Posted on 27 February, 2019  |  15 mins

You’ll likely have heard the term GDPR bandied about a lot for the past year or so—and while it’s a mouthful (its full name is the General Data Protection Regulation), it’s actually just the name for the updated Data Protection Act that contains the personal-data-handling rules all businesses should follow, if they are based in the EU.

You see, the old UK Data Protection Act worked fine way back when we didn’t shop online, collect customers’ email addresses, use store cards and record phone calls with customers. But now, since all of that is the norm for many retailers (and other businesses too!), an update is long overdue.

So the updated version (which became binding UK law on 25 May 2018) now includes the protection of data gained through these and many other typical retail and shopping practices in which we all engage pretty much daily.

In short, the updates brought in by the GDPR provide us with the latest version of the rulebook for how businesses of all types, models and sizes must deal with particular types of information in the ever-changing digital business age.

In this guide, we’ll explore what the rules really mean, including the key elements that are particularly applicable to retailers. We’ll cover what sort of data is covered by the rules, where it comes from and how you may be collecting and storing it (even unintentionally), what you can (or can’t) be doing with these data, and how to keep things practical and compliant when it comes to everyday retail and marketing interactions.

We’ll also share some helpful tips and tools for how to data-map your business, and how you can ensure you’ve got the right contractual documentation in place, containing the right clauses to make it legally compliant in light of these changes.

Getting to grips with key GDPR jargon

OK, so before we go any further, let’s clear up a few relevant legal terms for items or activities that crop up a fair bit in discussions about data-handling obligations:

Personal data: Any information from which a living individual can be identified. For example, a name, credit card details, an email address or an internet IP address.

Special categories of personal data: Certain sensitive types of personal data. This is any information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, or that is health, genetic or biometric information. (These types of data must be handled even more sensitively.)

Data processing: Any activity (or series of activities) in relation to personal data, which can include collection, recording, retrieval, storage, consultation, use, alteration or amendment, transmission, disclosure, deletion or destruction of the personal data. We’re all doing this with personal data on a very regular basis.

Data controller: That’s most of us. A business or organisation that collects personal data and makes decisions about what to do with it. Whatever type of business activity you do, your business will probably be a data controller.

Data processor: Fewer of us fall into this category. These are businesses or organisations that you may ask to provide you with particular services that happen to involve the processing of personal data on your behalf, for example, the businesses that host your website, help you send your email campaigns and who manage your payroll requirements. If you were doing these activities yourself, you’d be both controlling and processing the data. But if you’re doing these activities for others, you’re classified as a data processor.

Data protection officer (DPO): Someone who’s nominated by a business to oversee data protection compliance and to interact, as required, with the Information Commissioner's Office (ICO). It’s only mandatory for businesses with more than 250 employees and/or those whose activities deal with exceptionally sensitive data, such as an individual’s religious beliefs, trade union membership, racial or ethnic origin, sexual status, physical health and mental health—but any business can decide to have a DPO if they want to and there may be some benefits in doing so. Even if you don’t appoint someone specifically, you’re still going to need someone in the business who is on top of your data activities and can efficiently handle data requests or any reporting requirements.

Data protection impact assessment: Also called a ‘DPIA’. This is the process of systematically and proactively assessing the potential impact of your technology, initiative or project on any relevant personal data, so that any identifiable possible problems can be removed, or their risks mitigated, in advance of any changes or work commencing.

Privacy notice(s): You should now be using a number of these as you operate your business. Alongside your usual legals containing terms and conditions, disclaimers and any other materials (like website cookies policy notices), you should have a privacy notice on your website, one readily accessible to cover your general trading relationships, one for employees, contractors and workers and one for job candidates where you’re undertaking recruitment activities. There may well be a need for others, depending on the type of business you operate. While a data protection policy and procedures outline what you’ll do to protect data and what process you’ll follow if there’s a breach (and these are often more internal-facing), privacy notices are outward-facing public statements that contain the detail of what data is being collected in connection with a particular activity, as well as how it will be used, stored and shared, and of course, how long it may be retained before it’s deleted.

The ICO: The Information Commissioner’s Office; AKA the UK’s information (or data) protection regulator. The ‘Office’ is an independent public body that reports directly to Parliament and enforces the UK’s data protection regime. The Information Commissioner leads the organisation and is directly appointed by Parliament.

Subject Access Requests: So ‘subjects’ are individual people. And as individuals, we’re entitled to ask businesses holding our personal data to tell us which data they are holding on us and why, as well as how long they will be keeping these data. These requests are called ‘subject access requests’ (you’ll sometimes see the acronym ‘SARs’ used as well). In some cases, as individuals, we’ll be able to prevent those businesses from continuing to hold our personal data. 

Five essential facts you should know from the outset

There’s been a lot of reporting on the changes brought in by the GDPR. Let’s boil things down to what really matters. We’ll start with the five main facts that are important to know:

  1. We’re in it together. Almost all UK businesses, regardless of their type, business structure or size, are affected by these rules and the recent updates.
  2. Brexit will not change this. The UK government has made clear that it intends to keep the newly updated rules in place once the UK leaves the EU.
  3. Penalties for non-compliance with the rules have increased. However, the ICO has also made very clear that the predominant purpose of this law is not to fine businesses and that they have no desire to cripple any businesses for non-compliance.
  4. How you process personal data is key to compliance. This includes how you collect, use, share and store any information relating to an identifiable person who lives in the EU.
  5. Consent is vital. At the root of it all is the need to have express consent from that identifiable person (often called a data subject), for any and all activities involving the processing of their data.

It’s long been the case under UK law that...

Personal data must be:

  1. Collected and used fairly and lawfully by all businesses and the individuals within them
  2. Held and used for one or more clearly specified reasons that are legitimate
  3. Handled in a manner that’s compatible with your registered purpose(s) and with what you told the individual when you collected it
  4. Adequate, relevant and not disproportionate or excessive given the purpose for which you are collecting and using it. Only collect, use and keep what you reasonably and legitimately need
  5. Accurate and up to date—this is an ongoing duty. So, if someone moves, or the data changes, you must update the records you hold
  6. Deleted once it’s no longer strictly necessary for your legitimate purpose in collecting, using and storing it
  7. Secure—this includes ensuring that it is backed up and access-protected, with access permitted only to those authorised to see it (and those authorised to see it should be on a strictly ‘need to know’ basis)
  8. Kept within the European Economic Area—unless the recipient to which the data is sent or shared is based in a country which has similarly robust data protection rules in place.

The latest updates mean that…

Many of these original principles and requirements have simply been adapted and/or expanded to meet modern realities. Broadly, they can be categorised into four main groups:

  1. Individuals’ rights
  2. Internal procedures and administration
  3. Supervisory authorities and reporting obligations
  4. Accountability and penalties.

Let’s look at each of these in more detail…

1. Individuals’ Rights

What’s justified

The legally recognised justifications for you as a business to collect and use personal data typically include:

  1. a ‘contract reason’, meaning the data is needed so that a business can perform its contractual obligations to its contract partner
  2. a ‘legitimate interests reason’, meaning the use of personal data is necessary for that business’ (or a third party’s) lawful interests, so long as that legitimate interest does not override the individual’s fundamental rights, freedoms or interests
  3. a ‘legal obligation reason’, where a business must use an individual’s personal data in order to perform a legal obligation by which it is bound (like paying an employee); and
  4. a ‘consent reason’, where an individual has given their consent to the use of their personal information for a specific reason or specific reasons.

There are other, less common reasons contained in the updated legislation as well. Our templates remind you about them too and will help you decide whether they’re applicable in your case.


Whatever activities you carry out, demonstrating that you have the specific consent of each individual person (or ‘data subject’) to your collection and handling of their personal data is vital to evidencing your legal compliance.

Under the updated regime, data-controlling businesses must now do more to obtain an individual’s consent to the collection and use of their personal data and to evidence that they have this consent for all the purposes for which these data are used.

A data subject’s consent must be ‘freely given, specific, informed and unambiguous’; and it must be expressly given for a clearly understood purpose.

In practical terms, this means that as a business, you must use clear and plain language to inform people about how you collect, use and store their personal data. And you must present this information in a manner that ensures it stands out from any other content that may accompany it (i.e. it’s not in small print and therefore can’t easily be overlooked).

So when you display your trading terms and conditions on your premises, website, catalogue or paperwork, for example, those terms will need to contain the right clauses to meet this requirement. And you’ll need a further privacy notice (or notices), which explains more about your approach to keeping personal data secure, why you believe it is necessary to collect and use it (there are various categories of justification) and how it will be used. In both cases, these materials must be easily accessible to those with whom you’re interacting.

And, crucially, the language you use must also carry a clear and unambiguous message to the recipients of these terms and other business materials that they are perfectly within their rights not to consent to your collection and use of their data, and it must be clear to them what happens if they do not consent (which might be that you inform them you cannot do business or interact further with them as a result).

A related, key amendment is that consent can no longer be inferred from an individual’s inaction. For example, if a recipient does not react to a communication from you stating your intention to send them your newsletter or to include them in your club membership, their lack of response cannot be treated as their implicit agreement to you carrying out or continuing that activity in relation to them.

Additionally, businesses are no longer allowed to automatically pre-select tick boxes on behalf of individuals or set general ultimatums (e.g. ‘unless you reply and say ‘no’, we’ll assume you’re happy to be included…’). This is not ‘freely given, specific, informed and unambiguous consent’ according to the revised laws.

Under the latest revisions to the law, for consent to be granted, the receiving individual must have unambiguously signalled their agreement by ‘a statement or a clear affirmative action’.

You must keep a record of that consent too. Without evidence of this, and/or where it’s not clear whether there was consent or not, you’ll be treated as having acted unlawfully in handling that individual’s personal data.

The new right to be forgotten

The updated law gives individuals a new right: to be forgotten, meaning that if you’re a data controller, individuals can ask you to delete their personal data if there’s no compelling reason for you to continue to handle or process it.

You’ll also need to ensure that any data processors working with or for you also delete this personal data.

You can find more on this right in Farillio’s suite of data asset management and data protection materials, including Farillio’s guide to the right to be forgotten.

The new right to data portability

Individuals are permitted to request that a copy of their data is provided to them, without charge, in a common format—i.e. one that they can clearly access, read and understand.

Importantly, under the amended regime, this format should also enable them to reuse that data for their own purposes and it must be machine-readable, enabling the individual to easily transfer it across different IT services in a secure way.

The right applies where personal data has been provided to a data controlling business, with the individual’s consent, and the use (processing) of this particular personal data is carried out by automated means.

From a practical perspective, this means that however you’re holding data, if you’re holding data belonging to one individual alongside data belonging to other individuals (as most of us do, e.g. in a spreadsheet or central account), you’ll need to ensure that data belonging to those other individuals are not disclosed at the same time.

Access to data requests (subject access requests)

These rights are enhanced to remove (in most cases) the ability for the data controlling business to charge an admin fee of up to £10 in response to requests by individuals to view and to copy their data.

A charge will now only be justified where the business can show, clearly and justifiably, that the cost of fulfilling the request is excessive. (This argument, the ICO tells us, will only rarely be accepted.)

Requests to have access to, and copies of, these data must now be fulfilled by the data-controlling business within a month, and you can only refuse to fulfil them if you can prove that the request was manifestly unfounded or excessive.

Your business’ data protection policy and procedures and your privacy notices have never been more important in empowering you to identify how you handle, and when you can refuse, these requests. You’ll need very clear criteria for refusal decisions. Make sure you’ve had an expert review these carefully.

Further reading from Farillio:
Guide to requests from individuals about their data
Guide to lawfully handling employee data

2. Internal and administrative procedures

Businesses must now provide greater evidence that their data-controlling processes are compliant. There are a number of new principles and requirements governing how data controlling and data processing entities must operate.

Data protection officers (DPOs)

Most small businesses will be able to continue to operate lawfully without a DPO, but the ICO strongly recommends that, wherever possible, someone within your business is appointed as one. Some organisations, such as public bodies or those carrying out particular activities (e.g. large behavioural monitoring research studies) are required to have one regardless of their size.

Further reading from the ICO:
Fact sheet about data protection officers

The GDPR doesn’t specify credentials for DPOs, but the ICO has made clear that it should be someone with professional experience and knowledge of data protection law. Businesses who do appoint one should ensure, amongst other things, that the DPO reports to the board.

Further reading from Farillio:
Guide to whether you need a data protection officer

Data protection by design and default (including DPIAs)

You now have a legal obligation to consider and include data protection obligations whenever you start new projects, introduce new systems or change your existing operational policies and practices. In short, data protection will need to be wired in, from the outset, to all strategic decisions that you make, so that you are taking into account the personal data impact of anything that you do/plan to do.

This evaluation exercise is called a ‘data protection impact assessment’ (DPIA). You’re expected to systematically and proactively assess the potential impact of your technology, initiative or project on any relevant personal data, so that any identifiable possible problems (like not having express consent for a particular planned activity, or sharing data with someone who is not legally permitted to process personal data on your behalf outside the EEA) can be removed or their risks mitigated, in advance of those changes or that work commencing.

You should document the outcome of this assessment in every case, so that you will be able to demonstrate it has taken place and that its consequences are a legally compliant approach by your business.

For businesses with more than 250 employees (or those with fewer but whose activities involve sensitive personal data), internal records of all processing activity must also be kept.


Just like your data protection policy and procedure and privacy notice documentation, you’ll also need to take a look at your contracts, especially those between you and any data processing businesses with whom you may work or on whom you rely. (Remember that these businesses include anyone who is holding, hosting, processing or storing personal data for you—like payroll companies, hosting providers, accountants, consultants, and email marketing and/or market research businesses.)

There are new rules about what these contracts must say on data protection matters.

Equally, data processors will need to consider their own contractual terms and conditions. As far as personal data is concerned, data-processing businesses must now operate only on the written instructions of the data-controlling business, they must ensure the security of the data that they process in line with the updated legal requirements and they must keep clear and precise records of their processing activities in an easily presentable format.

3. Supervisory authorities and reporting obligations

There’s no longer a need to register with the ICO.

The revised regime removes the need for you to register your business with the ICO as a data controller (which used to be a mandatory requirement). However, you will still need to pay a fee to the ICO.

Registration and Fees with the ICO

Data controllers must pay the Information Commissioner's Office (ICO) a fee every year unless one of the exemptions applies to them (see below).

If you paid a fee under the old legislation (Data Protection Act 1998) then you don’t need to pay the new fee until your existing registration ends. The ICO will assume that you must pay the Tier 3 fee until you provide them with information otherwise.

If you’re required to pay a fee, then there are three different tiers and these depend on the number of staff (which is an average across your financial year and includes all employees, workers and partners) that you have, your annual turnover and whether you are a public authority, charity or small occupational pension scheme.

  • Tier 1 fee of £40—this applies if you have a maximum turnover of £632,000 for your financial year or you have no more than 10 members of staff.
  • Tier 2 fee of £60—this applies if you have a maximum turnover of £36 million for your financial year or you have no more than 250 members of staff.
  • Tier 3 fee of £2,900—if you don’t meet the criteria in Tier 1 or Tier 2 then you must pay the Tier 3 fee.

As explained above, data controllers must pay the ICO a fee unless one of the exemptions applies. A data controller does not need to pay the fee to the ICO if it’s processing personal data only for one or more of the following reasons:

  • Staff administration (i.e. for appointments, removals, remuneration, discipline and other personnel/staff matters);
  • Advertising, marketing and PR of your business' goods or services;
  • Accounts and records (i.e. deciding whether to accept a customer or supplier and keeping records of your own transactions);
  • Not-for-profit purposes;
  • Personal, family or household affairs (i.e. not for commercial or business purposes);
  • Maintaining a public register;
  • Judicial functions (unlikely to apply);
  • Processing personal data without an automated system (such as without a computer).

If the data controller is processing personal data for any reason other than those set out above then it must pay the relevant fee to the ICO.

The ICO has useful self-assessments about whether you are required to pay and if you do need to pay, how much you need to pay (follow the links for more information).

The law does permit businesses with multiple offices across the EU to have a ‘lead supervisory authority’ to act as a central point of contact on all data protection matters and to ensure efficiency and consistency in the way that businesses can comply with their obligations.

Reporting breaches

Personal data breaches must now be reported by a data controller to the ICO within a maximum of 72 hours of the data controller discovering it (unless, exceptionally, the breach concerned anonymised or encrypted personal data).

You must also notify affected individuals who could be harmed by a data breach. Harm might take the form of an actual or potential identity theft, or a breach of an individual’s confidentiality.

Take a look at our separate guide on data breaches—what you need to know, for more guidance about how and what to report, to whom and when.

4. Accountability and penalties

Who’s now accountable?

The updated law casts its net far wider than the outgoing regime. It applies not just to EU-based businesses and organisations, but also to non-EU-based data controllers and data processors, if:

  1. they offer goods or services within the EU or
  2. they monitor behaviour of individuals whose activities take place in the EU.


There’s a new technical concept of ‘accountability’ imposed on businesses handling personal data.

It requires you, as a data controller and/or data processor, to show to your relevant supervisory authority that you comply with the GDPR and its principles.

The obligations extend from the recording of processes (current and new) and how regularly they are reviewed and updated, to the use of data privacy impact assessments, and to staff training, to evidencing appropriate disciplinary policies and procedures and your approach to enforcement of these.

(See our short guide to the new accountability principle under the GDPR for more information.)


Penalties are far weightier under the new regime. Fines are not the only penalty for personal data breaches, though they are the one that tends to command the most attention: up to £17m in the UK or 4% of the controlling or processing business’ global annual revenue, whichever is the greater.

What are the essential steps?

There are 14 main things you need to do to achieve (and be able to demonstrate) your continuing compliance under the revised legal regime. Remember that they are not a one-off tick-box exercise. You will need to keep them, and compliance with them, regularly under review:

1) Data mapping. Identify:

  1. The personal data you currently hold
  2. How the data is stored and processed
  3. How you obtained personal data
  4. The purposes for which the personal data is used
  5. The lawful basis for using the personal data
  6. Who the personal data is shared with (if anyone).

Don’t forget that this isn’t just about customer personal data. It also covers your employees and people you contract to provide you with services or supply you with goods. Make sure you’re looking across your whole business at all points of interaction and communication where you’re ending up with personal data belonging to individuals.  


2) Data minimisation

  1. Ensure the data you hold is only used for the reason it was originally obtained
  2. Securely delete any data that’s no longer needed. There are legal rules on how long you may need to keep some types of information. Farillio’s template documentation contain guidance and drafting suggestions on retention periods applicable to each type of data.

3) Review of procedures and policies. Include:

  1. Details of your organisation and other data controllers with whom you may be connected or interact
  2. Purposes to which you put these personal data
  3. Description of categories of individuals and categories of personal data
  4. Categories of recipients of personal data
  5. Details of transfers to third countries and details of safeguarding measures
  6. Retention schedules (how long you’re keeping items of data and why)
  7. Description of technical and organisational security measures for the personal data
  8. Internal data protection policies
  9. Implementations that meet principles of data protection by design and default
  10. Your staff’s understanding of the data protection rules. You must give them training where necessary to ensure their understanding.


4) Check that your policies and procedures cover the individual’s right:

  1. to be informed
  2. of access to what you’re holding on them
  3. to rectification of any errors or out of date information
  4. to erasure (or the right to be forgotten)
  5. to restrict processing—withholding their consent from some activities that you might want to use their data for
  6. to data portability, so they can see, download and use their personal data in the format in which you’re holding it
  7. to object to you collecting and using their personal data
  8. not to be subject to automated decision making or profiling. (‘Automated decision making’ is where a decision is automatically made by a system without any human involvement. Under data protection legislation, this includes profiling. ‘Profiling’ is the automated processing of personal data to evaluate or analyse certain personal aspects of a person (such as their behaviour, characteristics, interests and preferences). Typical applications of profiling include use of online behavioural advertising (such as targeted online ads based on browsing behaviour), credit scoring as part of a mortgage or finance application and the use of artificial intelligence and machine-learning, for example, for Internet of Things applications.)

5) Review your privacy notices, making sure they’re transparent, concise, easy to understand and easy to access for your customers, suppliers and employees, and that they include:

  1. Your business’ identity and contact details
  2. Details of how data is used by your business
  3. A clear explanation of the lawful basis on which you rely for processing data and if you rely on the ‘legitimate interest’ basis for processing personal data belonging to individuals, then these legitimate interests must be explained in your notices and communications with those individuals
  4. Details of any transfers of personal data to other countries and the safeguards or compliance efforts you’ve taken
  5. Your data retention periods
  6. Explanation of individuals’ legal rights
  7. Whether you’re carrying out automated decision making (including profiling), plus the significance and consequences of this

Top tip: Double check on Farillio that you’ve got all the ones you need—as there are quite a few variations and, depending on your business, you’ll need different ones of these.


6) Ensure you’re equipped to handle individual data access requests (subject access requests—SARs)

  1. Keep your data handling procedures up-to-date, accessible and clear, ensuring everyone relevant also fully understands how you handle these requests when received, and how you ensure you meet the one-month deadline
  2. Train (and refresh) staff to recognise subject access requests when they arise (remember they can come from all sorts of angles, including potentially over live chat and direct or private messages via social media channels). While your privacy notices and terms may make clear how requests should be made, individuals may not always follow the ‘official’ paths and may need to be directed to them in a manner that is not (and is not perceived as) a delay tactic
  3. Remove any SARs fees from your website/documentation if your old terms contained the right to charge for providing access and copies.

7) Review the consents you’ve received from individuals. They should be:

  1. Freely given (which is especially important to evaluate where there is an imbalance in the relationship, such as between employee and employer, where arguably the employee feels they have no choice but to hand over personal data)
  2. With affirmative action (i.e. opt-in boxes rather than relying on opt-out boxes or pre-ticked opt-in boxes)
  3. Specific—meaning attached to a particular use and not a blanket consent to any type of use
  4. Easily revocable (i.e. people must be able to easily withdraw their consent)

And consent requests should:

  1. Be displayed clearly and prominently
  2. Include your business name and details of any third parties with whom you may be sharing the data
  3. Include an explanation as to why you want the data and how you will use it (including how any third party contracted by you will use it)
  4. Ask individuals to opt in
  5. Give the individual sufficient information to make a choice. If there are different purposes for processing data, they should be able to opt in separately for each purpose (i.e. it should not be one opt in for all)
  6. Be separate to other terms and conditions
  7. Provide details of how consent can be withdrawn
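The consent tests in this step (and in the consent discussion under ‘What’s justified’ above) can be enforced in code rather than left to whoever builds the sign-up form. The following is an added example, not code from this guide or from Farillio; the customer id, purposes, form names and notice version are constructed. The ledger rejects pre-ticked boxes and silence, records consent per purpose, allows withdrawal at any time, and treats a missing record as no consent, which is exactly how the ICO will treat it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ConsentError(ValueError):
    """Raised when a record would not be ‘freely given, specific, informed and unambiguous’."""


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry: an opt-in or a withdrawal for ONE named purpose."""
    subject_id: str
    purpose: str           # a single, specific use such as "email_newsletter"
    granted: bool          # True = opt-in recorded, False = consent withdrawn
    source: str            # where it was captured, e.g. "web_checkout_form" (constructed)
    notice_version: str    # the privacy notice the individual was shown at the time
    recorded_at: datetime  # UTC timestamp, so the consent can be evidenced later


class ConsentLedger:
    """Append-only store: one purpose per record, affirmative action only, withdrawal always possible."""

    def __init__(self, purposes):
        self._purposes = set(purposes)      # the specific purposes your privacy notice describes
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, subject_id: str, purpose: str, *, ticked_by_subject: bool,
                      pre_ticked: bool, source: str, notice_version: str,
                      when: Optional[datetime] = None) -> ConsentEvent:
        """Store consent only if it came from an affirmative action for one named purpose."""
        if purpose not in self._purposes:
            raise ConsentError(f"unknown purpose {purpose!r}: consent must name a specific use")
        if pre_ticked:
            raise ConsentError("a pre-ticked box is not consent; the box must start unticked")
        if not ticked_by_subject:
            raise ConsentError("silence or inaction is not consent; an opt-in action is required")
        event = ConsentEvent(subject_id, purpose, True, source, notice_version,
                             when or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def record_opt_ins(self, subject_id: str, choices: Dict[str, bool],
                       **capture) -> List[ConsentEvent]:
        """Separate opt-in per purpose; unticked purposes get no record, so they stay unconsented."""
        return [self.record_opt_in(subject_id, p, ticked_by_subject=True, pre_ticked=False,
                                   **capture)
                for p, ticked in choices.items() if ticked]

    def withdraw(self, subject_id: str, purpose: str, *, source: str,
                 when: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is always accepted and appended; the original grant is never edited."""
        if purpose not in self._purposes:
            raise ConsentError(f"unknown purpose {purpose!r}")
        event = ConsentEvent(subject_id, purpose, False, source, "n/a",
                             when or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # Ledger order is the order events were recorded, so the last match is the current state.
        hits = [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]
        return hits[-1] if hits else None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only if the most recent event for this subject and purpose is a grant."""
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The record you would produce on request: the live grant, or None if there is none."""
        latest = self._latest(subject_id, purpose)
        return latest if latest is not None and latest.granted else None


def demo() -> Dict[str, bool]:
    """Constructed walk-through with a made-up customer id; returns the checks it makes."""
    ledger = ConsentLedger(["email_newsletter", "sms_offers", "share_with_partner"])
    # Checkout form with three SEPARATE, initially unticked boxes; the customer ticks only one.
    ledger.record_opt_ins("cust-0042",
                          {"email_newsletter": True, "sms_offers": False, "share_with_partner": False},
                          source="web_checkout_form", notice_version="privacy-notice-2019-02")
    results = {
        "newsletter_consented": ledger.has_consent("cust-0042", "email_newsletter"),
        "sms_not_consented": not ledger.has_consent("cust-0042", "sms_offers"),
        "unknown_subject_no_consent": not ledger.has_consent("cust-0099", "email_newsletter"),
    }
    try:  # a legacy page with a pre-ticked box: rejected outright, never stored
        ledger.record_opt_in("cust-0042", "sms_offers", ticked_by_subject=True, pre_ticked=True,
                             source="legacy_signup_page", notice_version="privacy-notice-2019-02")
        results["pre_ticked_rejected"] = False
    except ConsentError:
        results["pre_ticked_rejected"] = True
    ledger.withdraw("cust-0042", "email_newsletter", source="unsubscribe_link")
    results["withdrawal_honoured"] = not ledger.has_consent("cust-0042", "email_newsletter")
    results["evidence_gone_after_withdrawal"] = ledger.evidence("cust-0042", "email_newsletter") is None
    return results
```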

8) Assess your security, technical and organisational measures

  1. Make sure you have appropriate technical and organisational measures in place to protect personal data and keep a clear picture of what’s coming in and how you’re using it (including how others may be using it on your behalf)
  2. Take into account the risks represented by processing the data and the nature of the data itself

9) Ensure you have a relevant security breach policy

  1. Ensure that you have procedures in place to detect, report and investigate a data breach

10) Conduct regular Data Protection Impact Assessments that include:

  1. A description of the use of data and the purposes for use
  2. The proportionality of the use of data in relation to the purpose
  3. Any risks to individuals in this collection and processing activity and your measures in place to address the risks

11) Review third-party contracts

  1. Review your third-party contracts, and ensure you at all times have a written, compliant contract in place if you use data processors
  2. Ensure the right safeguard measures are in place if you transfer personal data outside of the EEA

12) Make your policies child friendly

  1. Ensure your privacy notice would be able to be understood by a child where there is a reasonably foreseeable possibility that your product or service might be used by a child (whether intended for a child or not)
  2. Ensure you have processes in place for obtaining parental permission for the use of a child’s personal data if this is the case.

13) Consider appointing a data protection officer

  1. It’s not mandatory for businesses with fewer than 250 employees, but at the very least, where you have a team of people working with you, you should nominate a staff member to be responsible for your data-handling activities and to ensure legal compliance

14) Keep data protection under review

  1. Classify any new types of personal data that you process
  2. Recognise any new purposes for how the personal data may be used
  3. Identify any new parties with whom the personal data may be shared
  4. As a result of the above, identify any updates that are required to your policies and privacy notices or to the boundaries of the consents you have in place already—they might need expanding with new express consents
  5. Review the security of personal data that you’re holding
  6. Implement data minimisation measures so that you delete anything you no longer need (and are permitted by law to delete).

And what, specifically, does this mean for you as a retailer?

Really, it depends how you’re selling your products. The UK’s legal regime is designed to protect the personal data of individuals rather than businesses—so if your customer base is consumers rather than businesses, these laws will apply to you.

A common question that many small businesses have regarding the recent updates to the data protection laws is whether they now have to delete the entire email list they’ve spent lots of time, effort and money building up, given that they may have built it using opt-out methods or bought the contact details.

The answer is that it depends on who the contacts on your email list are.

If they’re individuals (and that includes not only consumers but sole traders and partnerships too), there’s no need to delete if:

  1. You have legally compliant (affirmative, opt-in and informed) consent from the individual
  2. They were given the option to opt out at the time their data was collected and you now give them the option to opt out with each message you send them.

If you can’t say yes to the above criteria, you may still have a legitimate business interest, legal obligation or contract reason for having their data on your list. But you'll need to check these carefully and ideally take expert advice, because if you don't, you may be on shaky ground if you continue to keep and use the personal data of these individuals.

If they’re businesses, including limited companies (public or private) and limited liability partnerships: there’s no need to delete what’s in your database if:

  1. You provide those listed with an option to opt out with each email they receive from you. If they do not opt out, you can safely continue to communicate with them
  2. Each email’s content is relevant to the recipient’s specific role and the organisation as a whole

But it’s not just the type of customer that will affect how the data protection law applies to you. It also depends on how and where you sell your goods:

  1. Online (e.g. from your own eCommerce website)
  2. In store (e.g. in a bricks-and-mortar shop)
  3. Distance (e.g. via catalogues and telephone)

If you sell online or are a distance seller...

… your customers typically need to share more of their personal data during the browsing and transaction process of shopping. Therefore, you may well have a greater data protection burden than a bricks-and-mortar store would—as their customers can often simply buy a product without so much as sharing their name.

Distance sellers via catalogues/telesales may also hold a fair amount of data on those to whom they sell; it’s typically not as extensive as an online retailer’s, but it can be considerable.

So, what are some main ways personal data is processed by online and distance retailers, and if you’re one of these types of retailer, what do you need to do to stay within the rules?

Cookies

Of course, this won’t affect you if you’re a distance seller without a website—but if you’re an online retailer, your eCommerce store will leave cookies on the computer, tablet or phone of anyone that uses your website.

These are small pieces of text data that in various ways help to improve the online experience: from essential cookies that make the site work to non-essential cookies that let you know more about the visitor’s interests.

In line with laws around data protection and consent, the UK’s Cookie Law was introduced to ensure all website visitors have the opportunity to opt out of having their data collected in this way. This is why you see cookie notices on the websites you visit: they generally alert you to the fact that the website uses cookies and that, if you continue to browse the site or click to consent, you’re agreeing to the website collecting the personal data it learns about you during your browsing activity.

Further reading from Farillio:
Guide to cookies on websites

Email newsletters

Email marketing is a fantastic way to get your latest offers and news in front of an engaged relevant audience. As explained earlier, there are specific rules regarding how you can email your potential or current customers, and this depends on whether they’re individuals or businesses and whether or not they can opt out at any time.

The ways in which you can add individuals to your email subscription list are stricter under the recently updated rules. Before the GDPR came into force, you could manually sign customers up to your mailing list so that they would receive your marketing communications automatically—for example, if they gave you their email address whilst purchasing something from you, or handed over a business card, you could simply and lawfully add their email details to your mailing list.

However, this is no longer allowed—and isn’t actually a particularly effective way of building an interested email audience! Instead, the customer themselves will have to physically tick a box or take some other affirmative action (we’ve seen people at business events signing their own business cards and stating they’re ok with being sent material) so that they can be said to have opted in to receive any marketing communications from you.

Also, if you’re outsourcing any of your store’s marketing activities to an agency, you’ll need to check that the terms of your contract show that the agency will be processing your customers’ data correctly. For example, many small businesses use third-party email campaign tools such as Mailchimp so that they don’t have to send emails directly from their normal email account, and so they can get detailed analytical information on how their email campaigns perform.

Further reading from Farillio:
What does the GDPR mean for marketing activities?

Phone communications

If you record telephone conversations whilst selling over the phone, you’re not permitted to allow that recording to continue at the point where the customer shares their payment details—for example, their credit or debit card number, their security code, etc.

Therefore, you must have a way to stop the recording on the call or you could adopt software to remove the details relating to the credit card and payment arrangements. It’s also a requirement to inform your customer that the call is being recorded.

Similar to what we mentioned earlier about third-party email campaign tools, if you’re using a third party to record your calls for you, it’s important to check that their terms and conditions also show that they’re handling your recorded calls in line with the data protection laws.

General information collected at checkout

Of course, anyone buying anything online needs to give personal data in order to make delivery and payment arrangements—and therefore you’re collecting personal data every time someone buys something from you.

You’ll also likely have the ability to view a customer’s past purchases from within your eCommerce software—and some goods may start to build a picture of your customers: e.g. whether they’re male or female; whether they have kids; whether they have any pets; whether they have any dietary preferences or medical conditions; etc.

All of this information can enable you to group your customers into different demographics (this is called customer profiling) and you may then use this to adapt and tailor your marketing strategies to appeal to your different types of customer.

This all counts as personal data and some of it could be highly confidential. Therefore, it’s important that this information is treated in the same careful way as all other personal data your customers share with you.

If you sell from a bricks-and-mortar shop…

… you’ll generally handle less personal data, simply because there are fewer ways that your customers will need to interact with you in order to purchase a product.

But, of course, even physical stores process personal data at some point. Let’s explore the main ways and what you need to do to stay within the rules.

Digital receipts

Many offline retailers are taking tips from their online counterparts and sending digital receipts to their customers via email. Not only is this good from an eco-friendly point of view, but it also enables you to use email as part of your marketing strategy.

However, if you do email receipts to your customers, this doesn’t necessarily mean you can email any marketing messages to them. This is because if you tell the customer that you’re collecting their email address for the purpose of emailing them their receipt, this is the only purpose you’re allowed to use the email address for.

If you’d like to also send them marketing communications, you’ll need to make that completely clear when you collect their email address and they must agree, without a doubt, that they’re happy for you to send marketing communications to them. And remember, you must always give them the option to opt out within every marketing email that you send them.

And don’t forget to check how any third parties are using your customers’ data too—perhaps you’re using an email campaign service such as Mailchimp to send your marketing emails—you should be able to find out exactly how their personal data processing works and whether it is legally compliant by checking your contract terms with them.

CCTV

When considering what personal data means, and therefore what to include in your data-assessment and data-mapping process, it’s not the most obvious item… but CCTV footage also counts as personal data.

If your shop has security cameras installed, the images they capture are technically considered personal data—simply because they allow you to identify individuals.

So to comply with the law, you’ll need to put a clearly visible sign up in your shop that announces that CCTV is in operation and why it’s being used. And it’s also important that you only collect, use, share and store the images from the CCTV for specific, relevant reasons and that you delete the images once they’re no longer needed.

At the till

It’s likely that your till-point transactions are handled by a third-party payment provider—and so it’s actually them, not you, that records payment data such as card details. However, in the interest of transparent data processing, your customers should be able to know who that third party is and how they process their payments.

Like online businesses, offline retailers can get a really good idea of how individual customers shop in their store. While online businesses can typically access this information from the past orders area in their eCommerce software, offline retailers like you may use a number of creative ways to learn about those who shop in your store.

Whether this is through point-of-sale questionnaires, stampable loyalty cards, or perhaps store cards that log each customer’s purchases, these are all types of customer profiling—and you’ll be potentially collecting a huge amount of personal data there too. So while not always technically part of the purchasing process, it’s data that you should also include in your data mapping exercise.

And there are rules for all types of retailer too...

No matter whether you’re selling to individuals or businesses online, at distance or offline, you need to have privacy notices and terms and conditions that make clear what personal data you gather, what you use it for, where you store it and for how long you keep it.

And because of the different rules around the different types of retailer, as described earlier, you’ll need to use specific terms and conditions depending on what type of retailer you are.

To help you use the correct ones, we have templates for all types available to you on Farillio.

Don’t forget that you’ll also need privacy notices and a data protection policy for your employees, contractors and other workers too. Staff often provide just as much, if not far more, personal data than customers.

Hopefully you’re now feeling confident about how your own efforts comply with the updated legislation and you now have a clear handle on what you need to do as a retailer to handle your customers’ personal data correctly.

One of the biggest risks of non-compliance is that someone complains about how you accessed or handled their data and an investigation results...

Reputational damage is a big deal... and it’s not just your customers who might boycott you if you aren’t behaving compliantly or responsibly with their data; you could also end up with a supplier going elsewhere in order to prevent their own reputations becoming tarnished.

However, at Farillio, we’re all about making small businesses braver, more confident and empowered to tackle their business challenges—so come join in the fun over at and get your legal needs sorted!
