Retailers have just over five months before they need to be compliant with hard-hitting new data protection regulations, or face steep fines.

The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018.

The new regulations, which replace the Data Protection Act 1998, impact on how retailers manage all personal data they hold, including customer marketing, loyalty schemes, home deliveries and much more. The rules will also impact heavily on how in-store CCTV footage is used and stored.

At its heart, the GDPR is designed to prevent personally identifiable information (PII) such as customer names, home, email and IP addresses and bank details, from being collected and used without consent and to ensure that any PII that is held with consent is recorded, managed and protected to the highest possible standard.

The GDPR introduces seven key principals for how PII is managed.

As part of the requirements, the use of personal data must be fully consented by the individual, and this must be done with a positive, unambiguous opt-in.

People’s personal data, such as names, addresses and card details, will need to be made anonymous so in the event of an accidental leak or hack they cannot be identified.

Individual rights will also be strengthened so that people must be informed within 72 hours if there has been a breach of their personal data.

Individuals will also be able to request information about the data that a store holds on them and they will have the right to have their data rectified or deleted should they wish.

Retailers will also need to ensure that they inform any third parties and data processors (such as loyalty operators, suppliers and beacon technology operators) when a right to rectification is exercised.

The location and purpose of each CCTV camera will need to be clearly justified and documented and staff must also be fully informed and trained on all policies and procedures that the company has in place regarding the store’s use of CCTV.

Under GDPR, any person who enters the store and is recorded on CCTV will also have the right to ask for a copy of their personal data from the footage. Retailers will have to supply this within a month and they must ensure that any other individuals who could be identified in the footage are redacted.

Failure to comply with any of these steps could constitute a breach and be subject to a fine of up to  €20m or 4% of turnover - whichever is higher.

For more information and support with complying with the GDPR visit

The ICO has also launched a dedicated GDPR preparation helpline for small organisations on 0303 123 1113.