
Risk in Context

General Data Protection Regulation – What Does It Mean for the Retail, Food, and Leisure Industry?

Posted by David Tate 04 August 2017

High-profile cyber incidents around the world are a stark reminder of how dependent we all are on technology, the importance of managing personal data, and the need for comprehensive cyber security. With the new General Data Protection Regulation (GDPR) due to become directly applicable in EU member states on 25 May 2018, companies must now be meticulous when it comes to data management.

New technology continues to drive risk across the sector as the use of personal data has become a valuable asset. Retailers collect a myriad of data, from customers' contact and payment detail to information collated via loyalty cards, competitions, and online accounts. In recent months, the hotel and food sector has also been targeted, with several high-profile data breaches reported.

As a sector which collects significant amounts of data about customers, including names, addresses, dates of birth, and credit card details, a data breach is likely to occur at some point. It is not only customer data that is at risk: organisations across the industry will also hold significant historical and current employee data.

THE CHALLENGE

Understanding your customers and knowing their preferences is crucial in order to provide the personalised experience that consumers now expect.

The challenge will be for organisations to ensure that large amounts of personal data can be stored and analysed easily and quickly, without compromising the security of customers or customers' control over how their personal data is used during the process.

The GDPR requires a wholesale review of data handling and processing procedures, which presents a new opportunity for reviewing and mapping data flows, restructuring these not only for compliance, but for business efficiency. Stringent breach reporting obligations will also mean that organisations must have an effective monitoring framework for assessing and improving processes.

Businesses will also need to be more transparent about what personal data they hold, why it has been captured, and what they intend to do with it. This industry is already burdened with regulation, and as a result, it is believed that many businesses within this sector may still be unprepared for the GDPR.

THE INDUSTRY OPPORTUNITY

Headlines have, so far, focused on the increase in penalties, but the new regulation could pose an opportunity for organisations to:

  • Improve information management and cyber security systems and strengthen risk culture.
  • Use risk identification and modelling of data and technology-related risks to create a unique profile for the organisation.
  • Re-examine insurance arrangements to ensure that relevant indemnity limits would cover the costs associated with data breaches and other infringements of the GDPR (to the extent insurable).

It is hoped that the GDPR will help repair the recent breakdown in trust between consumers and organisations while allowing businesses to take advantage of the data-driven economy. Proactive organisations can take advantage of these opportunities to enhance their data capabilities and grow their business.

David Tate