In a few days, hard hitting new laws on data protection will come into force. C-Store looks at what the regulations mean to your business

GDPR. Four little letters that most convenience store retailers will have heard bandied about over the past few months, but may not - as yet - have paid proper heed to.

Well, with the 25 May deadline looming large, now really is the time to sit up and take action, because those four little letters are set to have a mighty big impact on the way in which all businesses, including convenience stores (regardless of size or number of staff), manage and protect all the personal data that they hold, even that of their employees.

Fast facts

WHO: The GDPR will impact all businesses (regardless of size) that use and store any kind of personal data

WHAT: The GDPR is a regulation drawn up by the European Parliament, the Council of the European Union and the European Commission to give citizens more control over how their personal data is used online

WHERE: The GDPR will apply in all EU member states regardless of Brexit

WHEN: From 25 May 2018.

In a nutshell, the General Data Protection Regulation (GDPR) will require you and your staff to adhere to a new set of regulatory principles designed to ensure that personal data is captured, used and protected to the highest possible standard. 

The European Commission defines personal data as “any information relating to an individual”, from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Under the GDPR this also includes CCTV stills and moving film, and more.

The impact of the regulations will vary greatly from store to store, depending on how much data a retailer has, or “processes”. Stores with customer loyalty schemes, large numbers of employees, newspaper delivery rounds, and CCTV systems will be harder hit than those without.

At its heart, the GDPR - which is the natural evolution of the Data Protection Act 1998 (DPA) - is all about accountability and transparency, meaning that solid record-keeping to demonstrate due diligence is now a must.

Simon Bishop, director of GDPR Systems, explains: “The DPA was to some degree a tick-box exercise - it was easy for businesses to declare that they understood and abided by the rules without having to think about it too much. The GDPR changes all of that,” he says.

Enforcing it all is the Information Commissioner’s Office, or ICO, which has compiled the following eight simple steps to help small businesses get GDPR ready.

Eight simple steps

Step one: Know the law is changing and make sure all your employees know the law is changing. You then need to understand how this change will affect your business, and identify anything you need to alter to comply. 

Step two: Make and keep a record of the personal data you hold and why you hold it.

Under the GDPR you need to keep records of all the personal data you hold and work with. You need to record all information including:

  • What data you hold (names, emails, individuals’ financial information).
  • How you got it (a customer form, bought-in marketing lists, staff application forms).
  • Why you have it.
  • How long you’ve had it.
  • Whether you still need it - if not, this is an opportunity to delete it.
  • Do you share this information with any other organisations? 

Step three: Identify why you have personal data and how you use it.

Under the new law you must have a valid “lawful basis” to process personal data and must be accountable for and transparent about it. Identifying your reason for collecting and handling personal data will help you identify your ‘lawful basis’. Once you have determined this you should document it and update your privacy notice to explain it.

There are six available lawful bases for processing personal data. According to the Association of Convenience Stores (ACS), the three that are most likely to apply to retailers are:

  • Consent: If you are using consent as a basis for collecting and processing data, that consent will need to be explicit and specific about what consent is being given for. For example, pre-ticked boxes or ‘consent by default’ are not acceptable under the regulations.
  • Contract: You can process personal data if you need to do so to fulfil your contractual obligations to them, or if they have asked you to do something before entering into a contract.
  • Legitimate interest: Legitimate interest is the most flexible lawful basis for processing. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect (such as direct mail for marketing purposes) and which have a minimal privacy impact, or where there is a compelling justification for the processing. 

Step four: Have a plan in case people ask about the rights they have regarding the personal data you hold about them. Information on individuals’ rights under GDPR is available at:

Step five: Before collecting personal data, tell people why you need it and how you will use it.

At the point you collect personal data from people, you must provide them with certain information, including the identity of your business and how you plan to use their information. You also need to tell people about their rights and their ability to complain to the ICO if they are concerned about how you handle their information.

Your privacy notices must be easy to understand and given to individuals whenever you collect their personal data, both online and offline.

Need help?

The ICO has a number of online resources for small businesses. Visit

The ICO also has a helpline for businesses, where questions can be asked about the specifics of the regulations. The helpline number is 0303 123 1113.

If you would like legal advice on the specifics of the GDPR regulations and how they apply to your business, contact Fraser Brown Solicitors via the Association of Convenience Stores on 01252 515001.

Step six: Security of data. 

The GDPR is much more specific than the DPA 1998 about what you have to do about the security of your data processing, how you should assess your information risk, and the appropriate security measures that you should put in place, such as password protecting and encrypting your electronic devices, installing anti-virus software and using securely locked storage for paper records.

Step seven: Develop a process to make sure you know what to do if you break data protection rules and record it.

Think about the possible breaches that could occur in your business, for example paperwork or IT devices are lost or stolen, malware is used to gain access to your computer systems, personal data is sent to the wrong person, or documents are not disposed of properly, eg not shredded.

Step eight: Don’t panic!

While the risks of non-compliance are severe, with fines of up to €20m, or 4% of turnover, the ICO told C-Store it would rather support businesses in their quest for compliance, than fine them.

“A common myth is that the ICO will be fining organisations large sums for every breach of data protection law. The ICO is here to uphold the information rights of the UK public. We can and do fine organisations, but we have other tools at our disposal to ensure that businesses comply with the law.

“Monetary penalties have been and will continue to be a last resort of our regulatory action - our primary aim is to support businesses to get things right and improve their practices where required.”


The GDPR also has a number of implications for the way convenience store retailers manage their CCTV systems and data, as Simon Bishop, director of GDPR Systems, explains. He says: “From 25 May CCTV images will need to be treated with the same respect as more traditional forms of personal data.

“Once GDPR comes into force, camera location and purpose will need to be scrutinised and documented in more detail than before, and the purpose of each camera should be very clear.

“Your staff must also be fully informed and trained on all the policies and procedures that the company has regarding the store’s use of CCTV.”

The use of CCTV must be a “reasonable response” to the issue that you are seeking to address: to prevent and record incidents of theft or crime.

The type of surveillance system you choose to use and the location it operates within must achieve the purposes for which you are using it.

Appropriate signage must be in place to inform people that CCTV is in operation and why you are using it.

Under the GDPR individuals whose information is recorded have a right to be provided with that information or, if they consent to it, view that information. Information must be provided promptly.

You should also ensure that the design of your surveillance system allows you to easily locate and extract personal data in response to subject access requests.

It should also be designed to allow for the redaction of third-party data where this is deemed necessary.

Recordings should not be retained for longer than necessary, or more than 30 days.

Case study

How to stay on the right side of the law

Joe Williams, owner of Hook Norton Village Stores (Spar) used GDPR Systems’ CCTV Solution to help him get GDPR ready.

The system makes it much easier for a convenience store to demonstrate accountability by helping them to list all of their cameras and storage devices in one place.

“There’s quite a lot of scaremongering about the consequences of not complying with the GDPR so using the system has given me real peace of mind,” Joe says.

“It’s a bit like an online risk assessment. With a few clicks of the mouse you can see if you are compliant or not and where changes need to be made. It also then generates all the relevant GDPR policies and procedure documentation that you require, as well as summary reports for both management and the ICO.

“It took me about an hour to complete it and that was for 25 cameras.

“The system pointed out a few areas where we were weak and had to make changes. For example, access to the CCTV system had to be tightened by creating passwords for playback in the office.”


ICO answers your questions


Can I require people to sign up to marketing if they want to join my loyalty scheme?

Under the GDPR you should avoid making consent a precondition of a service. So if your loyalty scheme allows people to collect points when they shop, which they can then redeem against future purchases, you can’t require them to consent to marketing emails in order for them to collect these points. However, if a scheme is operated purely for the purposes of sending people marketing offers, you need to be upfront and clear about this and will need to ensure that the consent people provide when signing up meets the GDPR standard.

Do I have to get fresh consent from all my customers?

You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.

We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent.

Will GDPR prevent me from sharing information with other retailers about people I’ve banned from my shop?

The GDPR is not designed to prevent you sharing personal data for legitimate reasons. However, if you’re deciding whether to share information with other retailers, either directly or through a business crime reduction partnership, you need to make sure you’re able to share the information in a way that complies with GDPR. For example, you’ll need to address the following questions:

  • Is the data sharing fair, legal and transparent?
  • Is the information relevant to the other retailers?
  • Is the information accurate?
  • Is the information shared in a secure format and manner?