The General Data Protection Regulation (GDPR) comes into force in May 2018, and every retailer holding or processing the data of employees and/or customers needs to not just be aware of GDPR, but become compliant with it.

If you’re unsure of what GDPR compliance actually means in practice, you’re not alone - about half of small businesses are in the same boat.

What is the GDPR?

The GDPR seeks to unify current data protection regulations across the EU whilst strengthening the rights of individuals with regard to their personal data. For UK businesses, the GDPR is, in practice, an extension of the Data Protection Act. We recommend heading to the Information Commissioner’s Office (ICO) website for a detailed look at the new requirements.

What retailers need to do

If you collect any data on customers or employees who are EU citizens, you need to work to be compliant with the new rules. The two biggest changes you need to make are related to data consent and data rights.


Data consent

If you want to process personal data, you must have a lawful basis for doing so. For most marketing communications, that lawful basis is usually the consent of the individual. Under the GDPR, consent will need to be as easy for the individual to withdraw as it is to provide. You mustn’t hide consent requests in your terms and conditions, or use pre-ticked boxes - the opt-in must be positive, clear and concise.

Data rights

Individuals have more rights over their data, including the right to ‘be forgotten’ (where their data must be erased if there’s no compelling reason for it to continue to be processed), the right to rectification (where personal data is inaccurate or incomplete), the right to be informed that their personal data is being processed, and the right to access their personal data.

It’s the right to access data that is perhaps the most notable for retailers. You must respond to a subject access request within a month of receipt, and for no charge, as long as the requests aren’t overly complex, repetitive, or excessive.

First steps

We highly recommend seeking legal advice regarding the precise steps you need to take to be GDPR compliant, but all retailers should take the following initial measures:

  • Create a data map. Record every route that personal data takes through your business, including entry points (at the point of sale, on your website etc.), how and where it’s processed (within the EU or internationally?), any third party processors, and when data is typically deleted.
  • Create processes for managing new data rights. Who will respond to requests for erasure, rectification and deletion? You also need to plan how to quickly draw together the personal data of an individual in response to a subject access request. Your data map will help with this.
  • Training and awareness. Ensure that your employees are aware of the GDPR and what it entails. There’s no harm in strengthening your cyber security policies, either.


Regardless of the outcome of the Brexit negotiations, all UK retailers need to comply with the GDPR or risk severe fines. GDPR may be complex legislation, but if you’re already compliant with the Data Protection Act (or comparable rules in your country), then you won’t need to make too many changes.

The information in this article is for information purposes only. It is not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances.