GDPR and how to make sure your beauty business complies

Published: 25-May-2018

The General Data Protection Regulation (GDPR) was adopted in the EU on 25 May 2018. Here is what you need to know to safeguard your business and customers.

Carol Osborne

Customer engagement is hugely valuable in the beauty industry and it is at an all-time high, for obvious reasons.

The better you know your customer, the more effective your product development and the greater the volume of repeat sales.

However, customer engagement generates transfers of personal data - big data - and retailers therefore need to keep data management at the forefront of their business plans.

Carol Osborne is co-Head of M&A and Corporate Finance EMEA, Bryan Cave Leighton Paisner.

Here, she draws on her expertise working with manufacturers, retailers and private equity investors in the consumer products arena to provide advice on data management in beauty and the introduction of GDPR...


Data collection in the beauty industry

Data is captured by the beauty industry in many ways. There is a wide variety of data generated by internal business operations including HR and employment functions, "bring your own device" policies, fingerprint access tools, and as provided by suppliers and vendors.

Data can also be collected from any online presence (such as a company-owned website, a mobile application, and social media channels), through in-person interactions with customers (including in-store data collection cards, geo-location or beacon technology and sales transactions), and through customer loyalty or membership programmes, promotions and sweepstakes.

Further, as the beauty industry explores new technology to make the buying process more engaging for consumers, including through virtual make-up applications, facial recognition technology or colour matching tools, those technology solutions capture additional personal information about the consumers including skin colour, skin problems (which might have medical ramifications), and racial identity.

What does the law say?

The implementation of the General Data Protection Regulation (GDPR) in the EU on 25 May 2018 draws the focus on these issues from the server room to the C-suite, because it imposes stricter obligations on organisations with respect to how they handle and protect personal data and has the potential to generate eye-watering penalties for entities failing to comply (up to the greater of €20m or 4% of total worldwide annual turnover).

But it is not just the GDPR – which is directly applicable in all EU Member States - that demands your attention.

The GDPR will operate in tandem with the existing (or incoming) data protection laws of each EU Member State - and those laws are also becoming more restrictive.

Action to take now

Retailers need to identify how customer data is generated or collected in their organisation, the types of data collected and why, how it is used and protected, where it is stored and shared, and what procedures and processes they have in place in respect of the various rights a customer has in relation to their data.

Any information relating to an identified or identifiable natural person will be protected 'personal data'. Special attention needs to be paid to particularly sensitive information that constitutes 'special data' under the GDPR.

What surprises many beauty businesses is that they often collect information about their customers that constitutes 'special' data because it reveals their racial or ethnic origin, data concerning their health, or data concerning sexual orientation.

Special data or sensitive information has unique requirements relating to collection, processing and retention that must be rigorously followed.

Data mapping, or creating a data register, is a great place for every business to start because it will help a business understand the key attributes of the personal data they have collected.

Taking that information from the data register and implementing a robust data protection and data security program will be key. This will require the involvement of multiple departments across the business – from accounting, to marketing, to product development.

Compliance with changing data laws can bring challenges to even well-prepared organisations, but effective and customer friendly data protection and data security procedures make good business sense for three reasons:

  • Clear engagement with customers on why their data is being collected and transparency about how that data will be used bring brand-enhancing credibility to the relationship;
  • Rigorous security procedures to minimise the risk of data breaches (and the attendant negative publicity) create a stable platform for utilising collected data; and
  • Clear internal data collection and protection procedures mean those significant financial penalties for non-compliance are avoided.
