Following our article Data trends to watch for the Retail, Hospitality and Leisure sector in The Collective annual business report (download available here), we thought we would give more insight into data privacy considerations for organisations that want to better understand their customer base.
The world has moved in a direction where it is imperative to fully engage with your customer base online, especially in the luxury retail industry where footfall isn’t what it used to be.
There are a few ways that retailers can use data to better understand their customers, but there are some tricky legal issues to navigate.
The primary approach that a number of retailers are taking is to analyse their own first party data that they receive from various customer touch points (including websites, apps and in-store) to gain a better insight into their customer base. This is known as ‘profiling’ and from this activity retailers can ensure that digital experiences are personalised and marketing is suitably tailored.
From a data privacy perspective this is a relatively low risk activity, provided the right compliance steps are taken. In particular, luxury retailers need to:
• Be transparent with customers about what data they are collecting, how it is collected and what it is being used for (i.e. that data will be used for customer insight purposes, to create a personalised experience and to tailor marketing).
• Ensure data is lawfully collected – this is particularly relevant where data is collected on websites or apps via tracking technologies (think consent). This can be difficult to achieve in an app environment, so will require some thought.
• Ensure there is a lawful basis for each processing purpose. Gaining insight into customer behaviour and using data for direct marketing outreach (e.g. via email) should be considered separately. GDPR compliant consent can be difficult to achieve, so many luxury retailers tend to prefer to rely on legitimate interests for marketing personalisation and profiling, but specific consent-based rules apply to outreach via email (and other electronic communications). If retailers want to rely on legitimate interests to build a picture of their customers’ interests, retailers need to ensure they are extremely transparent (don’t simply bury information in privacy policies) and ideally give customers easy rights to opt-out. Also, don’t forget to carry out a legitimate interest assessment (LIA).
• Comply with other GDPR principles, e.g. the purpose limitation, data minimisation, data accuracy, data retention, data rights and (last but by no means least) data security principles. These principles lie at the heart of the GDPR and should govern an organisation’s approach to data protection. Practically, this means that profiles should be used for clearly defined purposes (e.g. marketing), should not be unduly intrusive (think amount and type of data), should be kept up to date and not kept for an unnecessarily long period of time. Individuals should be given control over – and access to – information that’s stored about them. Security measures must be ‘appropriate’ – so, the more data (and the more intrusive a profile) the greater the security burden.
In addition, we are seeing more and more of our clients working with third party providers or ‘data brokers’ to enrich existing data sets. For context, data broking for direct marketing purposes involves collecting data about individuals from a variety of sources (for example, third party suppliers and publicly available data), then combining it and selling it to other organisations (in this case retailers). The benefit for retailers is a much better insight into their customer base, allowing customers to be further profiled and segmented to a greater extent than is possible through first party data. These profiles can then be used to engage with customers online and through direct marketing communications.
However, the UK’s data protection regulator has been particularly active in respect of data broking (see The ICO takes action in the offline data broking sector and Watch out data brokers, the ICO is taking action!) so, if you are thinking of doing this, much care should be taken. In particular data broking is a very legally challenging area for various reasons including:
• Transparency: data subjects may not be aware of how their data was obtained or may not have been informed about the fact it would be shared with a retailer for the purposes of gaining insights etc. Retailers will need to take care to make sure that individuals are aware that the retailer has received data about them from third party sources.
• Lawful basis for profiling: retailers will likely need to rely on legitimate interests for use of third party data, which will mean making sure that it is within the reasonable expectations of the individual to use the data to place them into interest based segments and to tailor marketing to the individual. If retailers cannot be sure that such use is within the reasonable expectations of the individual, consent will be the only other option.
• Lawful basis for outreach: If third party data is used to send direct marketing communications to new prospects (as opposed to simply building profiles of existing customers), consent will be required (and is extremely difficult to obtain in this context).
These are just some high level considerations to be aware of when dealing with first party data and more risky third party data. Retailers should not be discouraged from using such data, but it is ever more important to ensure that organisations put in place a comprehensive compliance programme and to ensure that robust due diligence is carried out on any third party data sources.
You may also be interested in our recent AdTech article (here) which discusses some of these issues in slightly more detail. Please do reach out to the Lewis Silkin Data and Privacy team if you have any questions.