaches. We get it. But when managing your own risk, this isn’t the best idea. Nor are competitors’ websites real indicators of good (or even current) practice behind the scenes.
Your marketing teams will know that consumers who look alike might have different expectations or levels of understanding. Your risk appetite might differ, or you might be making a longer play for strategically valuable data – think Amazon, with its accumulated knowledge about online behaviour, wanting to track consumers ‘on the ground’.
Copying competitors and hiding in the crowd to reduce the ‘likelihood’ of regulatory action can seem an appealing short-term fix, but could actually be an aggravating factor leading to more material consequences following any enforcement.
Data Protection by Design and Data Protection Impact Assessments (DPIAs)
Before starting anything in this space – licensing third-party apps, developing retail tech in-house, location tracking, building data lakes – you’ll need to follow robust processes to comply with your obligations around “data protection by design and default”. Essentially, build it with the consumer’s data protection rights in mind.
DPIAs can be a great tool – they are flexible and useful for getting teams working together on tricky data issues. Don’t be afraid of DPIAs and don’t try to avoid them, as you risk undermining the value of the resulting datasets by wrapping them up in unidentified or unmanaged risk. You may end up facing some hard decisions (no-one really wants to have to consult the ICO about managing risk!), but ultimately it then becomes as much about who you want to be to your customers as it is about data protection risk.
Alexandra Leonidou, partner in Foot Anstey’s data protection team