Few influences in human history have had an impact as significant as the advancement of technology. That impact has only increased of late as we continue to ride a crest of digital acceleration that spans the world, touching every community and changing the way we live our daily lives. The most notable adaptations can be seen in the ways in which we communicate and the modes we leverage to gather and share information. Supported by digital technologies and systems, the transformation that we continue to undergo is nothing short of revolutionary. For retailers and other businesses, the impacts have been felt throughout the entire organization, from supply chain and merchandising to human resources and customer service. However, the area of the business that is perhaps exposed to more implications than any other, says Ritchie Po, Privacy Practice Lead at Kobalt.io, is the processes by which data and information are collected and governed.
“The retail industry, and the world in general, has been shifting toward more of a reliance on digital technologies to help us do just about everything,” he asserts. “And this includes shopping. This shift has obviously accelerated as a result of the pandemic and the associated lockdowns that have occurred and social restrictions that have been put in place. The less that retailers and consumers have interacted face-to-face, the more orders have gone online, increasing the volume exponentially. And, although much of the industry has responded positively to these shifts, moving more of their business toward online channels, there were a number of retailers that were not fully prepared to go online, in particular small and medium-sized businesses. The big problem is that when implementing digital systems and components to help support the surge in online business, many weren’t diligent enough to review and understand all of the privacy aspects of the implementation. This results in an unawareness of how much information the organization is collecting from the customer and the safeguards that are necessary in order to ensure compliance to all of the legal requirements.”
Multiple jurisdictional regulations
It’s an issue that, if not properly addressed now, carries serious consequences for retailers and other businesses that are collecting data through their ecommerce systems and other digital tools. Po says it deserves as much attention from merchants as possible in order to navigate through what he refers to as a “new digitized world” and position themselves well to enjoy success going forward. However, there are many layers of complexity involved in the collection of data and the legal framework around governing the information. And, according to Po, those layers of complexity pose even greater risks to retailers that sell to consumers in multiple jurisdictions and regions around the world.
“The challenges and risks related to the collection of data when selling internationally are highlighted by the differing data subject rights and privacy rights between jurisdictions,” he says. “There’s sometimes a presumption among Canadians that because a store is operating within Canada that they only need to comply with Canadian privacy laws. However, it couldn’t be further from the truth. Despite the jurisdiction or country that a retailer or business is operating in, they must ensure that they comply with the data privacy laws of the countries and regions that their consumers live in. For instance, Europe has its own standards and legal requirements that need to be abided by when selling to consumers in those countries. And, California recently introduced another layer of privacy rights to its existing laws and regulations. These laws in different countries and jurisdictions might overlap in many cases. However, the challenge is in complying with all of the differences in regulations throughout the world.”
Evolution of legislation
Canadian laws and regulations around data privacy and rights are developed and enforced by the Office of the Privacy Commissioner of Canada, which offers its Personal Information Protection and Electronic Documents Act (PIPEDA) as a national standard for privacy practices in the private sector. However, as Po points out, the European Union introduced its General Data Protection Regulation (GDPR) in 2018 – a set of digital laws that govern the data and privacy of citizens living in each of its countries. It replaced the previous Data Protection Directive, which was introduced in 1995 during the infancy of the Internet. In addition, California recently instituted laws under the state’s California Consumer Privacy Act (CCPA). These are but a couple of examples of the multitude of jurisdictional standards and regulations that are being developed by governments all around the world. And, as Po points out, laws and regulations within this new digital world are quickly evolving, forcing businesses to actively and consistently review and update the safeguards that they have in place to protect the data of their customers.
“Lawmakers and those involved in the development of regulations in Canada are always trying to modernize Canadian privacy legislation,” he asserts. “And retailers and other businesses are also constantly attempting to keep up with the pace of digitization, one that’s recently been accelerated, and the evolution of the related laws around data. Quebec’s Bill 64, which came into effect in the province a little more than a year ago, is a great example of this modernization of laws. It represents the biggest step so far in complying with laws and regulations under the GDPR, which is the gold standard internationally, and will likely serve as a benchmark for any future developments concerning Canadian data privacy laws.”
What retailers can do
Bill 64 requires all businesses dealing with customers who live in Quebec to come into compliance with its laws and regulations by September 2024. Po believes that it has the potential to propel Canadian legislation forward, recognizing a number of areas within the country’s data laws that still require strengthening. In fact, he refers to a memo recently written by Canada’s Privacy Commissioner, Daniel Therrien, which highlighted some of these lingering concerns. They include the inclusion of the right to erasure, which ensures the removal of unnecessary information from a company’s records; stricter fines and penalties that result from a business’s inability to comply with laws and legislation; and greater detail around data sovereignty and its requirements. This evolution and modernization of the laws is challenging retailers from a compliance perspective. However, Po suggests that there are some things merchants can do to ensure they are in line with the laws.
“There are some fundamental things that retailers can do in order to give themselves the best opportunity to keep up with the accelerated digitization of the industry as it relates to the collection and governance of data,” he says. “Conducting a privacy gap assessment is a really great exercise to undergo. Even if a retailer is only collecting a small amount of personal information, they often won’t know where the data resides. This is especially true of small and medium-sized businesses who are usually operating without processes by which permissions for the collection of data are locked down. So, it’s not just about the information that’s collected online, but the information that’s collected in the store as well at the point-of-sale. As part of this process, there has to be some top-down direction so that frontline staff understand their role and responsibilities in the appropriate collection of data and in obtaining the consumer’s consent. A gap assessment will allow a retailer to understand, from end-to-end, how the data is collected and how it’s used within the organization. This is a bare minimum as a place for retailers to start.”
Collaboration and comprehension
In addition, Po suggests that any retailer looking to really get a handle on data privacy legislation and the layers of protection in place within their organization should appoint a Data Privacy Officer, on a consultancy basis at the least. Doing so provides an invaluable resource that the company can leverage to conduct a privacy impact assessment in order to better understand whether they’re collecting the most meaningful data or over-collecting information via their technology systems. A Data Privacy Officer can also provide guidance on the processes that are necessary in order to create efficiencies and comply with laws and regulations. He adds that seeking advice from legal counsel will also be incredibly useful in helping the business recognize where the risks are and ways to mitigate or deal with them. In fact, Po says that, in many ways, a great deal of collaboration is required within an organization to access the knowledge and understanding that’s needed for retailers to address the increasingly complex challenges around data privacy and maintain the necessary compliance.
“Data privacy can become a very complicated issue to address for any retailer. There are so many moving parts and differing regulations across provinces and countries. Tackling these challenges requires a lot of cooperation within the organization and with outside sources in order to accurately understand how to keep track of the data that’s being collected and ways to properly delineate it and strengthen their comprehension of the rights that consumers have in Ontario as opposed to Quebec or France or America or Singapore. Maintaining compliance with all of these different sets of laws and regulations at once, while ensuring that workflow and processes reflect that comprehension, can be a massive challenge for most small and medium-sized retailers to overcome. And, the further we move into this new digitized world, the greater the necessity will become for retailers and other businesses to make data privacy and compliance a top priority.”