Changing data protection rules for retailers

Are you ready for the GDPR?

The new EU General Data Protection Regulation (GDPR) is set to change existing data protection legislation from 25 May 2018, resulting in tighter data management rules for retailers that collect, use and share employee and customer “personal data” such as names, email addresses and transaction history.  We set out some of the key implications of the GDPR for retailers below.


The GDPR will replace the existing EU Data Protection Directive and introduce one set of largely uniform data protection standards across all EU countries.  The new rules have broad scope and will be relevant to organisations operating in or providing goods and services to the EU, whether or not those organisations are located in the EU.  As it is unlikely the UK will have left the EU before the GDPR go-live date in 2018, it is expected that the GDPR will apply in the UK initially and that there could also be equivalent legislation post-Brexit.


The “accountability” principle is a significant factor of the new rules and prompts businesses to develop a demonstrable, active culture of data governance and compliance.  Retailers will need:

  • to adopt internal policies and procedures, which are reviewed and updated from time to time;
  • to keep records about their processing activities (some retailers with fewer than 250 employees will be exempt from this requirement);
  • to consider appointing a data protection officer (DPO) (see Data Protection Officers below);
  • to implement a privacy by design and default process (e.g. putting in place suitable safeguards for each project and ensuring that only necessary personal data are held), so that any processing of personal data is properly considered and appropriate in each context;
  • where carrying out high-risk processing, such as using CCTV in store or profiling customers, to conduct privacy impact assessments and consider how any risks can be mitigated prior to processing.  Some high risk projects will need to be notified to the regulator in advance; and
  • to notify data breaches to the regulator and to individuals in certain circumstances (notifications to the regulator will normally need to be made within 72 hours).

Data Protection Officers

Under the new rules, organisations that regularly and systematically monitor individuals, or process sensitive personal data or criminal offences data, on a large scale as a core activity of their business will need to appoint a DPO with “expert” knowledge of data protection law and practice.  Retailers that track and profile customers online, for example, for the purposes of behavioural advertising or that use CCTV in shopping centres or stores may meet the threshold for a mandatory DPO.  Even if it does not apply, current guidance positively encourages the voluntary appointment of DPOs.

Whilst some retailers may already have an in-house DPO, the DPO role is more pronounced under the new rules with its own framework – including protection for DPOs against dismissal and penalties, and some obligations on organisations (for example, to provide resources).  Retailers needing a mandatory DPO should ensure that any existing DPO role will satisfy the requirements.  Those without a DPO should start to consider whether they will hire someone or use existing personnel.  The former may be preferred from a cost perspective, but will only be feasible if the DPO can balance the role with their other duties and will not be conflicted.

Where appointing DPOs voluntarily, retailers should be aware that the mandatory rights and obligations could apply and therefore should take care when scoping the role.

Prepare for changes to consents and privacy notices

Consents to various marketing and affiliate marketing activities and loyalty schemes currently use a mixture of opt-in (for example, unticked boxes) and opt-out methods (pre-ticked boxes).  The new rules, together with recent guidance, will mean that the use of pre-ticked boxes and terms that bundle consents to everything will need to change.  The GDPR favours methods which enable people to specifically and actively opt in and out of different uses of their data.

Privacy notices need to be more detailed and retailers will need to be prepared to state, for example, the planned data retention period or criteria.  Retailers should review their privacy notices and (if they rely on consent) their existing procedures for obtaining consent to ensure that they can comply with the enhanced requirements under the new rules.

New rights for individuals?

The new rules will strengthen existing rights of individuals and introduce new rights.  For example, individuals will have the right to have portable personal data and to have personal data erased.  Individuals will still be able to make subject access requests for personal data, although retailers will have less time to fulfil a request (30 days rather than 40 calendar days) and will have to provide more information.

Increased monetary penalties

The enhanced obligations will be backed by new and larger monetary penalties.  The current threshold of £500,000 will increase to a maximum of EUR 20 million or 4% of annual worldwide turnover in the previous year, whichever is higher.  This represents a substantial increase and means that data protection will become a significant risk factor for retailers when appointing third-party data processors.  They should therefore use the remaining time before 25 May 2018 to ensure that they are compliant with the new requirements.

If you have any queries or would like further information on GDPR and DPOs, please contact Beverley Flynn, Partner, Commercial and Data Protection.

First published in The Retailer, April 2017