GDPR: Retailers Prepare For Compliance

New data rules seen as both a threat and an opportunity

On May 25, the European Union’s General Data Protection Regulation (GDPR) will start being enforced, meaning that all individuals, companies, and organizations will have to comply with new rules on how they manage data they hold on EU citizens. Infringements will be punishable by fines of up to 20 million euros, or 4 percent of global revenues, whichever is larger.

All companies that seek to do business with EU citizens are affected by the GDPR, and most have already taken steps to demonstrate compliance. Consumers, too, get new rights under the GDPR: They will be able to know all the data that companies hold on them, delete any of this data on request, and even port the data to another company. It is not yet clear whether consumers will take advantage of these new rights. Regardless, companies are having to build the capabilities to grant any requests.

In a recent survey, we asked a series of questions about the GDPR to over 200 senior retail executives in France, Germany, and the United Kingdom. Our respondents discussed the level of their preparations to conform to the new regulation, and how they think it will affect their businesses.


Data is a significant part of modern business. Overall, 78 percent of our respondents report that owning, managing, and working with customer data is important for their businesses. More than a quarter say it is “fundamental”. (See Exhibit 1.)

Because data are critical to inform and support internal decision making, our respondents are taking the GDPR very seriously. They think it is essential to keep the confidence of consumers and to avoid any regulatory or financial risk.

So businesses – including smaller ones – are devoting significant employee time and effort to ensure compliance, deploying an average of 10 employees each. Of these, 5.5 are new hires, adding a significant cost. Interestingly, the number of employees devoted to the GDPR is similar in both small and large organizations, showing that the level of capability required does not scale with size but is a similar absolute burden for all businesses. Smaller businesses have made fewer hires – an average of 4.6, compared to 7.6 for larger ones – no doubt because they have less capacity to absorb the additional cost.

Differences between the countries in our survey are starker. UK companies, while they devote similar levels of resources to the GDPR to those in the other countries, have hired more new employees: 6.8, compared to 4 in France, and 5.3 in Germany. This suggests that UK companies feel they require a relatively large number of changes to their current data practices. Looking deeper, over 20 percent of UK companies are deploying more than 15 employees, compared to 15 percent for French companies. (See Exhibit 2.)

So it is clear that, no matter where companies are located, they are bearing significant costs to ensure compliance. While our survey does not cover the US or any other countries besides the three in the survey, we are confident that companies elsewhere will also have been building data protection teams at significant cost.

Beyond legal compliance, our respondents are also preparing for the business implications of the GDPR: 25 percent see it as an overall threat; 18 percent see it as an opportunity; and the majority – 57 percent – see it as both. However, these results are not consistent across geographies. French respondents are significantly more negative about the overall effects than those in Germany and the UK. (See Exhibit 3.)

The biggest worry for the respondents is the right of consumers to easily move their data from one business to another: 64 percent see this as a threat to their business. But some businesses see this new right as an opportunity. The most agile, responsive businesses will be able to personalize their offers, by requesting data gathered by competitors on an individual’s history as a customer. However, only 53 percent of our respondents have a strategy in place to take advantage of the new regulation. There are significant differences between the geographies, with German retailers significantly more prepared for the opportunities – 69 percent have a strategy – than those in the UK (51 percent) or France (40 percent).

German retailers are also most likely to have a defensive strategy in place to better manage data and provide greater data security for their customers: 95 percent have one. French retailers fall well behind in this at 77 percent, while UK retailers are at 91 percent.


The extent to which potential threats and opportunities from the GDPR are realized will depend on how far consumers take advantage of their new rights – and it is not certain that they will be that interested.

Many companies over the last decade have had data breaches, in which customers’ personal and financial information has been hacked. Many of these incidents provoked significant short-term impacts, such as major drops in share price and departures of senior managers. However, in the vast majority of cases, share prices rebounded, and consumers stayed loyal to the business.

Overall, consumers have shown themselves to be remarkably insensitive to the risks caused by easy access to their data. The data story of the last decade has been of an ever-increasing number of consumers sharing their personal data with social networks, as well as with more-mundane businesses. The long-term impact of data leaks and hacks has been much smaller than at first expected: It appears that consumers do not feel as strongly about their data as do privacy advocates – and the GDPR.

Many of our respondents believe they will have to manage a large number of data requests from their customer bases: Around 30 percent believe that over 5 percent will make use of their new rights. But this level of activity will require a fundamental shift in consumer behavior, which has not been seen to date. If consumers continue to be relaxed about their data, then many of the threats and opportunities of the GDPR will not materialize. Instead, these businesses will have spent significant time and effort in building up new capabilities that will yield only minimal benefits.