Imagine having no customer data, or significantly less: if you’re a big supermarket, you’d be without a key competitive advantage. Yet in less than a year shoppers will have the right to demand a retailer export all information about them, hand it to a competitor, and afterwards delete the original records.

This is just one way a piece of EU data legislation, the General Data Protection Regulation (GDPR), is going to transform the way retailers manage customer data. Failure to comply will result in fines of up to 4% of annual global revenue or €20m (£17.5m).

Tech teams have until May 2018 to comply. The headline requirements are enabling consumers to edit, extract, transfer and delete any data held on them by any part of the business. However, to consider GDPR only a tick box exercise for IT would be a mistake: it opens up huge opportunities and risks for new propositions and models.

Imagine someone decided to create a ‘data passport’ for consumers. Think of how many websites today allow you to log in via Facebook. That’s just the tip of the iceberg because as well as collecting personal data from multiple sources - from retailers to banks to car insurers - such a service will be able to request the original sources be deleted. That could be your customer data.

Personal information can be ported to any third party only when needed, such as for an online purchase or insurance quote, and removed once the transaction is complete. The business that created the data passport would hold all the power from the customer data. In turn the customer would know their data is securely held in one place by a company they trust.

With their data in demand and back under their control, customers will have the power to expect more personalised benefits in return from the data passport company. It could be a shopping app that aggregates all the best deals and prices on their favourite brands into one ‘basket’. Another way could be aggregating groups of users with similar spending habits (such as certain products and brands) to get bulk deals. These new propositions could transform shopping habits.

Supermarkets need to ask themselves whether they want to take on a role holding their customers’ data passports. There are clear benefits, but it will place additional burdens on data storage and increase pressure to attract and retain the best data personnel. But if they don’t do it, someone else eventually will.

It will be important to be able to defend against anyone else using GDPR to take your business’ data - and this could be any kind of business. One technique may be to have smart ways of anonymising data that preserve business insights even if an individual asks for their specific dataset to be deleted. Also, invest in becoming a brand people trust - by both securing your data and communicating this to customers.

Preparing for when GDPR places data firmly back in the hands of customers has to be done now. It becomes law on 25 May 2018. Retailers need to avoid dismissing it as something for the tech team to deal with.

Duncan Brewer is partner - retail and consumer goods practice at Oliver Wyman