For many years, harvesting customer data was like prospecting for gold, with retailers collecting as much information as possible to tailor their customer experiences, foster loyalty and improve decision-making processes. Over time, companies have deployed creative and innovative means – including interactive surveys, feedback forms, engaging experiences and reward programs – to entice customers to hand over their information. However, with the rise of cybersecurity threats – and with safe
h safeguard mechanisms not being up to scratch – retailers have been forced to become more thoughtful about the information they are choosing to stockpile, and why they are opting to do so.
In recent years, there have been a number of data breaches in the retail industry, with brands including Bunnings, Woolworths and Vinomofo just some of those being exposed. In certain instances, information relating to customer names, email addresses, phone numbers and delivery address details have been revealed to external parties.
In turn, customers are reevaluating which brands they trust, and whether they feel comfortable handing over personal information.
So, how can retailers continue to collect data in an ethical and transparent way, without increasing the significant financial and non-financial risks involved in a potential data breach?
Winning the CX battle
Andrew Black, managing director for Connect ID, a digital identity verification platform that enables businesses to verify customer identity without seeing or storing personal data, believes that there has been a tendency for businesses to over-collect customer information in recent years.
This has become more apparent as Australia has become something of a global, data-breach epicentre over the last few years, with cybersecurity attacks “moving the needle” around internal governance capabilities, and the information that actually needs to be collected.
As a result, Black believes that brands are now reconsidering whether they need access to documentation including – but not limited to – driver licences and healthcare cards.
He believes that brands are seeking to minimise the information they are choosing to store, citing the fact that some companies are moving away from asking for date-of-birth details, and are instead wanting to verify whether the customer at hand is over 18.
“The appetite for risk has changed,” Black told Inside Retail.
“For small and medium-sized retailers, cyber insurance and liability has skyrocketed, and at times they don’t have security resilience like the top end of town.”
Black believes there are two main drivers of the race in retail to collect as much customer data as possible: the need to personalise customer service offerings and decision-making processes, and a “just in case” mentality combined with fear of falling behind competitors.
But with strong financial penalties for breaching legislation around consumer privacy – such as the Privacy Act in Australia and the General Data Protection Regulation (GDPR) in Europe – as well as the reputational cost around a data breach, he believes that the approach to data collection is starting to shift.
“The average cost for an Aussie business for a data breach was close to $5 million, which has led to retailers rethinking whether they need to hold onto that extra document,” he said.
“You can still win the CX battle without having to store [all the data] that sit underneath it.”
Growing appetite for applied analytics
Regarding how retailers can more effectively collect customer data without jeopardising customers, Nigel Poole, CEO of e-commerce and CX agency Matter Design, told Inside Retail that companies should make it a priority to have a clear and up-to-date privacy policy in place.
The policy should outline what information is being collected, how the information is being collected, how it will be used and how it will be protected. Poole also contended that retailers should be transparent in communicating their policy to customers, and receive prior consent from customers before requesting that they submit personal information.
He added that customers should know that they have the right to: request access, correct, amend, delete, restrict, port to another service, or object to how their data might be used.
Establishing an infrastructure that can accommodate increasing volumes of customer data safely, and ensuring this information is only available to those that need it, is also important for retailers.
“A smaller system footprint reduces the chance of breaches,” he said.
Unlike Black, Poole does not believe that retailers are avoiding capturing customer data in response to recent data breaches. Rather, he believes the appetite for applied analytics is growing.
“The shift we have noticed is that companies are investing to ensure that they are compliant with privacy regulations [and] follow international regulations like GDPR and the California Consumer Privacy Act in the United States,” Poole said.
Retailers and fraudsters are getting better
Regarding how retailers can better protect customer data, Black suggested that brands use trusted providers, and have a strong understanding of what they are collecting, and why they are doing so.
He also suggested that brands collect the minimum amount of information necessary to meet their objectives, without potentially compromising customer privacy.
“I think retailers are continuously getting better at protecting customer data. Unfortunately, fraudsters and cybersecurity perpetrators are getting better as well. It’s a constant arms race,” he said.
“But organisations are taking greater steps to try to protect their customers and their business.”
Poole noted that retailers should constantly review how they can provide commensurate value for the customer data they are requesting and receiving.
He added that brands should consider implementing an analytics package that doesn’t use cookies, and create a “simple yet comprehensive privacy policy”.