At no time in history has customer data and privacy protection been a greater concern for consumers, businesses and regulators alike than in the current pandemic environment. The massive shift to online commerce and contactless payments that began in early 2020 spurred by confinement measures to contain the spread of COVID-19 has dramatically escalated security and privacy risks associated with the financial and personal data of millions of customers.
Even as they accelerate their digital presence and capabilities to accommodate the e-commerce surge, consumer products and retail organizations fear they will not be able to sustain privacy compliance and effectively respond to consumer data security requests. Their concerns increase each day with the proliferation of emerging technologies, sophisticated cyberattacks, online fraud and data breaches.
Rattled by these events, lawmakers and regulatory agencies worldwide are introducing new privacy regulations and imposing aggressive enforcement measures. In October 2020, for instance, the second largest General Data Protection Regulation (GDPR) fine of €35 million (roughly $41 million) was imposed on a multinational clothing retailer for allegedly violating the EU directive’s principle of data minimization. This is the rule prohibiting organizations from processing personal information, particularly sensitive data about people’s health and beliefs.
In the United States, Virginia passed the Consumer Data Protection Act in March 2021, joining states like California, Maine, Massachusetts and Nevada, which have enacted robust data privacy laws. These laws allow consumers to access, delete and stop the sale of their personal information and obligate companies to obtain consumer permission before collecting, using or disclosing sensitive information, among other provisions. A number of other U.S. states, including Washington, New York, Texas, Minnesota and Oklahoma, are considering similar laws. And, at the U.S. federal level, there is an effort to establish uniform national standards for privacy law, a goal long sought by retailers, particularly national chains that operate in multiple states.
These maturing privacy and data protection regulations clearly expose global retail and consumer products organizations to a greater degree of penalties, compliance risks and private litigations than ever before. But there is a silver lining. Consumer products and retail organizations have an opportunity to turn the growing angst among consumers and regulators into a business advantage by engaging with these stakeholders directly and openly and building trust through transparent data collection, handling and sharing practices. In their pursuit of emerging technologies and digitization, retailers also have a unique opportunity to ensure that privacy is designed as a default setting in every aspect of data-enabled products and services.
To take advantage of these opportunities and build an effective future-state privacy program, consumer products and retail organizations need to reexamine their current privacy practices and understand their level of maturity. This, and related advisory assessments, can help organizations identify weaknesses in data privacy compliance and protection efforts.
How Organizations Currently Address Privacy
For the past several years, consumer products and retail organizations have gathered huge amounts of consumer data using advanced technologies (i.e., location tracking, facial recognition and artificial intelligence [AI]). With these data and tools, these organizations have been able to create deeper relationships with frequent buyers and communicate in more personal ways with individual customers – capabilities that have proven to be particularly crucial with the rise of omnichannel shopping during the pandemic.
Our experts have observed three distinct privacy maturity levels and strategies across the consumer products and retail industries:
- Privacy leaders – These are organizations that have implemented a data-driven consumer journey that focuses on experience and where data is managed. These privacy leaders have succeeded at creating a holistic view of the consumer by giving customers greater access to and control over their personal data. Consumer trust, transparency and consumers’ privacy rights are core focuses, and the companies have an established privacy policy that is a prominent part of the corporate strategy. In essence, there is an intentional focus on protecting consumer privacy and building and maintaining trust with consumers.
- Privacy adopters – These organizations have started to explore a data-driven consumer journey and are changing how they view data. They aspire to be leaders but have not yet allocated the attention and resources necessary to create a mature privacy program. These privacy adopters are working to increase their focus on privacy but the level of focus still varies within the organization.
- Privacy laggards – These organizations are process-focused rather than customer-focused and have not addressed privacy as part of their business model. They mostly practice a wait-and-see approach, believing that it would be difficult for regulators to enforce requirements. They may have privacy policies on paper, but their capability to maintain effective privacy controls is immature and highly tactical. These organizations have not made consumer privacy a business priority, thinking of privacy as largely a legal and compliance issue, and this is reflected in the way they operate.
Not all organizations fit neatly into these maturity levels, and some have made great progress on various privacy fronts in recent years while lagging in others. Overall, developing (and maintaining) a mature global privacy function continues to be a struggle for laggards, adopters and leaders alike.
What Organizations Can Do Now to Address Privacy
Establishing a baseline to capture the totality of the organization’s privacy commitments to determine exactly what customers have been promised and whether or not the company is delivering on its commitments is critical. Additionally, organizations must have a clear understanding of privacy regulations within the respective jurisdictions where they operate, to ensure that those commitments are aligned with regulatory expectations. Following the introduction of GDPR in 2018 more than 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws. And as indicated earlier, in the United States, more states are enacting stricter data privacy measures.
Global retailers should continually monitor and stay on top of multiple and competing privacy rules across their geographic footprint. This global approach to privacy compliance can be achieved by focusing on implementing the most restrictive data privacy model (e.g., GDPR) across the enterprise, and then working with legal counsel to develop and maintain an inventory of other privacy regulations that apply to individual offices around the globe. Multinational organizations would also need to reconcile all the various laws in the background and take a risk-based approach to compliance starting with priority jurisdictions, which may vary depending on the organization.
Retailers that are venturing into the use of advanced digital technologies and cloud computing to collect and use personal data must put specific measures in place to manage the increased risk exposure. These internal measures will be easier to implement if business leaders ensure that a culture of compliance around data privacy is established and maintained across the organization.
Enhancing privacy and data protection practices with limited resources continue to be one of the main challenges faced by global consumer products and retail organizations today. The need for knowledgeable, experienced data privacy professionals has increased, creating a market shortage of data privacy expertise. Consumer products and retail organizations recognize that the data protection officer (DPO) role has limited privacy resources to implement, manage and supervise on privacy compliance efforts across their global footprint. Clearly, organizations need to invest in data privacy expertise and/or partner with organizations that can help them build and maintain an effective privacy program.
A managed services approach to data privacy — privacy as a service, or PaaS — is another solution consumer products and retail organizations may want to explore. How can a company determine if it needs to pursue a PaaS strategy? The following questions can help with the decision-making:
- Do we know exactly which data privacy and protection laws apply to our operations?
- Have we found it challenging to comply with data privacy regulations in the various jurisdictions where our business operates?
- Are we confident we know of and/or have a plan to address any data privacy compliance gaps?
- How are we currently addressing consumer privacy requests? How many such requests are we receiving?
- Are we using any or the evolving tools and products to inventory and classify personal data to comply with all applicable data privacy requirements?
One thing is clear in the current risk environment: Consumers view respect for privacy as a core value of the brands with which they seek to do business. They consider the way their private data is managed to be a reflection of how they are treated as customers and they expect consumer products and retail organizations to exhaust all means to protect their personal information.
Muazzam Malik, Managing Director with Protiviti’s Security and Privacy practice for the consumer product and services industry, contributed to this content. Learn more about Protiviti PraaS™ and our data privacy consulting solutions here.