Technology and data protection have had a significant impact on both traditional brisk & mortar and eCommerce retailers.

The Privacy and Electronic Communications Regulations (PECR), along with the GDPR mean all retailers must pay special attention to maintaining their sales and marketing databases, recording consent and managing data retention and disposal.

Multi-site retail chains often have different systems in different stores, many of them paper-based, and should consider data minimisation techniques to ensure they don’t hold unnecessary data.  Staff training across stores is often needed to ensure all employees understand their responsibilities with regard to data protection.

This page explains what data protection legislation means for retail & eCommerce organisations and the key areas they need to consider when managing personal data.

WHAT DOES THE LEGISLATION MEAN FOR RETAIL AND ECOMMERCE ORGANISATIONS?

Like all other organisations, retail and eCommerce organisations must:

tick
Be transparent in the way they process personal data and accountable for doing so
tick
Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)
tick
Understand the data they have, where it is stored and who has access to it
tick
Implement robust processes and procedures to protect personal data
tick
Allow all customers, suppliers and staff to:

  • Access the data stored on them
  • ensure the data is correct and modify it as necessary
  • Have it deleted (unless needed for legitimate reasons)

tick
Appoint a designated data protection officer if they:

  • Process data on a large scale
  • Use the data for profiling or automated decision making

card

IMPORTANT DATA PROTECTION CONSIDERATIONS FOR RETAIL & ECOMMERCE

Retail and eCommerce organisations must protect personal data in a wide range of their operations.  Some major considerations include:

Sales and Direct Marketing

  • Managing consent of individuals receiving direct marketing materials
  • Impact of Personal Electronic Communications Regulation (PECR) and ePrivacy
  • Data retention
  • Data base management and data minimisation

eCommerce

  • Data held in contact forms
  • Large quantity
  • Financial, payment and transactional details
  • Automatic profiling
  • Cookies and tracking pixels

Multiple bricks and mortar outlets

  • Data held in multiple formats and locations
  • Minimising duplicated data
  • Disposal and retentions
  • Legacy and non-standard system
  • Paper systems

Staff and Training

  • Training staff to understand their protection responsibilities
  • Embedding a culture of data protection often across multiple sites staffed by part-time, temporary and permanent staff

Administration

  • Email systems
  • Staff payroll, pension and HR records
  • Access and security CCTV

Data Security

  • Maintaining network and server security
  • Data encryption

Policies and agreements

  • Privacy, retention and data protection policies
  • Staff handbooks
  • Data sharing agreements
  • Data processing agreements

Enquire Today

Fill in your details below and we’ll get back to you as soon as possible

Alternatively click one of the options below to speak to us

 

Email Call

Sign up todayThe DPIA is a bitesize assessment of the impact of the most significant, interesting and important-to-know data protection issues. It’s not the full story, just a brisk, 3-minute resumé, collated and condensed especially for busy privacy professionals to ensure you’re aware of what’s happening in our fascinating, dynamic and engaging industry.

See our privacy policy.

Don't show this popup again.