Welcoming in a new year is, as always, a time of reflection. Here at Tryzens it is no different. 2017 was an especially successful year. We had numerous reasons to celebrate, we received great accolades and expanded our business into Australia and New Zealand. We have compiled a selection of 2017 highlights.

Winning Salesforce Commerce Cloud EMEA Delivery Partner of the Year.

It was a great year for partnerships for Tryzens, and we are still delighted by the announcement made at Salesforce’s XChange Conference 2017, the eCommerce and digital retail event of the year, which saw Tryzens appointed as the only EMEA Delivery Partner of the Year.

Tom Griffin, COO, Commerce Cloud, Salesforce exclaimed “Tryzens demonstrates a commitment to delivering intelligent and innovative solutions that enable companies to connect with their customers in new ways.” We are extremely pleased at how strongly our partnership has flourished and appreciate seeing the hard work of our sales and delivery teams recognised on such a scale.

Tryzens have been in partnership with Salesforce Commerce Cloud for many years and the announcement of this award was a great honour and a reflection of the tremendous skill and care of the Delivery Teams at Tryzens to ensure clients benefit from the great capability of this enterprise platform.

This calendar year saw the contract wins of significant Salesforce clients such as British retailer Sweaty Betty who specialise in women’s activewear, luxury destination store Liberty London and T.M. Lewin, a leading men’s shirt retailer. Whilst in our Australian office we launched the new CottonOn sites and signed more incredible brands such as Seafolly, MacPac and M.J. Bale. We look forward to continuing our work with retailers to place the Salesforce Commerce Cloud solution at the heart of future-thinking, seamless omnichannel eCommerce experiences.

Awarded Magento Enterprise Level partner

We were also delighted to announce Tryzens had been awarded with the accolade of Magento professional partner, solidifying the already strong relationship with the highest level of partnership Magento offers for regional partners. It was a proud moment for all of us here at Tryzens as we have worked hard to invest in our team, our capabilities and our performance, and it is rewarding to see that our momentum is converging with Magento’s own growth and strategy in the commerce marketplace. This calendar year Tryzens signed with several renowned brands such as David Nieper, Actegy and Ferrero Food Services.

Magento Commerce stated: “Tryzens has developed a dedicated practice of experienced, reliable Magento professionals so we are delighted to be able to award Enterprise Partner status. We look forward to continuing to work together to create exceptional online experiences for our clients.” For Tryzens the announcement underlines our deepening commitment to the Magento eCommerce platform and we look forward to what’s to come in 2018.

Building our team in Australia/New Zealand

This year, based on our early successes with clients in Australia, we took the decision to open our first office in the region, based in Melbourne. We also appointed Josh Emblin as Country Manager to lead our sales activity and appointed James Lutchmaya and Sophia Brooker to head up our Programme and Customer operations. We will continue to expand our local presence to support our clients in this exciting market.

Demystifying GDPR for Retail

One of the biggest regulatory and legislative changes impacting us all in 2018, and one that cannot be overemphasised, is the new European privacy law known as GDPR (General Data Protection Regulation), which comes into full force on 25th May 2018. Retailers operate in the very heart of where these regulations impact and cannot afford to put off addressing their new obligations towards their consumers and employees. Tryzens decided to lead the process of education on the subject, wrote relevant white papers and partnered with specialist corporate and technology law firm White & Black in our mission to further demystify GDPR by hosting three sequential seminars at BAFTA. These free briefings were open to retailers and clients, covering the following aspects of GDPR:

  1. Seminar 1: Personal Data, Lawful Processing and Consent
  2. Seminar 2: Practical considerations retailers should take to prepare their internal operations to demonstrate awareness of and compliance with GDPR.
  3. Seminar 3: Managing your GDPR obligations relating to third party Data Processors.

Tryzens have made all the content from these sessions available as recorded presentations, plus much more, on the GDPR Hub. Within the hub you can find platform specific guidance links, a downloadable copy of our GDPR whitepaper ‘A Retailer’s Responsibility and Liability under GDPR’ and our GDPR Service Provider questionnaire for eCommerce and digital service suppliers.

Launch of new IPM services for leading eCommerce technology vendors

Integration Portfolio Management is a new service for software companies in the eCommerce arena. It enables them to work with a single provider for development, support and go-to-market strategy services across multiple eCommerce platforms at once. Tryzens’ IPM simplifies the principles of integrating their technologies with major eCommerce Platforms, whereby the software company invests in an aligned, seamless process and associated resource pool that is flexible to meet their evolving needs and priorities based upon market demand.

With the launch of the new service, we have seen some leading technology companies adopt this approach, and start seeing the benefits within months.

Klarna, being very pleased with our initial successful build of a Hybris cartridge, chose us to manage their integration portfolio across all their products & platforms. Previously, they had relationships with multiple SIs that were very experienced in their independent platform fields, but Klarna realised the benefits they could get by consolidating under a single partner with proven experience across multiple fields.

Another great partnership for Tryzens was the expansion of our relationship with SmartFocus, who used to work with over 5 Systems Integrators to manage their portfolio of integrations. This proved to be a logistical nightmare and incredibly inefficient. By consolidating this activity under the Tryzens IPM service SmartFocus saw operational and economic benefits within months of the transition.

Tryzens look forward to sharing more releases, working on exciting new projects with our partners and completing new website launches for our wonderful clients in 2018!

(as your GDPR compliance is also in their hands!)

With GDPR coming into force from a compliance perspective on 25th May 2018, retailers can no longer afford to put off the action to look at their new obligations towards their consumers and employees.

That said, we recognise that knowing where to start can be a challenge and so felt it essential to try to demystify GDPR for the retail community. With retailers operating at the forefront of the consumer market where personal data is used considerably, I expect that we have all seen the numerous headlines about new Data Subject (i.e. European citizens) powers that impact how you process their data, as well as huge potential fines that could be levied by a more empowered Regulator (the Information Commissioner’s Office, or ICO). No doubt this relentless news has also been associated with an increase in spam to your inboxes on solutions promising to address the challenges!

However, all the noise (and opportunism by some) can cloud the real issue, and we must not lose sight of common sense and recognise that this new regulation is intended first and foremost to protect individuals in an era of explosive levels of data capture (whether Customers or Employees) as well as to theoretically simplify common business practices for businesses operating across the EU. It is absolutely not an attempt to stifle innovation, efficiency, customer experience or sales conversion which is obviously essential to the success of retail operations. As such I recommend that GDPR must be embraced to help your business demonstrate trust and transparency in the digital age.

Last week, we held our third and final (for now!) seminar with White and Black, our expert legal partners in our mission to demystify GDPR for retailers. Our focus this time was on the subject of managing your obligations relating to third party data processors. In eCommerce operations, there are typically a number of data processors in your overall digital commerce operations driving customer experience. These can range from distribution services to personalization tools, and from payment providers to hosting companies.

As a Retailer, you cannot escape being the accountable party as the ‘Data Controller’ to ensure your processing of personal data for customers and employees is both fair and lawful. However, under GDPR, the third parties that are operating as Data Processors on your behalf also have explicit obligations that they must adhere to. In fact, it is essential that retailers recognise that they may already be committed to agreements with a term that goes beyond 25th May 2018, which may automatically place them in breach of GDPR compliance unless issues are identified and remedied before this date. Therefore, it is essential to take steps now to audit your use of Data Processors and ensure that they are able to operate in compliance with GDPR, so that you can be confident that your business does too.

The following is a quick recap of the areas we covered in the seminar, a recorded version of which can be watched here:

  1. GDPR comes under the description of being ‘principles based regulation’ meaning it is not 100% prescriptive and must be interpreted and applied with thought and relevance by each retailer as there is no explicit standard to follow. You must assess your own risks and take a proportionate response to mitigate any risks identified, documenting your findings and decisions, tracking achievement and training your staff.
  2. GDPR works on core principles that are aimed to ensure that businesses operate both ‘fair’ (reasonable) and ‘legal’ processes and that they operate with ‘transparency’ so that consumers know what will happen to their data held by a retailer and how to interact with the retailer if they need more information or a change of action. (Revisit our recorded GDPR webinar 1 for a recap).
  3. A data controller is defined as the organization that determines the purposes and means of processing personal data. In an eCommerce arrangement, this is the retailer.
  4. A Data Processor is any organization that processes the data on behalf of the data controller, whether that be storing it, analyzing it, segmenting it or any other task. A retailer could, and usually does, use any number of third party data processors.
  5. For the first time under GDPR there are now direct responsibilities imposed on Data Processors to demonstrate compliance with GDPR.
  6. Both Data Processors and Data Controllers must be able to comply with the new rights of the Data Subject such as the right to be forgotten or the right to withdraw consent. (Revisit our recorded webinar 2 on GDPR for a recap on this)
  7. Data Processors have direct responsibilities under GDPR that they must achieve.
  8. Data controllers must audit the data they capture and process (including those of relevant Data Processors), taking appropriate steps to secure the data and to regularly minimise the amount of data held so it is only held for fair and lawful processes that your customers and employees have agreed to/are aware of.
  9. There are clear requirements for Retailers to ensure that they exercise diligence when selecting service providers (data processors) to ensure they are able to be compliant to GDPR before entering into contracts with them.
  10. Doing contractual reviews of your current Data Processors early is key! Many retailers will have contracts that do not expire before the deadline, so it is essential to review, and renegotiate, these contracts where applicable. On our GDPR hub we have shared a questionnaire you can use with the suppliers you rely on.
  11. When updating your Privacy Policies and adapting them to be more accessible Fair Processing Notices in the customer journey, you need to ensure they accurately reflect or cover the responsibilities covered by third-party Data Processors so that your statements are accurate and valid, back to back, with your contractual position with data processors.

So, our message is simple: it is essential that Retailers have a clear plan to review all Data Processor Agreements as soon as possible and amend them where necessary in time for 25th May 2018. If a Data Processor cannot prove to be GDPR compliant and contract as such with the Retailer, then the Retailer is responsible for finding and using only Data Processors that can commit to compliance. Data Processors are also liable under GDPR and as such we would expect them to be aware of their obligations and to be taking steps to ensure compliance in order to support your business obligations.

For more detailed information on this subject, to play our recorded webinars, or, to access additional resources like our Supplier Questionnaire (to validate Data Processor capability in regard to GDPR) and a quick link to the ICO draft Guidelines for contracting with Data Processors, please go to our GDPR Hub where these resources can be found. If you have any questions on the matter, please do not hesitate to contact us.

Appoint an internal owner and take a pragmatic risk-based approach

Designed to better protect EU citizens’ data and harmonise legislation across Europe, the General Data Protection Regulation (GDPR) brings in a raft of new guidelines and requirements that retailers need to be savvy to. That said, much is reinforcing the Data Protection Act already in place but with a greater emphasis on ensuring compliance.

At the heart of the initiative is the intent to support the increasingly digital economy, to build trust and to help protect consumers (data subjects) from exposure to risk that their personal data will be compromised and misused.

Yes, there are of course material fines that the ICO could impose from 25th May 2018, but to focus on that is the wrong basis for getting ready for GDPR. Instead, retailers should be looking to demonstrate that they take the fair and lawful processing of private data seriously and that they can be trusted.

Being a principles-based piece of regulation, though, means that every retailer needs to be able to demonstrate and evidence their own review, action and processes that were undertaken and put in place. There is no single approach that everyone can print out, copy and say, there you go, this is our position.

In our second instalment of our three-part seminar series – in collaboration with law firm White & Black – we set out to further demystify GDPR in order to help the retailer community establish a practical, best-practice approach to preparing themselves to demonstrate GDPR compliance.

Discussions were centred around how retailers can achieve operational readiness through a risk-based approach (RBA) that looks at the nature of data being held and the purposes for which it is being held, in order to identify and assess the significance of any potential risks that may be exposed. From this understanding a plan of action can be created that is relevant to the level of those risks and shows how relevant personal data will be captured, managed, protected and controlled to ensure fair and lawful processing.

White & Black outlined the following logical approach to help you review internal operational procedures when it comes to managing personal data:

  1. Planning: This is very much a workshop activity for key stakeholders in the management of functions and technology. It would involve white board sessions to identify core data captured, processing activities, the scope of the systems impacted and any third parties that may be involved as Data Processors. The aim is to scope out the activity needing further investigation, identifying and grading key potential risks and areas for audit focus. It is also essential to appoint an overall owner for the GDPR activity to manage the various stakeholders to deliver the plan.
  2. Data Audit: Retailers will need to map out the data captured and systems impacted, and this may be best achieved by formulating structured interviews with functions and stakeholders to ensure all avenues are covered and that consensus can be gained on the risk associated with current data held and practices followed, to improve the protection of your customers’ and employees’ personal data. Formalise the outputs into a document where the risks can be ranked and reviewed and additional data records can be collated alongside, such as current privacy notices, supplier contacts, and customer forms. This will form the basis of a risk register on which the plans to mitigate can be based and monitored.
  3. Analysis: Key stakeholders should actively review the risk register, the grading and prioritisation of risks and establish a regular mechanism for reviewing progress ahead of the 25th May 2018 deadline. Retailers should report at Board/Executive management level on core risks identified; formulate key organizational recommendations and actively monitor the completion of tasks and the closing of risks.
  4. Implementation: Key within this part of the plan is to redefine notices and prepare materials (privacy notices, amending supplier contractual clauses, validating security and DP processes and systems, breach notification etc.), but it is also about preparing the business to handle the many rights of the consumer regarding their data, such as the right of erasure (often called the right to be forgotten) as well as the rights of objection, access, portability of data etc. Arguably, ensuring there are processes in place, manual or automated, could be a bigger hurdle for many retailers to implement and support. Which brings us on to the other key process in implementation, that of ensuring all staff are effectively trained in the importance of GDPR and what it means to them practically day-to-day.

GDPR will require a fundamental review by each retailer, be they traditional or a born-in-the-cloud retailer operating purely online. To that end as the topic is so broad and the clarity of interpretation still immature, we do believe that a risk-based approach is essential to becoming compliant in an efficient, effective and timely manner.

The following is a summary of the key messages from this session:

  1. GDPR and e-Privacy are parallel forces impacting ecommerce during the transition to common standards. Marketing and online purchasing have different obligations and constraints over the next couple of years as these two pieces of legislation evolve.
  2. Consideration needs to be given by retailers to clearly demonstrate compliance in the online user journey and data capture processes to ensure they are seen to be both fair and lawful processes. Of course, this needs to be as friction free as possible and we demonstrated some concepts as to how this could be achieved.
  3. The new (and strengthened) rights of consumers (data subjects) will require clear external and internal processes that can be followed. This arguably has the greatest administrative burden under the new regulations.
  4. Retailers need to take a risk-based approach to mitigate the risks of data loss or misuse to protect their customers and employees.
  5. Third parties are commonplace in eCommerce, but understanding their role as a Data Processor is critical to ensure appropriate contracting and processes to control risk. The retailer is ultimately liable for their actions when it comes to their own customers.
  6. A clear internal owner and a clear plan for achieving compliance should be a top priority for every retailer right now to ensure a viable and sustainable approach is implemented, well before the 25th May 2018.

Our next seminar will explore in some depth how retailers can practically and effectively manage the increasingly complex area relating to third party suppliers, and what data they process, where they process and store it and what terms and conditions are in their agreements.

For more information on this session, please go to our GDPR Hub.

Brexit or no Brexit, the General Data Protection Regulation (GDPR) to protect consumers’ personal data for people living in the EU, and to help standardise practices for business operating across the EU, has already been adopted by all Member States and comes into full force on 25th May 2018.

As with any new regulation, a lack of clarity can give rise to both confusion among those that are impacted and opportunism from people looking to make a quick buck. This Fear, Uncertainty and Doubt (FUD) gets in the way of understanding what it really means for businesses and the people charged to manage their way through it. With retailers operating at the very forefront of consumer interaction, we felt it essential to demystify the subject and provide guidance on what needs to be understood and what preparations need to be made.

I expect we have all seen the big GDPR headlines of new consumer powers and big potential fines from a more empowered regulator (the Information Commissioner’s Office, or ICO), and have experienced an increase in spam on the risks. However, we must not lose sight of common sense and the fact that this regulation is intended to protect individuals and support common business practices across the EU. It is not an attempt to stifle innovation, efficiency and great customer experience, which is at the heart of retail operations.

This led us to collaborate with White & Black, a law firm with expertise on a range of commercial law and regulation, and together we have created a series of free briefings to help the retail community get to grips with the subject. We hosted the first of these seminars on 25th July to set out the basic building blocks of the elements that impact how we prepare for GDPR.

First and foremost, it is important to understand that GDPR comes under the description of being ‘principles-based regulation’, meaning it is not 100% prescriptive and must be interpreted and applied with thought and relevance by each retailer. GDPR works on three core principles that aim to ensure that businesses operate both ‘fair’ (reasonable) and ‘legal’ processes, and that they operate with ‘transparency’ so that consumers know what will happen to their data held by a retailer, and how to interact with the retailer if they need more information or a change of action.

In our first seminar we explored:

  1. What personal data really means today and the fact it has grown in range to include the device ID (e.g. mobile or laptop) and the IP addresses we use to access the internet for shopping online. We also discussed the concepts of normal and special data and the rules that applied to each.
  2. What constitutes lawful processing of personal data, and what is the role of a third party system provider as a ‘data processor’ working for the retailer, who is the ‘data controller’. We learned that lawful processing must be based on at least one of the three principles of Performing a Contract, Legitimate Interest or Consumer Consent. With the exception of managing special data, or in regard to marketing communications, we learned that consent is possibly the least effective way to determine lawful processing for an eCommerce operation.
  3. We learned how Privacy Notices have evolved into Fair Processing Notices and how these will now need to be raised in prominence from the traditional positioning on a footer of a website, to being referenced/linked to in the customer journey. That said, it is not necessary to introduce additional steps, nor to require a consent or click through, but better to show a consumer when additional information is available on the retailer’s approach to fair and lawful processing.

The key take-aways from the first session were:

  1. Retailers must assign a clear internal owner for GDPR to work through the programme of activity needed to demonstrate readiness and compliance.
  2. Retailers must carry out a review of the ‘personal data’ held on consumers as soon as is possible to determine if it is valid, current and needed (as well as which third parties rely on it).
  3. Retailers should delete personal data not required for fair and lawful processing.
  4. Retailers should validate their fair processing requirements and review how and where to introduce consumers to these notices without negatively impacting customer experience or activity or conversion.
  5. With the exception of marketing and/or capturing special classes of personal data (e.g. sexual orientation, medical data) retailers should avoid the need for consumer consent as a basis of processing personal data. If you do rely on consent, you should also evidence that you have legitimate consent – or request it if you cannot.

Actioning all of these steps will require new procedures to be implemented internally. In our second seminar, we will be sharing our thoughts on the practical steps to review internal operational procedures for managing personal data. For more information on this session, please go to our GDPR Hub.

Don’t put off learning about GDPR as you need time to act before enforcement commences: the changes are significant, as are the risks from inaction

With less than a year to go before organisations which process, use or exchange consumers’ personal data within the EU need to comply with the new General Data Protection Regulation (GDPR), eCommerce systems integrator Tryzens has highlighted how this new directive will impact retailers, and what key steps brands will need to take to mitigate the impact when the regulation becomes enforced from 25th May 2018.

The GDPR is legislation that effectively replaces the Data Protection Act 1998 in the UK, and aims to harmonise the approach to the protection and privacy of all personal data collected for/or about citizens in the EU. Whilst upholding the values of the free flow of information across Member States, GDPR also gives individuals much more transparency and control over what companies can do with their data.

Andy Burton, CEO of Tryzens, has advised that all retail organisations with physical or online sales outlets operating in the EU, or those that promote or sell advertising or marketing to EU residents, need to be more aware that they have to comply with the new GDPR. It is already passed as law today and is enforceable from 25th May 2018. It is also relevant to a retailer’s management of their employees’ data.

Burton said: “With heavy fines that can be imposed via the ICO (Information Commissioner’s Office in the UK) of up to 4% of global group revenue, the risk of failure to comply by the time GDPR is enforced is far too significant to ignore. It’s crucial that in retailers’ Boardrooms they start to look seriously at what data they capture, how consumer consent for its use is gained, and ensure the use is purely for what GDPR refers to as Lawful Processing. Equally, the complexity of the retail technology environment brings about a significant increase in the volume of potential Data Processors that the Retailer (as Data Controller) has to have appropriate back to back contracts, controls and security measures in place for.”

Burton continued: “May 25th of next year is not far away in regard to the scale of the review retailers need to undertake, and it’s worth stating too, that the myth that this may go away because of Brexit is simply not true; it is already applicable in UK law.”

“GDPR will significantly impact how retailers collect and process personal information, be they pureplay etailers or traditional bricks and mortar. We have less than 12 months before the deadline and with hyper sensitivity in the market to avoid adding any friction to a customer shopping experience (because of the potential impact to sales conversion), I cannot stress enough the importance of ensuring the ecommerce, store, marketing and trading teams fully understand what compliance to GDPR looks like so they can adapt to deliver a positive and seamless customer experience” warned Burton.

Ahead of GDPR, Tryzens has published a Whitepaper aimed specifically at the retail market to explain the major changes, and is running a series of seminars over the coming weeks to help retailers answer the practical questions around what this means for them, such as: what do I have to do, where do I start, and how can I do this and minimise any negative impact on my customers.

As well as having specific guidance for ecommerce operations, Tryzens has set out the top 10 generic steps all Retailers must take to mitigate risk in their business and implement effective GDPR disciplines to ensure compliance, as set out below:

  1. Check you have notified the Information Commissioner’s Office that you are a Data Controller (i.e. organisation that owns the data) – this is simple to do online at ico.org.uk
  2. Share information with management and your board on GDPR impact and obligations.
  3. Use a data self-assessment survey to identify risk and readiness for GDPR. A good one can be found at https://ico.org.uk/for-organisations/improve-your-pratices/data-protection-self-assessment/getting-ready-for-the-gdpr
  4. Update, or implement, both a formal data protection policy and privacy policy that covers the responsibility to secure data, with legitimate consent and for the sole purpose of lawful processing.
  5. Appoint someone responsible for leading, managing and monitoring GDPR compliance across the business.
  6. Prepare for the new law to be enforced by updating internal and relevant supplier processes, auditing personal data held by your business (for customers, prospects and employees) in order to ensure only relevant data is securely maintained.
  7. Update your Employee handbooks and train all your staff on GDPR and their obligations and responsibilities to comply with it.
  8. Check and/or update your data collection consent wording across your relevant channels.
  9. Check customer and supplier contracts, notably in regard to digital service suppliers that are part of your supply chain to provide service to your customers, as they may be Data Processors but the retailer remains the Data Controller and must be able to enforce their policies.
  10. Check your insurance coverage for compliance with GDPR.