How Oasis Fashion is protecting its marketing data from GDPR

With enforcement of Europe’s highly anticipated General Data Protection Regulation just a few months away, Oasis Fashion is getting choosier about which companies it shares data with.

The fashion retailer doesn’t buy third-party data nor does it sell any of its customer data, but it does outsource some data-management tasks, and it is those companies that are  being vetted, Oasis’ head of digital, Helena Theakstone, said. Companies like SMS providers and email service providers are among those being scrutinized by Oasis, and it’s turning away any new mar-tech partners that pitch for its business if they aren’t yet compliant.

Oasis isn’t alone in having its work cut out for it in preparing for the GDPR. Fifty-nine percent of marketers haven’t received any GDPR-related training, according to a survey of 381 marketers by the Institute of Direct and Digital Marketing. A separate study from the U.K. trade body the Direct Marketing Association found over half (57 percent) of 197 marketers surveyed admitted their team is under-trained when it comes to the GDPR.

Oasis’ legal firm is vetting the retailer’s existing data partners and prospective suppliers to determine how they gather, use, disclose and manage the retailer’s data. Once the audits are returned, the retailer will determine if it continues with the suppliers. But given it has such a small roster of partners, Theakstone doesn’t predict any wholesale changes to its suppliers. Also, the retailer’s own data has given it a pretty good idea of whether a person’s privacy is infringed upon when it processes someone’s data.

Although a person’s individual rights have been strengthened when it comes to what an advertiser can and can’t do with someone’s data, the foundations of those rights were there all along under existing legislation, said Theakstone.

Oasis has already vetted two potential new partners in the last month. The retailer declined to work with one business when it discovered it hadn’t updated its privacy policy to account for the GDPR and was unwilling to create one with Oasis. It chose another partner that was willing to work with Oasis on such a policy.

Spanish banking group Banco Sabadell is also assessing its third-party vendors for GDPR compliance, including marketing services providers. Speaking at an event hosted by online security firm RSA on Feb. 4, the financial firm’s IT risk director Javier Sanchez Ureta said it now judges all vendors against 14 different areas of risk, such as their security track record, before agreeing a deal.

Beyond the audits, Oasis is also using its GDPR preparations as a chance to take more ownership of its data. It recently hired a website optimization manager, customer insights manager and customer services expert, roles that will help Oasis develop a more rounded view of its customers. The customer services expert, for example, will oversee the company that handles the retailer’s interactions with shoppers. The customer insights manager will help the brand build a CRM platform and do contextual targeting. Industry observers believe contextual targeting will be a better alternative to third-party cookie data, which will be harder to use post-GDPR.

Download an excerpt of our latest issue of Digiday magazine

To that end, Oasis is also looking at customer values, such as who they vote for, whether they have kids, and whether they a dog or cat person, Theakstone said. “We’re trying to pinpoint who our customers are so that we can target around those [contextual] themes rather than [cookie data].”

One role the business has no immediate plans to recruit for is a data protection officer. There is still some confusion in the market as to whether the role is compulsory or not. At one point, any company with more than 250 employees needed to hire a DPO, but current guidance says the role is only necessary if a company handles a lot of sensitive personal data.

Image courtesy of Oasis Fashion

Sharing is caring!

Leave a Reply

Your email address will not be published. Required fields are marked *