High Streets Initiative 19 October 2017

Retailers and GDPR: What are you allowed to do with customer information?

Failure to comply with GDPR rules could result in large fines for retailers
What are retailers permitted to do with the email addresses and customer information sometimes handed over by shoppers at checkouts? Here, Charlotte Ebbutt and Malcolm Gregory from law firm Royds Withy King explain the rules.

There is an increasing trend for retailers to ask shoppers for their email addresses at the checkout so that they can send them a receipt by email. So, what can retailers do with this customer information?

The management of personal data by businesses is a hot topic. Data hacks make the front pages of our newspapers, and can attract significant fines.

With the General Data Protection Regulation (GDPR) less than a year away, retailers need to be careful when collecting customer information, and pay particular attention to the management of that data.

Email addresses collected at the point of sale are considered personal data under current data protection regulations and under the GDPR. The rules state that data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

This means that if an email address is given for the purpose of receiving an e-receipt, it must only be used for that purpose. A retailer cannot then use that customer information for marketing or any other purpose. Once the receipt has been sent the email address should be deleted, as the regulations do not allow for the unnecessary storage of personal data.

If a retailer wishes to use email addresses gathered at the point of sale for subsequent direct marketing, this must be explicitly brought to the attention of the customer, and presented clearly and separately from any other information.

A customer’s consent must be freely given, specific, informed and an unambiguous indication of their wishes.


Retailers will profile customers in a number of ways, whether through the use of loyalty cards, online behavioural advertising or using CCTV to record in-store images of known individuals, all of which will fall under GDPR regulations.

Consent will be needed from individual customers if that profiling has a legal effect. Unhelpfully, these legal effects have yet to be defined, but we would expect loyalty schemes where special offers are made available to some but not all customers to fall under this label.

If there is no legal effect then retailers are free to profile, provided that they have told customers about this and given them the opportunity to object.


Retailers should also bear in mind that the potential changes to data capture language or customer facing documents won’t be the only consent they need to review. The data held on employees also falls into the new regulations.

Retailers will need to consider whether they are currently relying on express consent from employees to process employee personal data, and consider the alternative grounds which can be relied on instead.

Data hacks

Retailers need to ensure that they have implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively.

If they do not already have them, they need to put mechanisms in place to assess and then report relevant breaches to the ICO where the individual is likely to suffer some form of damage, for example, through identity theft or confidentiality breach.

They also need to ensure that there are mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.

The GDPR rules introduce mandatory data breach notifications to the ICO within 72 hours and in some cases to the data subjects too.

