Apple CEO Tim Cook has called for a U.S. privacy law similar to the European Union’s General Data Protection Regulations. Here is a summary of the main privacy challenges retailers face and how they can begin to address them.

John Tsopanis, data and privacy director, Exonar

At the recent International Conference of Data Protection and Privacy Commissioners in Brussels, Tim Cook called for U.S. laws equivalent to the GDPR:

“The world’s data and privacy crisis is real… Every day billions of dollars change hands and countless decisions are made on the basis of our likes and dislikes, our friends and families, our relationships and conversations, our wishes and fears, our hopes and dreams. These scraps of data, each one harmless enough on its own, are carefully assembled, synthesized, traded and sold. Taken to its extreme, this process creates an enduring digital profile and lets companies know you better than you know yourself.”

With a potential seismic shift in the American data privacy landscape now openly on the table, what might this mean for retailers and what challenges are they likely to face, as learned from the GDPR?

The General Data Protection Regulations (GDPR) sparked a deep data discovery exercise across industries, and the retail sector—in terms of both the scale of its consumer base and the depth of behavioral insight required for marketing departments to work effectively—provided some of the toughest challenges for data privacy compliance.

At the heart of data privacy is an understanding that different types of information have different levels of sensitivity, and that the privacy impact on citizens is in most cases directly proportionate to that sensitivity. This poses a problem for the retail industry.

Psychological profiling

Retail is built on consumer insights, building increasingly accurate household profiles, and understanding each block of consumers’ propensity to spend. Marketers can build an infinite number of profiles depending on the types of data they decide to analyze, broken down by an almost unlimited number of filters. Everything from merchant category codes (MCCs), to ZIP+4, to correlated discretionary spending across multiple industries (e.g. customers who live in South Carolina, shop at Ann Summers, drink Starbucks and took at least two international flights this year).

In essence, retailers are the masters of building the who, what, where, when and why of consumer behavior.

From a data privacy perspective, this practice is psychological profiling, and the anonymity of individual consumers as part of this practice is of the utmost importance if retailers are going to maintain the trust of their customers and the sanctity of their data practice by ensuring that when a breach occurs, the profiles of individual users are not revealed. It is this type of breach that can destroy consumer trust and the stock price of your organization.

3 big challenges

So, what can U.S. retailers learn from the GDPR?

Three major challenges for retailers facing GDPR and similar regulations are:

  • Accurate data discovery at scale: Identifying the full scope of personal information processed across your estate is your first priority.
  • Classifying personal information to prioritize efforts to protect the retailer from data risk: Better classification means better risk reduction.
  • Growing the personal information estate to drive better analytics and more efficient data practices, whilst maintaining full control of your personal information estate and keeping data risk to a minimum: Compliance activities must accommodate the growth of the organization and move dynamically with it. If your efforts provide only a static snapshot in time, then six months down the line you’ll have to perform the exercise again.

Struggles with the GDPR compliance effort in retail, from my experience, included:

  • The mass proliferation of personal data across multiple insecure repositories, accessed regularly by employees who need to process vast amounts of personal information to do their job: In some of the largest FTSE 100 companies, data discovery exercises took over two years!
  • Data classification and developing a consistent understanding and overview of the highest risk areas of data risk: It was very difficult to disseminate information unilaterally through an organization once decisions about data practices had been made. In essence, harmonizing practices and getting everyone singing from the same hymn sheet was a key obstacle.
  • Third-party data flows. So many third-party data flows: The administrative task of conducting third-party due diligence to ensure the security of data across the retail supply chain was almost impossible, as there was no technical capability to view those flows inbound and outbound from the organization.

What can retailers do to prepare themselves for increased data privacy scrutiny from their consumer base? My advice:

  • Data discovery, data discovery, data discovery. If you know where everything is, you can make good risk decisions and respond quickly to any event, giving you the ability to inform and reassure consumers about the status of their data, and remediate breaches.
  • Map your key data flows and understand where your highest areas of data privacy risk are. Data privacy is an ongoing activity and the early prioritization of your key data assets will help optimize your risk reduction efforts.
  • Be prepared to justify your data practices. If you’re in a position where you don’t feel you can justify them to your consumers, then in the event of a breach your stock will suffer, and consumers will lose faith in your brand.
  • Get ahead of the curve, get ahead of your competitors, and be prepared for a breach. A crisis doesn’t build character; it reveals it. Facebook losing $120bn in a day after further revelations of bad data practices is testament to this.

Exonar specializes in helping organizations understand what data they have, how to keep it secure and how to comply with privacy regulations like GDPR.