Are you ready for changes to retail customer data protection?

On 25th May 2018, the GDPR – the EU’s new law which will affect retail customer data protection – comes into force. Retailers are gearing up for changes to how they handle their customers’ data. Here, we look at its implications and show how you and your organisation can adapt your data collection methods. The key is to embrace the change and focus on building greater trust with your customers.

What is the GDPR?

Announced in 2016, after many years of planning and debate, the General Data Protection Regulation (GDPR) applies to all businesses that handle the personal data of EU citizens. So, it isn’t just EU states that have to comply. Regardless of how Britain’s exit from the European Union unfolds, these new rules will apply for most businesses across all sectors, and there are large fines for non-compliance.

With just under a year to go, businesses must prepare now if they are to be GDPR-ready. Elizabeth Denham, the UK’s Information Commissioner, has said: “If I could give you just one piece of advice today, it would be not to put this off”.

If your business handles personal information – that is, anything which can be used to identify someone, e.g. name, location, email address, social media posts, IP address etc. – then you’re accountable. A good rule to go by – proposed by the ICO – is that if your business is currently subject to the Digital Protection Act then you are likely to be subject to the GDPR. In short, the new retail customer data protection laws will affect you.

So, why the change?

The reasons are two-fold:

  • to grant EU citizens more control over their personal data
  • to unify all the data protection laws across the single market.

Many think the changes are long overdue. The current legislation was proposed to meet requirements that become more redundant every day. Over the last 20 years, there have been unprecedented shifts in how consumers use the internet, what they use it for and how they interact with organisations and institutions. The GDPR will better reflect today’s ever-changing digital environment.

Just think about retail. The rise of online shopping, loyalty schemes, social media and online marketing has reshaped the industry. The information collected through these activities is staggering: most retailers collect data on their existing customers, potential customers and employees.

How will the changes to retail customer data protection legislation affect you?

At bluesource, a lot of our customers tell us that many people in online retail don’t understand that they are affected by the new rule, while some feel adhering to the GDPR isn’t part of the responsibility of their job. What’s more, others have become frankly bored of hearing about the GDPR without seeing any action or leadership on the issue, which can lead to disengagement further down the line.

A recent survey by the UK Direct Marketing Association (DMA) points to a general feeling of uncertainty:

  • 30% of respondents “believed their company to be ‘unprepared’ for the new rules”.
  • 42% “believed their marketing efforts will be ‘very’ or ‘extremely’ affected by new rules.”

Some of this apprehension is valid. It’s true that several marketing practices in retail will need review. And while it is also true that an organisation’s strategy to meet the GDPR’s requirements should be led from the top, it will be necessary for all your employees to know how the law will impact them. Here are the key focus points for retailers:


The GDPR imposes stricter rules around consent, i.e. how you obtain permission to hold on to your customers’ data. The new legislation gives people more power to control how organisations collect their personal data. The days of pre-selected opt-in boxes are over.

From May 2018, consent must be captured by active participation. In most cases, this means customers clicking to validate their interest for each of your promotions and mailing lists. You must also ensure they can withdraw their consent. The responsibility falls on you to make that option available and visible.

The most immediate effect here is that retailers must review their current websites and applications. And, as your customers need to be able to make informed decisions, your language must be consistently clear and unambiguous.

As customers become more selective over what they sign up to, mailing lists may decrease in size, and thus direct marketing will be impacted. What is needed is a re-think about how and why people are signing up to your promotions and whether they trust you.

Retailers need to be creative to find new ways of increasing their reach and improving engagement with their brand. Also, there will be more of an onus to earn your customers’ consent and trust.

Data breaches

Another significant part of the legislation affects how companies monitor, report and work to prevent data breaches. The GDPR requires organisations to report any breaches within 72 hours. The fine for non-compliance here can be severe – up to €20 million or 4% of annual turnover.

Previously, organisations were free to withhold information on data breaches, and many chose to do just that. High-profile data breaches (TalkTalk and Sports Direct to name a few) led to falling share prices and public outcry. From 2018, concealing the scope of such breaches will constitute a crime. In preparation, you may need to install data monitoring tools and formulate detailed prevention strategies.

Data Protection Officer

If your organisation employs more than 250 people, you will also have to employ a Data Protection Officer (DPO), so this will be an imperative for larger chains.

Our message to retailers: embrace the change!

The GDPR presents many opportunities for innovative retailers. Much of the legislation has been conceived in response to growing anxiety about data protection and security. You can therefore use this opportunity to build better relationships with your customers and become more competitive. If customers trust your store over any other you will gain an advantage over your competitors. Trust as a focus of retail brand strategy should be more important than ever.

At bluesource, it is our mission to ensure companies of all descriptions are prepared for the GDPR, and that includes retailers. We provide a range of assessments to help your organisation recognise where you might be susceptible to these regulatory changes and understand what steps you can take to ensure you are compliant. If you’re worried that you do not have the tools or resources to be fully compliant, then get in contact and we can help you.

For more information about the GDPR and how bluesource can assist your organisation, contact us today.

6th July 2017

Tim Walwyn
