It’s no secret that the role of data in the retail sector has grown considerably with the rise of global e-commerce and mobile commerce. Therefore, the impacts of the LGPD on retail are strongly felt and define much of the data protection strategy in retail in the coming years.
Data protection in retail
In this fast-paced and ever-evolving digital landscape, information governance has become a prominent topic, with companies in the retail sector considering how they can modernize their data protection policies.
Failure to comply with these policies or misuse of individuals’ personal data can have severe legal, reputational and financial consequences.
What are the impacts of LGPD on retail?
In this era of personalized communication strategies and targeted online marketing, radical changes in data collection, processing and storage have huge implications for retailers.
The General Data Protection Law (LGPD) came into force in 2020 with some limitations regarding the application of fines and other types of penalties, but in practice it represents a great opportunity for retailers and something they absolutely need to be aware of.
This is because data is the most valuable commodity retailers can have in relation to their consumers, whether they are business-to-business (B2B) or business-to-consumer (B2C).
What you know about your consumers shapes your proposition, your pricing and your supply chain. For this reason, not considering the impacts of the GDPR on retail can be a big mistake.
There are four main aspects of the GDPR that retailers should be aware of, and they should act quickly to address all of them.
Firstly, privacy notices will be much more prominent. These are the statements you put on your website telling consumers what you will do with their data.
The familiar checkboxes will still feature prominently, but consumers will have to tick them proactively.
This means that retailers must provide detailed information, allowing consumers to make fully informed decisions about whether they want to allow the retailer to retain and process their data.
New privacy notices need to explain why the data is needed, how it will affect the consumer, the criteria used to decide how long the data is retained and the consumer’s right to withdraw their consent.
The second key area is accountability and record keeping. Again, compliance will be a challenge, but retailers will also have to demonstrate that they have kept their records up to date and compliant with the GDPR.
Thirdly, you must have a written agreement with any third party processing the data for you.
If a retailer outsources information collection, which many large companies do, then they need a robust written contract that sets out the terms and conditions between them and the outsourcer.
In addition, there are contractual clauses prescribed by the LGPD, which means that many agreements between retailers and the parties collecting and processing their data will have to be scrapped and redrafted from scratch at significant cost.
Finally, retailers should address enhanced individual rights in relation to information held about individuals.
This includes the right to be forgotten and the right to data portability, which is linked to data use.
How can retailers implement an effective data protection program and reduce the impacts of LGPD on retail?
LGPD compliance needs vary from retailer to retailer, based on how well their business activities support the personal data privacy rights of individuals in Brazil.
Implementing an effective LGPD program can be particularly tricky for retailers, especially those who have a variety of customer touchpoints across channels, as well as those who have franchises.
These various touchpoints range from points of sale to e-commerce and call centers, as well as mobile apps, kiosks, ERP systems and even email.
To start, retailers should consider some common questions when it comes to implementing their data privacy program:
- If a data subject wants to delete their data, how do I locate all their information? How will the company determine what can be excluded and what is required for regulatory or legal retention purposes?
- If a consumer data subject wishes to obtain access to their personal data, what can the business provide to them? In what format will it be delivered?
- What personal data does the company retain and for how long?
- Do we need to work with third party suppliers to obtain copies of personal data?
- Do we have employees who may make similar requests and does the company know how to respond to these requests?
- Can the company meet the deadlines set by the GDPR?
Data subject requests are by far one of the most complicated aspects of GDPR compliance because consumers want to know:
- How their personal data is protected;
- Where their data is located and who has access to it;
- How to correct personal information;
- Whether the company has consent to use or share their personal data.
In general, the LGPD requires retailers to take a holistic approach to data privacy governance.
Remember that data protection law was established with the understanding that data privacy will continue to evolve, and the enforcement of personal data privacy rights will need to change.
Effective data privacy programs should be aligned with retailers’ business, operations, legal and technology functions, helping to drive a culture of privacy and data protection across the enterprise.
Retailers who confirm that their current policies meet LGPD requirements and establish robust and responsive corporate data privacy philosophies will be better equipped for the new era of data privacy.
The possible unviability of the business as one of the main impacts of LGPD in retail
Retail companies need to reframe the way they think about customer data and their own accountability. So, if implemented properly, the GDPR can be an opportunity for improvement for organizations.
Adopt a risk-based approach. Privacy has to be a component that you are prepared for and believe in.
Fines will be levied based on what is provided for in the GDPR, which puts companies at significant risk.
The values assigned to each situation can make the organization’s existence totally unviable or compromise its credibility in the eyes of the market and consumers.
Eval has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.
With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.