Top things a Convenience Retailer needs to consider before GDPR comes into effect


If you think a typical convenience store doesn’t handle much data, you might need to think again. We have broken down the key areas you may need to consider before and after the introduction of the GDPR.

I have a website

Your shop window to the world! A website is a great tool to communicate with current and potential customers about the services/products you offer. If your website's sole purpose is as a standalone content marketing site, you have little to worry about. However, if you collect any personal data via it, certain considerations need to be made.

  • Is there a newsletter sign-up form? If yes, make sure that you can collect consent from those signing up. You must be able to record the text they consented to, the time, the date and the ‘mode’, e.g. website. Speak to your website provider for assistance in this area.
  • Do you allow people to order online? If yes, you will need to collect certain details in order to deliver their goods. Make sure that the information collected is only what is required to fulfil your obligations. Include exactly what you do with their data in your privacy policy and link to it during checkout.
  • Privacy policy – every website should have one of these, especially if you want to show your customers how seriously you are taking the new data protection laws. Your website provider would be a good place to begin a conversation about this. Mercurytide can help you with this.
  • Cookie policy – if you are using cookies to track your users' behaviour, you should already have one of these in order to comply with the PECR. If you don’t have one, speak to your website provider.

I have an EPOS system

If you link your EPOS to a CRM and capture customer data for marketing purposes you will have to review your privacy policy. More specifically, you will have to put in place protocols for gaining consent from customers (and also be able to evidence that consent) and be prepared to erase a customer’s details on request. You will already be aware of the strict regulations under the PCI-DSS. In practice, the GDPR will not significantly alter the actions you need to take to remain compliant with the PCI-DSS, but the stakes do increase for non-compliance.

  • Keep anti-virus software up-to-date
  • Be aware of the physical theft of a terminal and put measures in place to limit the likelihood
  • Draw up a policy of what you and/or your staff should do in the event of a breach
  • If you collect customer data via your EPOS, draw up an easy-to-follow plan for your staff informing the customer exactly what is being collected and what it is being used for
  • Should customers not want their data to be collected, you must comply, and also delete any existing records if requested to do so.

I send marketing materials/newsletters to people

Consent is most likely your primary legal basis for handling personal data for this purpose. Consent must be a positive action and the text must be clear and in plain language. You must record consents so that you can prove that active consent has been given.

  • Extra attention is placed on communication towards children (13-16 years, depending on member state). We advise putting age limits on signing up to avoid communicating with children.
  • Be aware that any activity involving the automated profiling of a customer, or the use of geolocation data, requires specific consent in addition to the main customer consent.
  • Ensure that your privacy policies cover the activities you are most likely to do. For example, always make sure to collect consent to send marketing SMS and emails, including an option to unsubscribe.

I have an offline/online database with all my local customers personal details

This has become a serious habit for larger retailers over the past decade. The trend most definitely poses a challenge when you consider it in the context of the GDPR. The desire to have the ability to tailor your services to your local client base can be too tempting to resist. You should ask yourself if your business is the only one to have access to that data. If so, it is best to keep it that way to maintain the integrity and security of it. One of the questions the GDPR forces retailers to ask is “do I really require all the personal data that I store on someone, in order to perform my contractual duty/function?” If the answer is no, think about pseudonymisation tools to help alleviate that problem. This is another one to speak to your IT/database provider about. We advise you to pseudonymise all customer data except for the modules that handle direct communication with customers. For example, the part of your system sending marketing communications to customers likely only needs an email address and (with additional consent) a mobile number. Any software you use to handle statistics or patterns most likely does not.

  • Any database that contains a large amount of customer data should be encrypted

I run a loyalty scheme

You have a loyalty programme because you want to provide incentives to repeat customers who demonstrate loyal buying behaviours. A successful programme will have those customers make frequent purchases and shun your competitors. So how do you maintain this without falling outside the lines of the new legislation? The answer is relatively simple: tell your customers exactly what you do with their buying behaviour (i.e. profiling – an automated process used by you to predict or analyse the personal preferences of that customer or a group of customers) and allow them to consent to it. Bear in mind that they must consent to each action separately. For example, they must consent to you marketing to them and also to you using their shopping history (and future habits) to tailor services to them. You cannot bundle them together. If your profiling is achieved via cookies, consent may already be in place, provided for by the PECR. It should be noted that the European Commission has also recently issued a new draft E-Privacy Regulation which is intended to replace the existing e-privacy rules at the same time as the GDPR is implemented. Speak to your website provider about the implications of this.

  • Assess how compliant you currently are – do you have GDPR compliant consent for marketing? Have you got consent for any automated profiling activities outside of cookies? Are you able to evidence them both if requested?
  • If you have a gap in terms of compliance, draw up a plan of how you are going to close it. It is likely you will need to develop a communications plan for all your loyalty programme customers, explaining the changes and seeking their approval.
  • One solution could be to separate personal and non-personal information, creating two different sets of data. This will help to improve anonymity when using analytics tools for marketing purposes.
  • If you work with other businesses and/or brands to data match, you will have to obtain consent from those customers too.
  • Be aware that your customers may ignore your attempts at gaining compliant consent from them. Don’t be surprised at a fallout of up to 50%.
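The consent points above (record the exact text, time, date and ‘mode’; consent as a positive action; separate consents for marketing and profiling that cannot be bundled; being able to evidence it on request) can be captured in a small append-only ledger. The following is an added example written for this article, not code from the article's author or from any EPOS or website vendor; the purpose names, field names and the sample customer are constructed for illustration.

```python
"""Consent ledger (added example, not from the original article).

Every consent is stored as an event with the exact wording the customer saw,
the UTC time, the channel ("mode") and a single purpose. Withdrawal is just
another event, so the history needed as evidence is never lost.
All names, purposes and sample data here are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256


@dataclass(frozen=True)
class ConsentEvent:
    customer_id: str
    purpose: str          # one purpose per event, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    text: str             # exact wording shown at the point of consent
    mode: str             # channel, e.g. "website", "till", "app"
    timestamp: datetime   # when the positive action happened (UTC)

    @property
    def text_hash(self) -> str:
        # a fingerprint of the wording, useful when the full text is long
        return sha256(self.text.encode("utf-8")).hexdigest()


class ConsentLedger:
    # each purpose is consented to on its own; there is no "all of the above"
    ALLOWED_PURPOSES = {"marketing_email", "marketing_sms", "profiling", "geolocation"}

    def __init__(self):
        self._events = []   # append-only list of ConsentEvent

    def record(self, customer_id, purpose, text, mode, granted=True, when=None):
        if purpose not in self.ALLOWED_PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if granted and not text.strip():
            raise ValueError("the consent wording must be recorded")
        event = ConsentEvent(customer_id, purpose, granted, text, mode,
                             when or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def withdraw(self, customer_id, purpose, mode, when=None):
        # no wording is needed to withdraw; the event itself is the record
        return self.record(customer_id, purpose, "", mode, granted=False, when=when)

    def has_consent(self, customer_id, purpose) -> bool:
        # the latest event for this customer and purpose wins;
        # a purpose never consented to defaults to "no"
        latest = None
        for event in self._events:
            if event.customer_id == customer_id and event.purpose == purpose:
                latest = event
        return bool(latest and latest.granted)

    def evidence(self, customer_id, purpose):
        # everything needed to show what was consented to, when and how
        return [
            {"purpose": e.purpose, "granted": e.granted, "text": e.text,
             "text_sha256": e.text_hash, "mode": e.mode,
             "timestamp": e.timestamp.isoformat()}
            for e in self._events
            if e.customer_id == customer_id and e.purpose == purpose
        ]


def demo():
    """Constructed scenario: a customer ticks the email box on the website only."""
    ledger = ConsentLedger()
    when = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record("cust-001", "marketing_email",
                  "Yes, email me offers from the shop. You can unsubscribe at any time.",
                  "website", when=when)
    # the profiling box was not ticked: a separate purpose, so nothing is implied
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("email marketing allowed:", ledger.has_consent("cust-001", "marketing_email"))
    print("profiling allowed:", ledger.has_consent("cust-001", "profiling"))
    for row in ledger.evidence("cust-001", "marketing_email"):
        print(row)
```

The design choice worth noting is that `has_consent` answers per purpose and defaults to "no", so a till or website that asks before sending an SMS or running profiling cannot accidentally reuse an email consent; and because withdrawal is appended rather than overwriting, the evidence list still shows what the customer originally agreed to and when.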

I employ people

It is likely that you are already adhering to the correct employment procedures and policies. The GDPR adds nothing further to these.

  • Ensure you have a retention policy for employee/applicant data (e.g. deletion 7 years after employment ended).
  • Do not pass on an employee’s details to anyone other than those performing a specific function for the business, e.g. payroll, HR, etc.

I hire companies to help me with payroll/HR/deliveries etc

You are responsible for the personal data that is in the possession of your suppliers. Examples of the types of “suppliers” you will use on a frequent basis are couriers, delivery agents, payroll processors and anyone you outsource your HR functions to.

  • List all suppliers in your privacy policy.
  • For each supplier make a list of all the personal data you send them – if some of the information you send isn’t necessary in order for them to perform their function then remove it.
  • Review the agreements you have in place with your suppliers. Have they shown that they are going to be compliant with the GDPR when it is introduced? NB You must also approve your suppliers’ sub-suppliers before they can begin to process your data.

I collect information on my customers' spending habits

Your customers can leave a trail at the POS. Even though this data may seem innocuous to you, it can reveal the location of customers at specific times. Therefore, it must be treated as personal data. There are ways to protect this cornerstone of tailored customer experience.

  • Speak to your IT provider about how you can go about anonymising this data whilst preserving the vital insights it provides, even if the individual requests their information to be deleted.
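The two pseudonymisation points on this page (keeping real details only in the module that communicates with customers, and keeping the spending insight after an individual asks for deletion) come down to one pattern: a separate identity store that links a random pseudonym to the person, and an analytics store that holds only the pseudonym. What follows is an added example written for this article, not code from the article's author or from any EPOS or database provider; the store layout, field names and sample purchases are all constructed for illustration.

```python
"""Pseudonymised customer data (added example, not from the original article).

  * identity store  - the only place holding real details; maps a loyalty id
                      to a random pseudonym and the pseudonym to the details.
  * analytics store - purchase events keyed by pseudonym only.

Erasure deletes the identity record. The analytics rows remain, still
summable, but can no longer be linked back to a person.
All names and the sample data are this example's own assumptions.
"""
import secrets
from datetime import datetime, timezone


class CustomerStore:
    def __init__(self):
        self._by_customer = {}   # loyalty/customer id -> pseudonym
        self._identities = {}    # pseudonym -> {"name", "email", "mobile"}
        self._analytics = []     # rows: pseudonym, hour, store, total_pence

    def register(self, customer_id, name, email, mobile=None):
        if customer_id in self._by_customer:
            return self._by_customer[customer_id]
        # random token, not derived from any real detail, so it cannot be
        # recomputed from a name or email once the identity record is gone
        pseudonym = secrets.token_hex(16)
        self._by_customer[customer_id] = pseudonym
        self._identities[pseudonym] = {"name": name, "email": email, "mobile": mobile}
        return pseudonym

    def record_purchase(self, customer_id, when, store, total_pence):
        pseudonym = self._by_customer.get(customer_id)
        if pseudonym is None:
            return False   # erased or unknown customer: keep no linkable record
        # truncate to the hour: a row should not place someone at an exact time
        hour = when.replace(minute=0, second=0, microsecond=0)
        self._analytics.append({"pseudonym": pseudonym, "hour": hour,
                                "store": store, "total_pence": total_pence})
        return True

    def marketing_view(self, pseudonym):
        # the communications module receives only the field it needs
        ident = self._identities.get(pseudonym)
        return None if ident is None else {"email": ident["email"]}

    def erase(self, customer_id):
        # right-to-erasure request: sever the link, leave analytics rows as-is
        pseudonym = self._by_customer.pop(customer_id, None)
        if pseudonym is None:
            return False
        del self._identities[pseudonym]
        return True

    def is_linkable(self, pseudonym):
        return pseudonym in self._identities

    def spend_by_pseudonym(self, pseudonym):
        return sum(r["total_pence"] for r in self._analytics
                   if r["pseudonym"] == pseudonym)

    def spend_by_hour(self, store):
        # the kind of aggregate the statistics module wants; no identities involved
        totals = {}
        for r in self._analytics:
            if r["store"] == store:
                totals[r["hour"].hour] = totals.get(r["hour"].hour, 0) + r["total_pence"]
        return totals


def demo():
    """Constructed scenario: one loyalty customer, two purchases."""
    cs = CustomerStore()
    p = cs.register("loyalty-4471", "A. Customer", "a.customer@example.com")
    cs.record_purchase("loyalty-4471", datetime(2018, 5, 25, 8, 17, tzinfo=timezone.utc), "High St", 345)
    cs.record_purchase("loyalty-4471", datetime(2018, 5, 26, 17, 42, tzinfo=timezone.utc), "High St", 1299)
    return cs, p


if __name__ == "__main__":
    cs, p = demo()
    print("marketing sees:", cs.marketing_view(p))
    print("spend before erasure:", cs.spend_by_pseudonym(p))
    cs.erase("loyalty-4471")
    print("linkable after erasure:", cs.is_linkable(p))
    print("spend after erasure (insight kept):", cs.spend_by_pseudonym(p))
    print("takings by hour:", cs.spend_by_hour("High St"))
```

Two caveats a practitioner should keep in mind: while the identity record exists, the analytics rows are still personal data (pseudonymised, not anonymous), so the encryption advice for the database applies to the identity store above all; and a pseudonym only stops being personal data on erasure if nothing else in the business can re-derive it, which is why the token is random rather than a hash of the email address.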

Can my customers easily get access to the information I hold on them?

The answer to this question should be yes, but for a lot of retailers this would not have been a consideration until now. Your customers now have a right to request what information you hold on them, as well as the right to request that you delete, amend or port that data elsewhere.

  • Create a process/plan for your staff to follow should any of these requests be made.
  • Make sure that you refer to your customers' rights, and where they can exercise them, in your privacy policy.

What do I do if something goes wrong?

A data breach is described as an incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. In case of data breach incidents, you may be required to inform your supervisory authority and your customers, within 72 hours of becoming aware of it.

  • Create a plan of what you and/or your employees should do in the case of a data breach. The ICO have some helpful advice on this. There is a list of criteria specifying when you need to disclose data breach incidents.
  • Your suppliers should be aware that it is their obligation to always inform you about any data breach incidents.

Do my employees need to know about GDPR?

The introduction of the GDPR has rightly placed a great emphasis on data security and on any communication towards your customers (and even prospective ones). However, in practice, it is down to those that you employ to implement and comply with the regulation. It is imperative that you establish a training scheme to inform your staff about the GDPR. For example, do your staff know that they cannot add a customer to the marketing list without having their explicit consent first? Do your staff know that they cannot pass on any personal data to any third party without permission first, even if they think the customer would find value in it?

Disclaimer: this article is not meant as legal advice. You must seek advice from your legal advisors to ensure complete compliance with GDPR as this can vary from company to company.
