The imminent GDPR regulations may well encourage customers to have more trust and confidence to share their personal details with retailers. Although for many businesses there are challenges involved in checking the way they collect, store, use and delete data, the outcome should be more efficient and more secure systems, and better business practice.
Going forward, bira members must be able to show to any interested parties – such as customers, employees and suppliers – how any data held is stored, how they collected it, how they use it and with whom they share it. It must be kept up to date and secure, and deleted when appropriate.
The path to follow to achieve these deceptively simple aims is explored on page 19. The General Data Protection Regulation (GDPR) applies in the UK from 25 May 2018, the Friday before the Spring Bank Holiday weekend. Despite the confusion around it, many of its elements are already covered by the Data Protection Act 1998.
“The spread of the internet and the huge growth of data in the past 20 years have prompted this update of the 1998 Act,” says Andrew Hartshorn, partner at Shakespeare Martineau, the law firm advising bira on GDPR. “Retailers cannot ignore this. The regulations have been in place since 2016, so there will be no grace period after 25 May. The Information Commissioner’s Office, which will enforce GDPR, realises that not everyone will be compliant by then, but they want to see that you are moving in the right direction.”
Although the emphasis on GDPR has been about looking after customers’ data, Andrew points out that data on employees is also covered. Under existing legislation, any person (including a staff member) can ask to see all the information kept on him or her by making a “subject access request”. This costs £10 and the employer must supply the information within 40 days. Under GDPR, there is normally no charge and the information must be delivered within a month; that period can be extended by up to two further months only where requests are complex or numerous, and a reasonable fee may be charged only where a request is manifestly unfounded or excessive, for example because it is repeated.
“Our advice to employers is, be careful what you put in an email about a staff member, or indeed any individual. Work on the principle that one day, in the case of a dispute, he or she may read what you have written,” says Andrew.
A major concern for members is managing existing databases of customer details. Under GDPR, customers must be told how their details will be used, stored and eventually deleted. While the rules on e-marketing are not changing, the rules around consent are. See page 19 for more on this.
Bira encourages members using third-party cloud-based services to store data to check that those providers’ policies and contracts are GDPR-compliant. Under GDPR the retailer (the data controller) remains responsible for personal data it hands to such a provider (the data processor), and must have a written contract with the provider setting out what it may do with the data, how it secures it and what happens to it when the service ends.