Deloitte Cyber reveals best data privacy practices for retailers during the holiday shopping season

NEW YORK, NY, USA, 24 November 2020—During this time of tightening COVID-19 restrictions and more physical restrictions, retailers are more focused than ever on reaching the online customer. However, as societies move to “safer at home” scenarios, are they “safer online” as well? As the holiday shopping season ramps up this week, Deloitte is revealing the top data privacy practices retailers need to keep top of mind.

The recent Deloitte “2020 Deloitte Holiday Retail Survey: Reimagining Traditions,” while focused on American consumers, is a good indicator of how most global consumers will likely behave this year in light of COVID-19. 64% of survey respondents indicated that their holiday shopping budgets will be spent online during the holidays—a number which will likely only increase in the coming weeks. At the same time, Cyber Monday has also bypassed Black Friday in importance for all generations (59% of respondents plan to shop on Cyber Monday versus 48% on Black Friday). These trends have brought cyber practices to the forefront for many retailers.

“Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business. Earlier this year, we saw the rise of phishing campaigns for consumers around the pandemic; cybercriminals will simply adjust their phishing lures now to email themes to current holidays and events,” said Emily Mossburg, Deloitte Global Cyber Leader. “Striking the right balance between secure transactions, data privacy and positive user experiences is crucial for organizations to confidently expand online services and customer reach.”

Customers, vendors and supply chain partners want to know that cybersecurity is a priority for the organizations and institutions to which they entrust their transactions, information, and personal data. Employees want to feel certain that their work-related data is secure, and that the networks they need to do their jobs will function properly.

Organizations should ask themselves what they must do to build and maintain trust.

- With more data, more connectivity, more access, do we understand our cyber risk and are we confident our Cyber program will maintain and strengthen trust? Finding and knowing where the most vulnerable areas are within an infrastructure and systems is an important first step in building a top-tier cyber program. Use this knowledge to minimize weaknesses and enable a robust digital environment that is highly reliable, available and secure.

- Are we proactively detecting fraudulent activity and cybercrime? Ensure that financial transactions are secure, and systems operate with integrity. Monitor the dark web to identify organizational exposures and historical, active and planned attacks against your organization. Perform sentiment analysis to improve staff, supplier and customer communications.

- Is data collected ethically and protected appropriately? Embed Cyber and data governance into systems that enhance safety measures in the physical space. Educate personnel involved in data collection about their new responsibilities as data collectors and stewards of security and privacy.

Just before the holiday season began, the European data protection rules changed with immediate impact on current data sharing practices. Since the Court of Justice of the European Union (CJEU) made its judgement in the Schrems II case, there is work to be done for organizations that share/transfer personal data from/to the USA and EU countries. Internationally operating retailers that transfer data will have to make sure the contractual agreements on data sharing match the increased strictness of the European court and subsequent guidance from the European Data Protection Board.

Even with the promise of Coronavirus vaccines on the way, retailers should not rest easy in preparation for next year’s holiday retail season as online marketers targeting consumers will have to start thinking of new ways to target, engage and redirect customers to their platforms. To make the Internet safer, the use of third-party cookies will no longer be possible by 2022. This means a major shift in digital marketing practices, in favor of privacy protection of consumers.

These decisions reinforce the importance of data protection to global commerce and the critical role that privacy professionals play in implementing protections in line with foreign legal requirements.

Organizations that created new workforce strategies and customer service approaches under the pandemic pressure of 2020 will need to determine if they warrant longer term adoption and transform the ad hoc procedures into best practices for the future. From a Cyber lens, digital trust is a critical facet of society’s ability to thrive in the next normal.

“Retailers are trying to get closer to their customers by using new technologies like augmented and virtual reality and this should come with a focus on consumer trust,” said Annika Sponselee, Deloitte Global Data and Privacy Leader. “Retailers should provide straightforward language in their privacy communications explaining how they are protecting it and why data from consumers is being used.”

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see to learn more.

Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our global network of member firms and related entities in more than 150 countries and territories (collectively, the “Deloitte organization”) serves four out of five Fortune Global 500® companies. Learn how Deloitte’s more than 330,000 people make an impact that matters at

Press Contacts:

Steve Dutton
Global Communications Deloitte Global
Tel: +1 202 734 3207

Stephanie Anderson
Global Communications Deloitte Global
Tel: +1 212 492 3959