It would be fair to say that technological developments have completely changed the way consumers interact with retail companies in recent years. According to the Office for National Statistics, one in every five pounds spent with UK retailers last year took place as an online transaction. And on the two biggest shopping days of 2018 – Black Friday and Cyber Monday – Brits spent upwards of £7 billion from the comfort of their digital device.
As we once again approach the peak spending period for 2019, retailers need to be more on top of their digital game than ever. And in today’s tech-driven society, this means ensuring that customer data is well protected. While there are many factors involved in maintaining a safe and efficient online sales funnel there are two crucial areas that perhaps stand out above the others in 2019.
Getting to grips with GDPR
Introduced in May 2018, General Data Protection Regulations apply to all 28 European Union member states. These regulations are designed to protect consumer data, improving the rights of EU citizens whose personal information is processed and held by organisations like retailers and service providers.
Retailers deal with a huge volume of consumer data when taking online orders – from collecting payment card details to postal addresses, emails to feedback forms. If this data is lost or compromised, the consequences can be catastrophic for both the customer and the business itself.
If a business is found to be in breach of GDPR, severe fines can follow. Prior to the new regulations introduced back in May 2018, these fines were capped at £500,000. Now, fines can be as high as €20 million, or 4% of a company’s annual turnover.
To further complicate things, there is currently no hard and fast process to follow for businesses. In fact, a common misconception is that enterprises need to become “GDPR compliant”. There is no certification or accreditation that signifies a compliant business; rather GDPR is about constantly maintaining data protection best practice through the implementation of rigorous processes and procedures.
A company’s Data Protection Officer (DPO) or Chief Information Security Officer (CISO) are often tasked as the gatekeepers for all data-related decisions, but additional support can be sought from GDPR consultants. A fresh pair of eyes will help to pick up on things that may have been missed, and GDPR consultants are specialists in this area with expert knowledge and experience.
While GDPR was originally designed for EU member states, every company must adhere to the regulations if they deal with data belonging to EU citizens, no matter where they are based. This is particularly relevant for internet-based retailers, as customers from all over the world can buy products from a website. Blocking EU traffic to a site is one way to ensure that only non-EU customers can enter their details and purchase items.
Payment Card Industry Data Security Standard (PCI DSS): bargaining with Brexit
With the Brexit deadline looming ever-closer, businesses across all industries are struggling to understand how to prepare. While the UK will no longer be an EU member state, businesses in Britain will still need to maintain their data protection standards. The UK introduced its own Data Protection Act (DPA) in 2018, covering other areas not currently included within GDPR. But as part of the EU Withdrawal Act, GDPR will be introduced into UK law and run alongside the DPA. This will ensure that UK companies can still trade with EU member states without facing substantial fines.
It is important that retailers are familiar with PCI DSS in 2019, as it will be relevant in the future. Payment Card Industry Data Security Standard applies to all companies that handle card transactions, making it relevant to almost all retailers. Companies must provide evidence to indicate their activity over the last 12 months concerning, for example, how the business has assessed and ranked security vulnerabilities as they have been discovered.
As with GDPR, there are trained professionals to help businesses through the PCI DSS compliance process. QSAs can provide critical support to organisations, guiding the process and providing advice on any changes that need to be implemented. QSAs also identify areas of vulnerability where a security breach is most likely, encouraging businesses to be proactive rather than reactive in their approach to data protection.
Recent incidents like the attack on US website StockX (which saw the release of 6.8 million customers’ personal data) highlight just how damaging a hack can be to retailers. Indeed, data loss can be damaging for both business and customer, but storing personal and payment information is simply part of the retail process. Introducing up-to-date security practices can not only protect against an attack but also provide consumers with peace of mind when shopping online with a particular brand or ecommerce store.