A Rapid Road to GDPR Readiness in Retail
GDPR is a fundamental shift in personal data ownership—and it’s not just happening in Europe. The adoption of similar privacy legislation is growing around the world. A case in point is the recently adopted California Consumer Privacy Act and Brazil’s General Data Privacy Law, both of which require companies to swiftly and fully respond to requests from individuals for access to personal data held about them. Other jurisdictions are considering comparable legislation or updating their privacy laws to include similar obligations as well.
Although companies have had two years to prepare for GDPR, many remained in the dark about the impact of the new rules on their business until those rules took effect on May 25, 2018. Others chose to take a “wait and see” approach pending enforcement and more regulatory guidance. The first significant GDPR fine was by France’s CNIL against Google, revealed in January 2019. “It hasn’t been a reality until now,” explained Jerrod Bailey, chief strategy officer for Truyo, an enterprise compliance solution.
“We have companies that have come to us since the May 25th deadline and in some cases, they have received 10,000 requests in the first week. These companies were prepared for ten, maybe a hundred requests. They weren't prepared for 10,000,” Bailey said.
This problem is exacerbated with large retailers, who have to comb through hundreds of data sources looking for a single person’s data.
The punitive risks for material noncompliance with GDPR’s provisions on individual data subject rights can be substantial, with fines up to €20 million or 4 percent of annual global revenue, whichever is higher. Especially in the retail industry, the search is on for a path to meet at least the minimum GDPR regulatory requirements, one that is effective, quick, causes minimum disruption, and is capable of addressing future changes in both the regulatory and system environments.
Giving Retailers the Edge on Compliance
In response to this need, Truyo offers a unique solution designed specifically to address requirements of the GDPR regulation. The system relies on highly secure blockchain technology to protect data and enable compliance throughout multiple touchpoints, which can be especially important to retailers.
“One of the major areas where retailers are collecting data is at the point-of-sale,” explained Bailey. “A lot of retailers just don't have any compliance solutions for point-of-sale. We have the ability to integrate about 98 percent of the point-of-sales systems out there.”
The company was able to help one online-only retailer automate compliance across all its brands in the EU. In eight weeks, the retailer had three primary and independent systems feeding diverse customer information into a single data lake. As consumers interact with the brand online and make purchases, transactions receive a unique tag, so they can be easily found. The process allows the retailer to demonstrate compliance with critical elements of the GDPR, with a minimal burden on operations and at a fraction of the cost of developing a custom solution.
Sometimes the system can be set up even faster. Some deployments have started processing access requests and deploying workflow management and reporting tools in less than a week and at a service cost of under $5,000 a month.
Centralized Data—Automated Process
At the core of the system are four key elements—a data lake, block chain ledger, customized portals, and APIs, as shown in Figure 1.
Data in the lake is protected by a blockchain ledger that maintains a forensically valuable history of system activity. Data from interactions is transferred to the ledger, where information is certified as un-tampered, and then to the data lake where interaction records live. When a consumer request is made, a record is kept of the interaction activity.
The lake plays a key role in compliance because it can be made available to data protection authorities, auditors, and data governance professionals, as well as any other data collector or processor. This results in increased accountability, information transparency, accuracy, efficiency, and ease of audit.
Users of the system can access information in the lake through custom portals. For example, individuals can review their collected personal information, modify it, or request its removal. If individuals make updates to their personal information within the portal, it kicks off a series of automated workflows on the back end that record those changes and confirms them with the individuals.
Bailey explained: “You go to a portal. You create a login. You validate that you are who you say you are, and then you get access to your data in the data lake. That’s very unique.”
Portals can be configured so administrators and others with compliance responsibilities can see what they need to see in the lake. For example, the CRM system manager could use the portal to monitor privacy activity related to that system. “Through their portal, they'll be able to see all the access requests they need to react to or the requests automated at the back end of the system,” Bailey said.
Auditors and regulators, too, can have a portal into the system. “In the EU, every country has their own privacy authority, so the likelihood of having to show a third party what you're doing is fairly high,” Bailey noted. The portal, though, can limit what they see to just the ledger.
The APIs also connect to consumer touchpoints and retailer services. Touchpoints include point-of-sale interactions, website traffic, and interaction with mobile applications. Retail services include loyalty and customer management programs.
What's more, the APIs are a two-way street. Not only can they be used to ingest data, they can be used to alter it, too. “We can anonymize or delete a record without a human being having to get involved,” Bailey said. “It’s that automation and centralization, those two components together, that make Truyo very unique.”
Streamlined Solution for Complex Environments
Even though the realities and complexities of the GDPR and CCPA are only now hitting home, some solutions help streamline the compliance process.
Truyo offers a system geared for highly complex retail environments thathave an array of data sources, customer touchpoints, and multiple point-of-sale systems. By leveraging Intel® technology, the company has built a unique solution to a multifaceted problem.
“These new privacy regulations can be a big challenge, but meaningfully protecting individual privacy rights is an even bigger one,” Bailey said.