
The GDPR’s Impact on American Retailers

by Greg Sparrow
April 25, 2018
in Data Privacy, Featured

How Businesses Can Minimize Their Risk

It is estimated that well over half of U.S. businesses are out of compliance with the GDPR, which takes effect on May 25. Businesses are unprepared largely because they struggle to understand the regulation and whether it applies to them at all. Greg Sparrow touches on the issues the GDPR raises, why businesses fail to meet compliance and what they can do to mitigate their risk.

The General Data Protection Regulation (“GDPR”) is one of the most discussed topics in the media, along with the question of how it will affect U.S. companies. Since its inception, the GDPR has raised questions as to whether businesses are properly prepared to comply. The regulation was adopted on April 27, 2016 with a two-year transition period for businesses to plan and implement their compliance approach before it applies. With only one month left, it has been reported that an estimated 61 percent of U.S. businesses are not ready for the regulation, and that only 67 percent of European-based businesses have moved into the implementation phase of their GDPR compliance program.[1] The potential fines have many businesses and professionals concerned as the May 25, 2018 application date approaches, yet businesses continue to struggle to fully understand the regulation and so fail to launch a comprehensive plan.

Turning to the retail industry, several chains have an international footprint through both brick-and-mortar stores in several countries and international marketing efforts. A well-known example is Whole Foods, an American supermarket chain that operated more than 470 stores in North America and the United Kingdom. After Amazon’s acquisition of the natural foods company in June 2017, the e-commerce giant became America’s fifth-largest grocery retailer. Beyond the benefit of physical locations near its customers, the marketing data obtained through the acquisition gave Amazon valuable behavioral statistics on grocery-buying habits, patterns and product preferences. It is estimated that more than 80 million individuals are Amazon Prime members, and with this new data Amazon can build predictive models that suggest to Prime members what they will want, how much they will want and when they will want it.

The GDPR brings Amazon’s acquired Whole Foods business unit into scope not only because of its presence in the United Kingdom, but also because it monitors the behavior of data subjects in the European Union (“EU”) and offers them goods and services (Article 3(2)). Amazon’s practices most likely involve profiling of EU data subjects; where a decision is based solely on such automated processing and produces legal or similarly significant effects on the individual, Article 22 permits it only with the data subject’s explicit consent, where it is necessary for a contract, or where Union or Member State law authorizes it. Processing is broadly defined in the regulation to include almost any operation performed on personal data, including collection and storage, which Amazon would be doing here. The retailer must therefore have processes in place to honor the data subject rights set out in Chapter III of the regulation (information, access, rectification, erasure, restriction, portability, objection and rights related to automated decision-making), and it must operate under the data protection principles the GDPR defines. The regulation further dictates appropriate security measures for personal data, requires notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it where feasible, and increases the risk associated with vendors processing this data by requiring written contracts with processors. These expansive requirements make marketing and vendor outsourcing much more complex for anyone with a direct consumer relationship with EU data subjects.

Many smaller businesses may not be taking the new regulation as seriously as they should, but past enforcement actions by European data protection authorities show that enforcement risk is real for smaller organizations too. The GDPR provides that noncompliant companies can be fined up to €20 million or 4 percent of their total worldwide annual turnover for the preceding financial year, whichever is higher. For a company like Amazon, with net sales of around $178 billion in 2017, that would mean a potential fine of $7.1 billion. Note that this cap applies to an infringement, not to the company as a whole: where several provisions are infringed through the same or linked processing operations, Article 83(3) limits the total to the amount for the gravest infringement, but unrelated processing operations can each attract their own penalty. In a hypothetical case like this one, larger total repercussions could reasonably be expected, since enforcement history shows that one type of violation rarely occurs alone.

There are several steps companies should undertake immediately to mitigate their exposure. A solid start begins with understanding how the GDPR applies to the various parts of the business and each unit’s risk profile, so that priorities for the initiative can be set. Once risk and priorities have been identified, it is critical for organizations to identify and document the lawful basis (Article 6) for each processing activity.

Every industry has its own risk and operational challenges, and every business within it has its own maturity relative to industry peers. The counsel of a compliance firm helps to quickly identify industry and organizational risks that an unbiased third party sees but that are often overlooked from the inside. A risk management and compliance consulting firm can help organizations identify risk, formulate a plan to mitigate it and set up ongoing monitoring programs that maintain records of compliance.

Some have suggested the GDPR will set the global precedent for data privacy and security regulation. Brazil and China have both shown interest in forming similar requirements to protect their citizens’ personal information from businesses storing and transferring data across borders.

To prepare adequately for the GDPR and the similar regulations likely to follow, businesses must educate themselves on these regulations and form a strategy for meeting the requirements. Appropriate processes and procedures help minimize exposure to fines, but they also provide an opportunity to reassure customers and, in return, earn their trust.

[1] IAPP, “Survey: 61 percent of companies have not started GDPR implementation,” iapp.org.



Greg Sparrow

Greg Sparrow is Senior Vice President and General Manager at CompliancePoint. Greg has over 17 years of experience in privacy, information security and risk management and has worked on both U.S.-based and international projects. He was responsible for the development and implementation of security programs that protect billions of dollars in annual transaction volume. Greg’s most recent work includes security and certification work for Samsung Pay, enterprise risk management for multiple NFL and MLB sports teams and helping to secure critical infrastructure at some of the nation’s largest transit hubs. Greg holds multiple IT and security certifications covering the healthcare industry, the payment card industry and federal banking standards.

© 2022 Corporate Compliance Insights