Add a bookmark to get started

26 November 20185 minute read

Fashion retailers: Data protection as a tool to ensure confidence and increase competitiveness

In the context of digital transformation, customerexperience is the future of brand differentiation. Customerinsights have never been more critical to retailers workingto satisfy rising demands, offer a more personalized andmeaningful cross-channel experience, and effectivelyengage with hyperconnected customers.

The trick for retailers is to know the customer betterthan they know themselves by tracking their end-to-endjourney, both online and offline, using mixed data frombrowsing, purchases, in-store visits, biometrics fromwearable devices, facial recognition in stores, etc., whichwill allow retailers to create granular customer profiles.This sounds like a customer-relationship management(CRM) dream come true. But retailers should not forgetthat GDPR is the new black and, more than the risk offinancial sanction, it is a retailer’s image and reputation thatis at stake.

Customers are often in a privacy paradox: while theycertainly want a customized experience, they also wanttheir privacy to be respected and to be able to trust theirfavorite brand.

In a marketing environment, confidence is key and GDPRincludes several tools to inspire more confidence for betterCRM and thus more competitiveness:

  • Privacy by design should be a key pillar of any modern CRM strategy or marketing project. It should be incorporated in all projects that are based on universal identifiers, use cookies or other tracking technologies, follow customers (both in the online and offline worlds), measure retail conversion, or offer on-time advertising. The same goes for other emerging technologies, including AI, virtual and augmented reality (such as avatars or virtual fitting rooms), sales assistant bots, and in-store facial recognition. This approach will allow customers and brands to benefit from such new technologies, while at the same time reducing their intrusiveness.
  • Compliance with the key principles of data protection (lawfulness, fairness and transparency by an appropriate information; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability) is key to maintain trust and confidence in a brand. Such compliance is easy to achieve by implementing user-friendly technical solutions which allow retailers to keep (i) visibility on the data provided by customers themselves or through tracking technologies and (ii) to control how customer data is used or shared. Such solution may also facilitate the collection of customers’ free, specific, informed and unambiguous consent when required. GDPR is not the only applicable regulation, and retailers should keep in mind the upcoming e-Privacy Regulation, which will add to these requirements.
  • Conducting a data protection impact assessment (DPIA) also helps determine the appropriate technical and organizational measures depending on the categories of personal data processed and the risk of exposure. A DPIA is also helpful to anticipate and contain the possible adverse effects of a security breach.

Another interesting trend is the increasing enthusiasm forthe use of blockchain technology in the fashion industry,from supply chain and inventory management to brandprotection, crypto-currency payments, and returns andrefunds process management.

Blockchain, however, is a technology which processespersonal data in a way which may be incompatiblewith GDPR requirements because of the conditions ofprocessing (eg, no deletion of the data processed, datavisible by all the users of the blockchain).

In its recent publication, the French Data ProtectionSupervisory Authority (Commission Nationale del’Informatique et des Libertés or CNIL) provided practicalrecommendations on how blockchain use may becompatible with GDPR and with data protection law moregenerally, accounting for the constraints imposed by suchtechnology, and demonstrating that blockchain technologycan be compatible with GDPR.

The CNIL, among others, clarifies the role of the differentstakeholders involved in the blockchain (eg, participants,miners). According to the CNIL, blockchain is not meredata processing, but a technology that supports dataprocessing, just like the cloud does. Choosing to useblockchain is choosing a certain technological means ofdata processing. The data controller, therefore, is the onewho writes and stores data on the blockchain a participantaccording to the CNIL. Where there are multipleparticipants, they may either make arrangements regardingthe responsibility of the processing and appoint a uniquecontroller or act as joint controllers. Miners who validatethe recording of the personal data in the blockchain wouldqualify as processors.

The CNIL also provides recommendations on how tominimize risk and ensure the effective exercise of the datasubjects’ rights in the context of the blockchain. To learnmore, please read our article on our blog Privacy Matters.

In conclusion, compatibility with the GDPR principlesshould always be possible, even if innovative solutions arenecessary.

Now that you know, you can bring your GDPR game withstyle.