GDPR in Retail

How Will GDPR Affect the Retail Sector?

What are some of the main concerns?

  • Adopting a privacy by design approach

  • Security of Endpoint Technology

  • Customer Data Processing notifications

  • Data Processing Agreements

  • Profiling

  • Customer Consent

  • Breach Notifications

  • Cross Border Flow of Data

Privacy by Design

One of the changes that the GDPR has brought about is the promotion of a privacy by design approach. This approach was not an existing requirement under the Data Protection Act (1998), making it a significant change. It makes data protection a top priority right from the start of any project.

The ICO suggests that organisations ‘build new IT systems for storing and accessing personal data, develop legislation that has privacy implications and embark on a data sharing initiative’.

Customer Data Processing Notifications

It is already a legal requirement that organisations notify the ICO of any processing of personal data. This includes any data from which a person can be identified:

  • Employment details
  • Loyalty card information
  • Email addresses
  • Location data

Under the GDPR, data subjects have the right to restrict processing of their data. This means that, in the event that the processing of their data is restricted, the retailer may store the personal data, but not process it any further.

Security of Endpoint Technology

Within retail, we have seen an increase in the number of endpoint technologies being used. These include kiosks and assisted sales devices. This is beneficial since it improves customer experience and ensures the business can keep up with web-based competitors. However, it also means criminals have more points of entry.

It is believed that 80% of retailers are deploying new technologies before they have the security in place to prevent a breach (research by Thales).

Under the GDPR, the importance of protecting endpoint technologies is higher than ever. This means going above and beyond standard controls and responses, and considering even the most extreme scenarios.

The retail industry is notorious for having one of the highest employee turnover rates. However, under the GDPR it is important to ensure that all staff, even those working under a temporary contract, are aware of the procedures in place to protect customer data.

Data Processing Agreements with Suppliers and Third-Parties

Within the retail sector, there is a requirement to have a written processing agreement with all data processors. This continues under the GDPR.

However, the GDPR outlines in further depth what should be included in these agreements.

They will need to highlight the required security measures, as well as the duty of the data processor to assist the retailer in the event of a breach or data portability request. Data processing agreements are also likely to be more heavily negotiated than before, since the GDPR introduces specific obligations for data processors.

Customer Profiling

Retailers profile customers in a variety of ways. For example:

  • The use of data obtained through the use of loyalty cards
  • Online behavioural advertising

As a result of the GDPR, profiling of an individual which may have a ‘legal effect’ will only be possible with informed consent. If the profiling does not entail the possibility of a ‘legal effect’ then explicit consent is not required. However, the retailer must bring their use of profiling to their customers’ attention. When doing so, they must be given the opportunity to object.

Profiling requirements under the GDPR are separate from existing e-Privacy rules, which still require you to obtain consent when placing cookies on an individual’s device. However, the European Commission has also issued a new draft e-privacy regulation which is intended to replace the existing rules.

This will come into effect at the same time as GDPR. Ensuring alignment with GDPR as well as new e-privacy rules should be a top priority for retailers.

Breach Notifications

The GDPR introduces new mandatory breach notifications to the regulator within 72 hours. In some cases, it will also be necessary to inform the affected data subjects.

Some of the most recent data breaches have involved companies within the retail sector. Therefore, it is of utmost importance that retailers carefully plan how a data breach would be dealt with.

They will also need to raise awareness amongst staff as to the procedure that is in place, and in some cases will need to roll this information across other groups that may be involved such as insurers and PR agencies.

Customer Consent

A trend that is becoming more commonplace in the retail industry is obtaining and using customer personal data for marketing purposes. The most prominent example of this is when, in-store, a member of staff asks for your email in order to send you an e-receipt. This data is then also added to the company’s mailing list, so as well as a receipt, the customer also receives regular marketing material.

Under the GDPR, retailers will have to ensure that a customer’s consent to receive these emails is fully informed and freely given. No details about the way in which their data will be used should be hidden, or hard to find such as within a long set of terms and conditions.

Cross-Border Data Flows

During the process of becoming GDPR compliant, retailers should also identify international flows of customer and employee data. This includes internal flows as well as those shared with third parties.

Retailers who operate overseas stores or online sales should already be complying with international data transfer legislation. However, in addition to these rules, the GDPR introduces a ‘lead regulatory authority’ which will deal with complaints and sanctions for retailers who process data across EU borders.

Do you need more information about how you can get ready for the GDPR? Arden Group has teamed up with Microsoft and Mimecast to bring you a complimentary GDPR Seminar in Birmingham.

Alternatively, contact a member of our team today to discuss your compliance plan.

We wish to emphasise that Arden Group is a Managed Service Provider and not a legal firm. Therefore, the views brought forward in this page are not necessarily shared by lawyers or courts.

Arden Group, therefore, does not guarantee that all information is factual and interpreted correctly. If you wish to ensure your advice or your company is legally covered by GDPR, consider consulting legal or specialised advice.