The General Data Protection Regulation (GDPR) is an important topic of conversation for U.S. companies as they prepare to comply with the new international regulation. The GDPR was adopted on April 27, 2016, and allotted a two-year post-adoption grace period for organizations, food retailers included, to strategize and implement their compliance initiatives. With only three months left, it has been reported that an estimated 61 percent of U.S. businesses aren't ready for the regulation, and that only 67 percent of European-based businesses have begun moving into the implementation phase of their GDPR compliance program. With fines enforceable as of May 25, 2018, many businesses still struggle to fully understand the regulation and thus fail to launch a comprehensive plan.
Specific to the grocery industry, several chains have displayed international influence with the presence of not only brick-and-mortar stores in several nations, but through international marketing and outreach. A popular example is Whole Foods, which had stores in the United Kingdom. After Amazon.com's acquisition of the natural foods company in June 2017, the e-commerce giant became America’s fifth-largest grocery retailer. The marketing data obtained through the acquisition provided Amazon valuable behavioral statistics on grocery-buying habits, patterns and product preferences in addition to the benefit of concrete physical locations. It's estimated that over 80 million individuals are Amazon Prime members and, with this new data, Amazon can build accurate predictive analytic models that can suggest to Prime members what they will want, how much they will want, and when they will want it.
The GDPR places Amazon's Whole Foods business unit in scope not only for its presence in the U.K., but also because it monitors the behavior of European Union (EU) customers in its attempts to offer them goods and/or services. Amazon's practices most likely include automated individual decision making applied to EU data subjects; where such decisions produce legal or similarly significant effects, the GDPR requires the data subject's explicit consent or another narrow exception (Article 22). Amazon would also be collecting and storing data, and the regulation defines "processing" broadly enough to cover almost every action taken on personal data. The retailer must have processes in place to honor the nine distinct rights awarded to EU customers, and be able to operate under the privacy principles defined within the GDPR. The regulation requires appropriate technical and organizational security measures for personal data (Article 32), establishes breach notification requirements, including notifying the supervisory authority within 72 hours of becoming aware of a breach where feasible (Article 33), and makes a controller accountable for the vendors (processors) that handle data on its behalf. These requirements make the process of marketing much more complex for businesses with direct consumer relationships with EU customers.
Although larger companies seem to be taking the regulation most seriously, smaller companies should be taking enforcement just as seriously: past enforcement actions point to real enforcement risk even for smaller organizations. The GDPR states that noncompliant companies posing a risk to EU citizens and their privacy can be fined up to €20 million or 4 percent of their worldwide annual turnover for the previous fiscal year, whichever is higher. For a company like Amazon, with net revenue of around $178 billion in 2017, that could mean a fine of about $7.1 billion. It's important to note that such a fine would be assessed per infringement, and larger repercussions could be expected in this hypothetical case, since enforcement history suggests violations of this kind rarely stand alone.
There are several steps that companies must immediately consider to lower their exposure to risk. A solid start begins with understanding how the GDPR applies to the various parts of the organization, and understanding each unit's risk profile in order to establish priorities for the initiative. Once risks and priorities have been identified, it's critical for businesses to identify and document their lawful basis for processing the personal data in question (Article 6).
Every industry has its own risk and operational challenges, and every organization has its own maturity relative to industry peers. The counsel of a compliance firm, as an unbiased third party, helps to quickly identify both industry and organizational risks that are often otherwise overlooked. A risk management and compliance consulting firm can help organizations quickly identify risk, formulate a plan to reduce it, and set up ongoing monitoring programs that maintain valuable records of compliance.
Some have suggested the GDPR will set the tone for data privacy and security regulations of the future. Brazil and China have both shown interest in forming similar requirements to protect the privacy of their citizens' personal information from businesses storing and transferring data across international borders.
To adequately prepare for the GDPR and the similar regulations likely to be introduced in the future, businesses must begin educating themselves on these regulations and deciding how they will meet the requirements. Applicable processes and procedures not only help minimize exposure to fines, but also provide an opportunity within the market to reassure customers and, in return, earn their trust.
Greg Sparrow is senior vice president and general manager, CompliancePoint, a company that provides compliance consulting and audit services for direct marketers.