Retailers Should Be Aware Of The Data Processing Risks Of Personalised Marketing

52
Retailers Should Be Aware Of The Data Processing Risks Of Personalised Marketing
Wendy Tembedza and Bernadete Versfeld, Webber Wentzel.

According to Wendy Tembedza and Bernadete Versfeld, Partners at Webber Wentzel, personalised marketing is facilitated through the collection of data about a customer’s purchasing preferences, patterns and behaviours. AI, for example, can be used to analyse this information to gain insights into individual habits. This allows retailers to implement targeted marketing approaches for an identified customer to ensure maximum engagement and increase purchasing probability.

When using data analytics technology such as AI to create a profile of an individual, retailers need to understand that a comprehensive and actionable customer profile requires access to and use of a wide range of data. In many instances, data will need to be collected not only from the customer but also from third-party sources for the insights derived to be meaningful. Unsurprisingly, access to and the use of vast amounts of personal information has given rise to data protection and privacy concerns.

The correct management of data by businesses has become front and centre in the technological era, ushered in by the fourth industrial revolution. Any collection, analysis, storage and retention of data must comply with data protection laws. This means that any personalised marketing activities, which invariably require retailers to process their customers’ personal information, must be undertaken while keeping data processing risks in mind.

The Protection of Personal Information Act (POPIA) requires retailers to observe certain minimum conditions for the lawful processing of customer information. In the context of personalised marketing, risks arise at varying degrees in relation to these conditions.

Purpose Specification

POPIA requires that the personal information of a customer must be collected for a specific and explicitly defined purpose. The use of personalised marketing technologies creates the risk of scope creep in relation to information collected about a customer being used for varying and potentially unrelated marketing activities. It is therefore important to have processes in place to guard against inadvertently falling foul of this requirement.

Record Retention

POPIA regulates the retention of personal information records and provides that, unless certain exceptions apply, records of personal information should not be retained for longer than is necessary to achieve the purpose for which it was collected. In the context of personalised marketing, the most actionable insights about a customer typically emerge after several points of data about the customer are collected and analysed. Typically, this requires records to be retained for extended periods and retailers should ensure that doing so does not result in keeping records in contravention of POPIA’s requirements.

Security Safeguards

The benefits of personalised marketing are best harnessed where there is a wide array of data points about the customer. This requires collecting data points that go beyond mere contact information. The larger the data store, the more valuable this information becomes for criminals seeking to take advantage of it. Personalised marketing can therefore increase security concerns around data retention and management. POPIA specifically requires that appropriate reasonable technical and organisational measures be implemented to guard against unauthorised access to personal information. Retailers that implement technologies for personalised marketing must therefore ensure that their security controls are sufficient to meet the risk created by personalised marketing activities.

Data Subject Participation

Furthermore, POPIA requires responsible parties (such as retailers) to ensure that data subjects are provided with clear information about how their personal information is being processed. This includes details regarding what personal information about the data subject is held by the responsible party. In the world of self-learning AI technologies (ie technology that operates without constant human input of data), it may become difficult to accurately record the nature of personal information held about a data subject. It is in these instances that a thorough understanding of an AI tool’s functionality becomes important as failure to accurately account to a data subject might lead a retailer to fall short of its obligations under POPIA.

Notifications

POPIA requires that when customers’ personal information is collected, a minimum amount of information must be made available to them. Ideally, such a notification should occur before the information is collected and the customer should be the one to provide the information. In relation to personalised marketing, it may not always be practical to comply with these requirements and there are exceptions under POPIA that retailers can rely on.

The fact that instances where compliance with this requirement can be circumvented have been drafted as exceptions do however mean that a higher standard for assessing whether such an exception is appropriate in any instance will be applied. Reliance on any exceptions must therefore not be taken lightly and retailers should use best endeavours to comply comprehensively with the notification requirements where personal information is collected about a customer for personalised marketing activities using tools such as AI.

WEBBER WENTZEL
https://www.webberwentzel.com