
What does the GDPR mean for retailers?


For retailers, understanding who your customer is, their preferences and their purchase history is crucial to providing the level of tailored service that customers now expect. The personal data of your customer base is, therefore, a hugely valuable asset to a retailer, both online and high street. Personal data is the new oil: an extremely valuable asset. However, if not managed correctly, this data could also become a huge liability when the General Data Protection Regulation (GDPR) comes into force in May next year. Doing nothing could mean that you are automatically out of compliance.

The GDPR will apply to retailers in two key areas - direct marketing and profiling. The former in terms of how you obtain explicit consent from customers to allow you to market to them, and the latter in terms of how you profile their spending habits.

Retailers will need to provide clear Fair Notice

Retailers will need to provide Fair Notice to customers about how they intend to process their personal data and why. In order to be able to legitimately market to customers, retailers will need customers to tick an empty box to gain legal permission to market to them. Pre-ticked boxes will be a thing of the past. Make sure you are open and transparent about how you use cookies online and, when engaging customers through social media, understand that just because their information is in the public domain, it does not mean that you can harvest it and do what you like with it.

Most retailers use complex data analytics to measure and better understand the buying patterns of customers to maximise stock and margins, as well as to improve customer engagement and experience. This kind of profiling activity will be heavily regulated under the GDPR and will require clear and open transparency with the customer on how their data is processed. If you profile your customers, or plan to in the future, you will need to inform them in advance and make clear how you intend to profile them and for what purposes. Additionally, certain types of profiling will require explicit opt-in.

Risk Management and Compliance

Retailers, both online and high street, will have to put a risk management model around Privacy into effect, covering how they are processing personal data from initial collection, through to final destruction. This may prove a steep learning curve for an industry which traditionally has limited resources in this area. Retailers will have to demonstrate the same degree of compliance as other industries which are already heavily regulated - such as Finance and Medical.

The requirement to appoint a DPO

Retailers will need to assess if they are required to designate a DPO. According to Article 37 of the GDPR, a DPO should be designated if “the core activities of the controller or the processor consist of processing operations which... require regular and systematic monitoring of data subjects on a large scale” or, “the core activities of the controller or the processor consist of processing on a large scale of special categories of data”.

The retailer shall support the DPO by providing resources necessary to carry out those tasks and involve the DPO in all issues that relate to the protection of personal data. The DPO shall directly report to the highest management level of the Data Controller or Processor.

There are opportunities too

Retailers will also need to demonstrate the same level of careful thought and risk mitigation around how they process the data of employees. Despite the GDPR being the toughest privacy law in European business history, it shouldn’t be viewed negatively. If retailers act now, and get their GDPR ‘ducks in a row’, there are opportunities. Customer trust and brand loyalty in the retail sector are hugely important. If retailers can demonstrate open and honest practices in how they process the data of their customers, these customers will reward their trusted and favoured brands with loyalty. For those retailers which fail to manage compliance on an ongoing basis, the reputational risks are high, not to mention the huge fines: €20m or 4% of global turnover.

Manage the challenges and opportunities

There is no disputing the challenges and opportunities that the GDPR will bring to your organisation. PrivacyEngine works with some of the UK’s and Ireland’s largest retailers, both online and high street, to manage the challenges and harvest the opportunities. PrivacyEngine has extensive understanding and experience of all the primary business models and practical challenges which exist in the retail sector, and we have devised trusted methods for turning the requirements into opportunities.