What if the CEO asks me about… using customer personal data to achieve our commercial objectives?
As a society, we are increasingly able to collect, store and use large volumes of personal data. For retailers and consumer brands, this can provide a valuable source of intelligence around customer behaviour and market trends. While using personal data for these purposes undoubtedly provides opportunities, it can also potentially create risk due to the heavily regulated privacy landscape.
New technologies, shifting priorities?
Retailers and consumer brands are more driven than ever by the digital transformation that was turbo-charged by the pandemic-driven shift to online. Organisations are becoming increasingly willing to invest in programmes that enhance the online customer experience, or provide intelligence to support operations or strategy, in order to remain competitive in their industry. This can include technologies that will be more obvious from the customer's perspective, such as personalised advertising, or those used behind-the-scenes to perform analytics and spot trends.
This is not to say that in-person shopping has not experienced similar technological developments. More and more retailers and consumer brands are using data-intensive technologies that rely on monitoring the behaviour of customers in their stores, such as to review footfall in certain areas of the store or surveillance technologies to promote staff and customer safety. Organisations are also increasingly syncing in-person and online shopping, for instance allowing individuals to be directed online to purchase a product that they are passing in a store.
What these online and in-store programmes often have in common is the processing of personal data, so you will need to comply with the legal requirements around that data's use, storage, transfer and deletion.
What are the practical ways to mitigate data risk?
You should ideally begin assessing personal data risks at the start of the project and before a supplier has been appointed. At this stage, considering the key data protection principles early can form a useful framework for assessing and mitigating risk, satisfy legal requirements such as "Privacy by Design" and reduce the risk of having to move the goalposts at a point when leverage is much reduced. Issues to consider include:
- Type of data processed: Will this be "personal data", which includes both conventional identifiers such as name and email address but also, for example, IP addresses and Bluetooth IDs? Additional care should also be taken where special category data is involved (e.g. health data, data on someone's ethnicity), or the personal data of employees.
- Transparency: What will you communicate to the individual in relation to how their personal data is being processed, and how will this information be conveyed? Is in-store signage or verbal notice required?
- Purpose limitation and security: How will you make sure that the personal data collected by your tool will not be used for any other purpose besides that which was intended? How will you secure the data internally and make sure that it is protected from unauthorised access and deleted when no longer required?
- Contract: If a third party vendor is engaged, how will you ensure the personal data transferred to the vendor (and if applicable to its subcontractors) is adequately protected? Has the vendor assumed an appropriate level of liability for any data breach situation, and can you walk away without an early termination penalty if you have legitimate security concerns? Contracts with third party processors must include mandatory baseline provisions under UK and EU GDPR.
- Accountability: What internal guardrails and employee training programmes are necessary based on the privacy risk of the proposed technology? What steps need to be taken to document the activity internally, such as impact assessments?
Taking a step back
Beyond the deployment of specific technologies, if you are starting to use tools or processes that process customer data for purposes, or using methods customers might not reasonably expect, it is vital that you put processes in place to anticipate these potential risks. This can include introducing early warning systems in the parts of the business that are most likely to generate commercial strategies that create a particular privacy risk, such as innovation, sales and marketing.
You should also take particular care to make sure your internal data protection accountability processes are in order. The use of innovative tools that process personal data on a wide scale, particularly where third party vendors are concerned, may trigger requirements such as impact assessments. Putting the right procedures in place ahead of new and commercially enticing uses of personal data, and ensuring staff are alert to the risks, can both reduce the risk of regulatory scrutiny (and potential reputational damage) and prevent projects from being halted or delayed.
Disclaimer: The information in this publication is for guidance purposes only and does not constitute legal advice. We attempt to ensure that the content is current as at the date of publication, but we do not guarantee that it remains up to date. You should seek legal or other professional advice before acting or relying on any of the content.