Digital Retail Challenges within the EU: Fulfillment of Holistic Customer Journey Post GDPR

Retail customers are demanding better shopping experience whether shopping online or in-store. To provide this experience, retailers use digital technologies such as Artificial Intelligence, Big Data, to name a few. They also collect personal data from customers, process it and integrate it in their business models. Use of the digital technologies and customers' data poses legal challenges with the introduction of GDPR in EU. This paper analyses the challenges faced by digital retailers as they strive to provide fulfilling customer experiences. The authors address in this study, the influence of GDPR on business and technological aspects of digital retail.


INTRODUCTION
Evolution of retail by using technology is not a new phenomenon.It dates back to the mid-18th century [16,42].18th century industrial revolution kickstarted the beginning of a long wave of change innovation in the retail sector [42].Starting from around 1950s, the retail in Western Europe experienced a similar revolution to the industrial sector one hundred years earlier which has seen digitally enhanced technologies at different stages of the customer journey such as individualization where by custom cookies can enable customized search options for shoppers online, digitalization which involves collecting, analyzing and formulating strategic business models such as convenient payment and delivery options [26].Retail is facing a similar revolution now.
The term Digital Retail is a combination of 2 concepts: (1) Retail which comes from an old French word tailler which means -cut-off or dividing‖ in terms of tailoring and was first recorded as a noun with the meaning of a "sale in small quantities" in 1433.As in the French, the word, retail, has the same meaning in both Dutch and German [18] and (2) Digital Technology which was inspired by the ideas of a German mathematician of the 17 th century, Gottfried Wilhelm Leibniz, who proposed a binary computing system [6].Consumers are becoming more sophisticated and want to be involved in each stage of the purchasing journey.On the other hand, retailers are trying to collect information about customers at each stage of their journey.At this moment, the retail sector is flooded with a huge amount of personal data processing technologies such as Internet of things(IoTs) devices and biometric technologies.
Customers now interact with firms through a myriad of touch points in multiple channels and media, and customer experiences are more social in nature [31].Retailers are consistently working towards enhancing customer journey both in the store and online on websites and mobile apps.Using different technology to collect customers' data and to personalize the shopping experience is a major feature in digital retail [39,45].It can create an attractive environment, making the shopping experience engaging and memorable [25].
It has become imperative for retailers to use new digital technologies to enhance customer journey and meet customer expectations [19].Due to the growth of new technologies and the potential for customer saturation, retailers must focus on technologies which are relevant for consumers and that really provides value to unify customer information, product availability, product information, and pricing at all touch-points across all channels [5].Because of the enormous scale of the ever developing technologies, utilizing these technologies for enhancing customer experience is one of the most challenging research issues in context of omnichannel retail [45].
-Understanding customer experience and the customer journey over time is critical for firms.This phenomenon of technology boom has also coincided with the introduction of General Data Protection Regulation (GDPR) in EU.The Official English version of the GDPR defines data processing as a means of any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction [38].This makes it even harder for the retailers to implement the right technologies and adopt their business models.On one hand, the demands from customers for a holistic journey is increasing but on the other hand compliance to legal obligation is mandatory for the retailers.
There has been lately a lot of research in the retail domain discussing opportunities presented by technologies but there have been very few attempts to discuss challenges companies are facing in implementing these technologies especially in the context of GDPR [3,22].Despite many multinational retailers, the retail sector has never become as globalized as other industries, which can be attributed to a number of aspect including cultural habits and laws which are different in every region [27].Digital Retail is steadily expanding within the EU but still it's not as mature as it is within the US [46].It can be attributed to the challenges faced within their industry amidst dynamic legal, technological and business trends within the region.This paper will identify the challenges for retailers in providing a holistic digital customer journey in the EU.

BACKGROUND 2.1. GDPR
The framework was approved on 14th April 2016 and has been effective since 25th May 2018.Unlike the Data Protection Directive 95/46/EC, where EU member countries decided upon the nature of its implementation, the GDPR is a regulation passed by the EU parliament and therefore binding to all member countries and supersedes national laws.The regulation protects EU residents against privacy violations of their personal data without geographical boundaries as long as enterprises process their data within the EU/EEA countries.There are severe penalties for non-compliance where by 4% of worldwide revenue or €20 million, whichever is higher is imposed once there is violation of the regulation.The GDPR is a new, complex and comprehensive regulation that must be carefully observed by everyone within an enterprise; in this case, all functions within retail business along the customer journey, there is tension and uncertainty among businesses.
The GDPR gives individuals control over their personal data and protects their privacy.This leaves a lot of unanswered questions; the reality is that enterprises, the digital economy and corporates continue to share data amongst themselves for security and commercial purposes.A number of lawsuits have been filed since the GDPR came into effect but they have not been concluded for lack of sufficient critical mass of case law.[23] The regulation is becoming a standard bearer even in less than one year of its existence.Many other countries such as Russia, Brazil, India, Japan, etc. are following suit to come up with a standard regulation to protect personal data.Enterprises through their Data Controllers will have to continuously be informed and inform their Data Processors about the 6 GDPR compliance principles as mentioned below: Continuous implementation of the dynamic interpretations of the GDPR compliance will continue to be a challenge in Digital Retail enterprises because there is a high dependency on data in order to carry out various business processes such as marketing (profiling customers, formulating personalized promotions, etc.), evaluating customers for credit worthiness or financing eligibility, collecting and analyzing data after sales, and so on.At the moment there is a limitation on how much personal data companies can collect, how long they can store it and for what purpose will they collect it in order to offer personalized experiences to customers, lest the expose themselves to potential legal risks of violating the GDPR which can be very costly.[14,49].

Technologies for Enhancing Customer Journey
A customer journey is defined as a series of a customer's interactions with a service provider to achieve a specific goal.It may involve utilization of touchpoints.A customer journey can be short lasting for several minutes to hours or long taking several days to weeks [17].There are several touch points along the customer journey depending on how complex the product is, whether the customer is utilizing all the options availed along the customer journey as expected (Planned customer journey) or unplanned customer journeys which are usually result of defective products or processes while trying to fulfil the customer order and mostly involve reverse shipping, exchange or refund.In recent literature, the customer journey is categorized into three major stages: Pre-purchase, Actual-purchase and Post-purchase [24].
During the prepurchase stage, the customer might discover the product (good or service) then researches about the product (specifications, terms of purchase, etc) and makes comparison.All these might be online or offline (word of mouth, store, etc) or even concurrently.The purchase stage is when the consumer actually buys the product, pays for it or applies for financing.
Post-purchase stage involves customer feedback and after sales services.
There have been various studies recently which have looked at how digital technologies can improve the shopping experience [2,29,49].The main focus of these studies have been to examine the capabilities which are offered by technologies but the studies focusing on how the use of technologies can be affected by GDPR are rare [1].
Manifold options exist to enhance customers pre purchase experience by providing enriched information based on location of the customer [43].There is a lot of literature on using mobile technologies during prepurchase stage.Mobile technology use starts from home and continues while in-store to compare products for potential purchase via any number of channels [30].
Using mobile ID tracking, retailers can use the consumers' smartphone's Wi-Fi to track their journey in the store and can know the repeat visitor and analyze the departments and parts of the store visited.They might either retrieve data by scanning product barcodes or QR-codes with the mobile phone camera by using special m-shopping application [14].
Another technology which is used to enhance pre-purchase experience is beacon technology.Beacon technology is a locationbased marketing technology allows retailers to send messages or notifications to consumers in the beacon's zone in to promote specific products or give recommendations [12,31].Robots enhanced with the abilities such as sentiment analysis can directly interact with the customers and adapt to the customer's reactions thus provide a tailored experience to each customer [2,21].
Similarly, Interconnected robots with different set of abilities installed can work together [3].Robots strategically assigned outside the store may start interacting with pedestrians before they visit the store and can inform in-store robots about potential customers entering [23].
Kamei et al. [23] proposed a location sensing system which can precisely know the positions of customers by using multiple laser range finders installed in the store.The positioning system assigns a temporary ID to a customer, which can be used customer identification till exiting the store and providing personalized information and offers using NFC (near field communication) [28].WLAN (Wireless Local Area Network) is an alternative that can be used to capture the movement of customers in the stores to indicate customers' interests in a particular area of store and that can be used for providing personalized customer service and promotions using NFC [28].Similarly, Bluetooth-based beacons, RFID-tags (radiofrequency identification) can be attached to products, loyalty cards and shopping carts to track customers and their shopping baskets, purchases, and interaction with digital product information and the products itself [4].
Several techniques for vision based systems have been developed including blob tracking, active contour tracking and 3D model based tracking [35].These systems using aforementioned tracking techniques can be used to identify, how long customers look at a product, if the product is picked up and bought or if it is placed back again [34].This information can then be further used for personalization and real time promotions.Retailers can provide customized marketing programs for the customers at an individual level and hence increases product and brand awareness after the purchase by communicating to them through the devices they have bought i.e.Internet of Things (IOTs).
But most of the services these technologies provide in all need to re-configured for retailers to comply with GDPR and in our study we will discuss, how are different aspect of digital retail being affected by GDPR implementation.The study mainly focuses on EU as there is dearth of research on the challenges and opportunities digital retailers have in EU after implementation of GDPR.

METHODOLOGY
We conducted a literature review following the review approach as proposed by Webster & Watson 2002 [51], ensuring high quality and rigor in the reviewing process, answers to the following research questions are pursued (1) -What's the definition of Digital Retail?‖ and (2) -How can Digital Retailers overcome business and technological challenges within the General Data Privacy Regulation (GDPR) framework to offer their customers rewarding customer journeys?‖

Review Approach, Scope and Selection Criteria
Using the database of ScienceDirect, this review was conducted in four steps: (1) We stated the keywords as -Challenges and opportunities in Digital Retail within the EU‖ and this generated 1,116 results.(2) In order to capture the effects of the Great Recession on EU retail trade [41] and a general overview of the impact of the GDPR [11]  We also used the official European Commission English language script of the General Data Protection Regulation (GDPR), a review article on how to audit GDPR from Information Systems Audit and Control Association (ISACA) and text records from a GDPR seminar conducted by the EUGDPR Institute.

Result
We

Data Breaches
While retailers innovate exciting customer journey experiences, they collect, store, analyze and transfer a lot of personal data from customers.In doing so, they face the challenge of protecting this data from breaches.Stealing Personally Identifiable Information (PII) contributes to more than 50% of all data breaches and has a significant effect on revenue and stock markets within the retail sector unlike other sectors.A lot of breaches are usually discovered way later after the attack has happened [48].Article 31 of the GDPR requires Data Controllers to report data breaches to the supervisory authority within 72 hours of becoming aware of the breach.In addition to that Article 32 requires that the data subject is informed of the data breach for as long as sensitive information that can potentially deny the data subject their rights of privacy except if the data controller can prove that they have (1) implemented appropriate technical and organisational protection measures in respect of the personal data affected by the breach (such as encryption).( 2) taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to arise or It would involve disproportionate effort [11].Apart from potential loss of revenues arising from settling court cases, reduction of sales revenue and shrinking of stock price, retailers can suffer damage of reputation in case there is data breach involved.

Return on Investment
The major bottlenecks inhibiting companies to adopt or change technologies are largely related to high investments and uncertain business returns.Retailers have invested a lot in their IT infrastructure in order to obtain a single view of the customer across channels and in fact realized a positive change on their ROI.This is especially true in commercial banks [33].However, with implementation of GDPR, many retailers are still hesitant to invest in such ideas for fear of the unknown.As a result, retail customers are not able to get the desired shopping experience which technologies can offer.
Moreover, adopting to GDPR for their current technology arrangements is also proving to be expensive for retailers.5 out of the 10 biggest data centers in the world are located in China and India which are low cost countries compared to the remaining 5 of 10 where USA has 4 of them and Norway with 1 [37].As such, many global enterprises outsource their data processing activities in low cost countries.The GDPR territorial scope covers even non-EU/ EEA countries as long as the data subjects are EU residents.This means EU Data Controllers will have to make sure that Data Processors comply with GDPR [47].Whenever the purpose of data collection from the data subject changes or data has to be kept for a longer period other than that which was specified to the data subject at the time of collecting the data, new notice to inform the data subject as well as consent have to be collected, otherwise a Data Impact Assessment which takes quite a long time should be conducted [11].This can cost enterprises a lot of resources and opportunities for increasing revenue especially for processes which require real time data such as discriminative pricing.
Vendor contracts need to be prioritised regarding the level of personal data that they encompass in the service provided.The GDPR provides prescriptive wording for updating contracts.It may well be the case that there are a lot of vendor contracts to assess and you will need to prioritise according to the amount and type of data processed under the contract [9].
Another challenge related to Investments in technology is the in Customer Relationship Management (CRM) systems and other marketing enhancing technologies.Now with the GDPR, the use of tracking cookies to track customer behavior does not conform to the GDPR principle of Data Minimization.Session cookies which are necessary for identifying users in order to provide the services are recommended.This is likely to limit marketing services.Between April and July, 2018, a survey was carried out to understand how news organizations may be adapting to the new privacy framework where prominent news websites in seven countries (Finland, France, Germany, Italy, Poland, Spain, and the UK) were analyzed using a purpose-built software tool, webXray, which traces the network of outside parties that load contentand potentially track users.There was a significant decline in cookies and third party content of news websites which was generated mostly from Amazon, Google and Facebook.This was directly connected to GDPR compliance by newspaper companies.Definitely such developments are likely to reduce digital retailers' revenue due to limited advertising and customer behaviour tracking mechanisms [32].

Understanding the Customer
For better understanding of customers, retailers need to gather data throughout customers' journey [8].While between 2014-2017, online sales within the EU has consistently risen, it only contributed to just about 18% of the total revenue among retailers.Physical stores will continue to co-exist along digital channels depending on a number of reasons such as demographic composition, type of product and versatility to adapt to new technologies.
There is increasing availability of unstructured data from cameras, sensors, internet of things (IoT) in physical stores and this has contributed to processing of huge volumes of data.For this data to be relevant to Digital Retailers, it must be processed in real time which is a huge challenge especially regarding getting consent from customers particularly in physical stores for using this data with the introduction of GDPR.It is harder to get consent, GDPR article 6a, 7&8 consent.Article 9 prohibits processing od special categories of personal data.Retailers have to come up with innovative solutions to overcome this obstacle if they want complete understanding of their customers.
The digital technological developments have helped change the nature of customer-retailer interactions, giving rise to new shopping behaviors.Retailers have to tailor their strategies to be able to adapt to these changing behaviour.Three of the most common challenging behaviours are free riding, showrooming and webrooming [40].Free riding behaviour has been identified in literature as one of the negative aspects of multi-channel-retailing [44].An example is the American Electronic Retailer Best Buy which failed in China due to this issue.Customers would access all the information about electronic products, make comparisons but at the end buy from a cheaper Chinese retailer.This was a disadvantage as Best buy had invested a lot of capital to develop the customer journey enhancing technologies.The retailers can use customers mobile search cookies to overcome this issue by offering -match the price‖ or similar offers but the data processing has to comply with GDPR article 9 [13].

Predicting Shopping Behaviors of Existing Customers
New customers are a lot more expensive than returning customers for retailers [7].In order to conform with the of Data Minimization where data collected is required to perform a specific purpose [13], tracking cookies which are essential in performing analytics is not possible.Data analytics is one of the major contributors of revenue streams for digital retailers [48].This is a major challenge to digital retailers.

Individual Country Rules and Cultures
Eliminating geographical limitations has always been considered as one of the advantages of Digital Retail and with implementation of GDPR throughout EU is supposed to make it easy to have a consistent and standardized approval from all customers in EU.Customs terms also differ from one geographical location to another.Since 2018, Airbnb, the world's leading C2C accommodation service provider has been going through a hard time in Austria due to changing regulations.The government required Airbnb hosts to pass on guests' information for tax purposes [10], something which might violate the EU privacy regulations, among other issues.Another example expressing how digital retail is affected by individual countries rules and regulations can be seen in the legal battle between Uber and the government of France where Uber is accused of operating illegal transportation business in the country, something which is deemed legal in other EU countries.[36] Similarly, regarding developing standardized practices for complying with GDPR consent mechanism for whole of EU is impossible.Around 50 articles in the GDPR can be modified by individual countries depending on their preferences.Age Consent Variations by EU Member countries [38].For example, the right to consent in Austria is valid from age 14, other countries, have 16, others 18.

Processing Data across All Channels
The ideal position for a firm would be complete customer data integration (CDI), or an integrated, single view of the customer across channels.The ideal database would depict which channel(s) each customer accessed during each stage of the decision process, including competitors' channel [31].Biometric technologies can be used as a unique identity to identify customers across different channels.
In the context of retailers using online and offline channels, use of biometric technologies such as facial recognition technology (FRT) can be lawful in two different scenarios.If data processing by the retailer does not identify the customer, then the data processing activity may fall under the legitimate interest of the retailer [15].If data cannot be anonymised, only explicit consent from customers can justify the data processing activities by retailers.However, due to the strict requirements of explicit consent, there are still other conditions that must be met before the processing is lawful and it becomes a challenge for retailers to get consent in different channels because consent of one channel cannot be used in the other channel.If a retail store is identifying the customer, consent cannot be accepted as explicit with just entrance to a store that has a prominent notice on the front door.For example, use of CCTV with FRT for categorization purposes categorization of non-identified customers' digital signage use in the retail store categorization of identifiable customers' loyalty membership CCTV for security purposes.If a retail store acquires consent together with a loyalty program, and the consent is explicit, freely given, informed and unambiguous, the consent can be accepted as valid [15]

MANAGERIAL IMPLICATIONS
We analyzed the business and technological challenges faced by retailers in EU since the GDPR became effective on 25 th May 2018 throughout the whole customer journey.We don't dispute the fact that processing personal data is vital in improving customer experience by enhancing transparency, interaction, fast and affordable service delivery among other benefits in digital retail but we strongly emphasize that GDPR compliance is not optional but a mandatory obligation to digital retailers within the EU and beyond as long enterprises process data relating to EU residents.This is both within brick and mortar stores as well as across all digital channels such as mobile apps and websites.
Therefore, we recommend the following solutions much as they are very basic and not new in digital retail, they have been neglected for so many years.For example, the Austrian Data Privacy Regulation of 1980 [20] comprised of many of the articles in the GDPR but the light punishment that came with noncompliance wasn't persuasive for enterprises to conform with the regulation.Now that the GDPR violation comes with a minimum penalty of €20 million or 4% of the global revenue, enterprises will have to strictly be vigilant in observing the regulation.In order to guide digital retailers on how to offer innovative, rewarding and exciting customer journeys and yet stay GDPR compliant hence minimizing legal risks which can potentially attract hefty fines in courts of law, damage the company's reputation, lead to revenue losses in case customers switch to other competing service providers among other negative effects, we recommend the following: Incorporating GDPR into the enterprises Governance, Risk Management and Compliance GRC) policies.This will involve active participation of Boards of Directors (BODs), who will set organizational goals, empower senior management to set GDPR compliance as a strategic priority, Management which will prioritize monitoring GDPR compliance activities and mitigate potential threats due to non/compliance and Heads of Departments (HODs) who will have to demonstrate GDPR Compliance practices within departments, oversee operational effectiveness from legal and financial perspectives.
Where processing sensitive personal data is involved, enterprises must make sure that at least they have complied with the 6 GDPR fundamental principles mentioned in section GDPR (put the number of the section here) This can be achieved by informing the data subject about what data to be collected, for which purpose, who will have access to it and for how long it will be stored and requesting a consent or otherwise the data controller in this case the digital retailer will have to prove that there is any of the following interests fulfilled before processing personal data: legal interest, legitimate interest, public interest or vital interest to protect the data subject.We emphasize transparent categorization of cookies, so that data subjects choose which category and purpose they wish their online behaviour to be tracked.In addition to that, consents can be requested for a certain period of time and for a specific purpose only.Consent has to be requested again in case the permission and purpose to collect data from the data subject expires.Violation of any of these leads to the maximum penalty of €20 million or 4% of the company's global revenue, whichever is higher.In case enterprises are not completely sure that they have fully complied with the 6 GDPR fundamental principles, we recommend a Data Privacy Impact Assessment (DPIA) to be carried out.This is an internal assessment conducted within the enterprise to assess vulnerabilities and their impact.This should be clearly documented and a report is submitted to the Data Protection Authority (DPA) for final assessment.Retailers can conduct internal assessments such as hiring professional hackers to detect data breaches within their enterprises and report any incidences without any undue delays in order mitigate the risks that come with the GDPR violations.
To overcome the challenge of increased investment because of GDPR, digital retailers can minimize data by not collecting unnecessary personally identifiable data to minimise vulnerabilities.In addition to that digital retailers can let the data subjects do things on their own such as posting their personal data, photos, deletion of information, etc.This can be done on company's social media facilities such corporate Facebook page, twitter handle, LinkedIn, and so on.By doing this, customers will enjoy interactive customer journeys but they will be responsible for their own data privacy.
To overcome the challenge of understanding the customer and still being complaint to GDPR, digital retailers should look into anonymization or pseudonymization of data as soon as possible where the product offerings are not highly personalised.This will reduce GDPR potential risks of violation and at the same time, customers' data can be processed in order to predict customer shopping behaviors and provide customized services without identifying individual data subjects.While processing data across channels, digital retailers must ensure that they are complying with Article 25 of the GDPR by ensuring that their systems and applications conform to Privacy by Design and Privacy by Default.This can be achieved through some simple practices such as encrypting sensitive data such as credit card / debit card PIN encryption, strict access protocols such as passwords in order to monitor accountability for data privacy, among others.
For overcoming the challenges of individual country regulations in respect to GDPR, Digital Retailers can consult their local Data Protection Authorities in case they need clarity with data privacy compliance regulations in individual countries.In addition to that all GDPR and other data privacy compliance activities such as monitoring, training, implementation must be clearly documented to be presented to Data Protection Authorities whenever required.EU member states are allowed to make minor modifications of about 50 of the 99 GDPR articles, such as the determining age of child consent.Digital Retailers operating in more than one EU member state need to update themselves with this modifications varying from country to country.

CONCLUSION
We conducted a comprehensive literature review and review of GDPR documents to come up with the challenges digital retailers are facing with the implementation of GDPR.We also pointed out possible steps which retailer can take to overcome these challenges from a technological and business aspect.This is a general overview of GDPR and the idea behind this was not to go into details of all six principles of GDPR with related 99 articles and 173 recitals because fully understanding the regulation, its implementation, and determination of legal ramifications for violating the regulation is still work in progress.There is a backlog of data privacy cases filed in courts of law and waiting for legal interpretation.Further research can be done to elaborate these deeper into the GDPR fundamental principles, related articles and recitals in order to come up with more in-depth research findings on compliance, implementation and impact on business models and technologies.
In addition to that, the regulation is quite elusive on elaborating the appropriate technologies to implement in the enterprises.We discovered that some regulations such as Right to rectification (Article 16) and Right to erasure / Right to be forgotten (Article 17) face technical limitations in case of cloud service environment given the period of time allowed within the GDPR framework to fulfill these tasks.Completely deleting selected personal data from backup systems and traditional storage methods such as Compact Discs is almost impossible and expensive.More research in Digital Retail technologies is required to overcome these challenges otherwise, different stakeholders may have to compel the regulators to specify on the technological requirements for fulfilling such conditions.
Therefore, we retained only 26 articles from ScienceDirect.In addition to that, we searched another database; ResearchGate and applied the same selection criteria.A total of 46 articles were selected depending on the basis of relevance of the search words or phrase, English language and Open Access feature.We used the key search phrase, -Challenges and Opportunities in EU Digital Retail‖ which yielded several results but only 12 were selected.We further used 2 other key words; -Digital Retail‖ which yielded 20 articles and -Customer Journey‖ with 14 articles.
and Social Change and Procedia Computer Science which had the closest relationship with our topic, we obtained 75 articles, out of which 49 were eliminated because either they addressed other topics linked to other subjects such as smart cities, innovation, financing, among others or their geographical scope was outside the EU.

Table 1 : Inclusion-exclusion criteria of literature review
totally searched and analyzed 75 sources with already grounded and published findings between February, 2010-February, 2019 to improve on the scholarly definition of Digital Retail, identify challenges within the EU Digital retail and recommended possible ways of converting these challenges into opportunities from business, technological and legal points of view for Digital Retailers to offer uniquely rewarding customer journeys.