Interview: Sainsbury's CDO Andy Day and ICO Elizabeth Denham talk GDPR

Staying on the right side of the helpful-creepy axis - and the law

In his current role as chief data officer (CDO) at supermarket giant Sainsbury's, a job he's held for seven months, Andy Day is responsible for creating the retailer's overall information management strategy, improving the insights and business outcomes derived from the company's data. Much of that data, of course, consists of records of consumers' buying habits, and many of the planned new developments revolve around personalising services based on that information.

Certainly managing and deriving value from personal data is something he's accustomed to, having previously been business intelligence director at News UK and before that head of CRM at O2. But the world of data management is changing.

Day spoke to Computing at an awards ceremony run by consultancy DataIQ to honour influential leaders in data-driven business (at which, incidentally, Day bagged the top award). During the event there was much discussion of the responsible treatment of personal data and about the raft of new data protection legislation on the way. Day insisted that these impending new laws are a help rather than a hindrance to Sainsbury's.

"My mantra has always been that our job is to use our customers' data for their benefit. If we do the right thing by the customer then they will reward us with their patronage and their loyalty. I know it sounds a bit trite but I fundamentally believe that," he said.

Compliance with most aspects of the upcoming EU General Data Protection Regulation (GDPR) should be straightforward so long as the company acts on those principles, he maintains.

"We should be part-time custodian to that data, using it in a way that enhances your relationship with us. I think GDPR becomes a regulatory lens through which to see that. If you're genuinely acting in the best interest of the customer then GDPR is almost a side issue because by default you are already doing that.

"With the personalisation thing, if you can draw a line between a happier, better informed, more loyal customer and the data you're using then I think that's absolutely in the sweet spot of what GDPR is trying to do."

In the interests of transparency, will Sainsbury's be setting up a system whereby a loyalty card holder can log into a website to view how his or her data is being used? Day believes that such a system should be available, although he doubts many customers would want to use it. For now, he says, the company is focused on being compliant rather than "solution-ising" transparency.

"The opportunity for brands like ours is to get on the front foot and be transparent. Does that mean we email everybody and let them know every transaction they made with us? Probably not because most people aren't interested, but should they be interested and should they want to seek out the information then I think we should be in a position to provide it."

For brands like Sainsbury's it's all about trust, Day says. Does this include allowing customers to opt out of some data collection?

"Yes of course, absolutely", Day said. "But you have to get the first bit right. If you're doing the right thing by the customer then you would expect the customer to allow us continued access to their data and everything that follows from that."

The issue of trust with respect to the acceptable use of data is one that evolves over time and is subject to changes in social norms. How will Sainsbury's avoid going too far, becoming 'creepy' in its use of predictive analytics to push messages at customers, making them feel they are being watched?

"It's finely balanced in terms of acceptability," Day said, relating a story of a beer brand that started targeting a friend based, presumably, on photos posted on Facebook.

"Of course that's a bit creepy, the guy wasn't expecting that, but if you're transparent with what you're going to do with it and you do so proactively then I think that becomes acceptable."

The consumer has to give off the right signals, he added, and the personalised messages have to be pushed in an appropriate way "at the right time, in the right channel, with the right product".

Attending the same event, the UK Information Commissioner Elizabeth Denham told Computing: "Consumers are becoming more aware of their rights and more concerned about the need to control their own personal data. They want to wrestle back some control as to how their data is used. I think the GDPR reflects where we are as a society, wanting to wrestle back the control to the individual."

For many companies that use personal data for marketing, the transparency requirements of GDPR will be quite a challenge, she believes, urging them to start thinking about the changes they will need to make.

"How are you going to use the data? How will you pull back the curtain and demonstrate to consumers in a way they can understand - remember that's clear, informed, unambiguous knowledge and consent? For companies where there's a whole chain of actors and transactions it will be challenging," she said, adding: "But we're here to help."