Data protection for retail businesses

Retail businesses handle personal data every day: customer names and addresses for deliveries, email addresses for marketing, payment card details, CCTV footage, and loyalty programme records. UK GDPR and the Data Protection Act 2018 govern how you collect, store, use, and delete this data.

This guide covers the retail-specific aspects of data protection. If you employ staff, you also have separate data protection obligations as an employer.

UK General Data Protection Regulation (UK GDPR)

Retailers handling customer personal data must comply with UK GDPR. This covers collecting, storing, and processing customer information including names, addresses, email addresses, purchase history, and marketing preferences.

Seven key principles

Personal data must be:

Lawful, fair, transparent: Clear about what data you collect and why
Purpose limitation: Only use data for stated purposes
Data minimisation: Collect only what you need
Accuracy: Keep data up to date and correct
Storage limitation: Delete data when no longer needed
Integrity and confidentiality: Keep data secure
Accountability: Demonstrate compliance

Lawful bases for processing

You need a lawful basis to process personal data. For retail, common bases are:

Contract: Processing necessary to fulfil customer orders
Legitimate interests: Fraud prevention, business analytics (after balancing test)
Consent: Required for marketing emails and non-essential cookies
Legal obligation: Compliance with tax and accounting laws

Customer rights

Customers have the right to:

Be informed: Know what data you collect and how you use it (privacy notice)
Access: Request copies of their personal data (respond within 1 month)
Rectification: Correct inaccurate data
Erasure: Delete data in certain circumstances ('right to be forgotten')
Restrict processing: Limit how you use their data
Data portability: Receive their data in machine-readable format
Object: Stop certain processing (e.g., direct marketing)

Marketing consent

For marketing communications:

Obtain clear, specific consent (opt-in, not pre-ticked boxes)
Keep consent records
Provide easy unsubscribe options
Honour unsubscribe requests promptly
Only send marketing to those who consented

Data breaches

If customer data is lost, stolen, or accessed without authorisation:

Report to ICO within 72 hours if breach poses risk to individuals
Notify affected customers if breach poses high risk
Keep records of all breaches

ICO registration fee

Most businesses must pay an annual data protection fee to the ICO:

Tier 1 (Micro): £40 - turnover ≤£632,000 and ≤10 staff
Tier 2 (Small/Medium): £60 - turnover ≤£36m and ≤250 staff
Tier 3 (Large): £2,900 - above tier 2 thresholds

Privacy notice: Create and publish a clear privacy notice explaining what data you collect and why
Subject access requests: Implement procedures for responding to subject access requests within 1 month
Marketing consent: Review consent mechanisms for marketing - ensure opt-in (not pre-ticked boxes)
Data security: Implement secure data storage and access controls
Breach response plan: Develop data breach response plan
ICO registration: Pay annual ICO data protection fee
Staff training: Train staff on data protection responsibilities
Impact assessments: Conduct Data Protection Impact Assessments for high-risk processing
Data retention: Review data retention periods and delete data no longer needed

Guide to GDPR for small businesses

ICO registration fees

Your fee tier depends on your organisation's size and turnover. Most small retailers fall into Tier 1 or Tier 2. You can check your tier and pay online through the ICO website.

Data Protection Fee

Data Protection Fee - Processing personal data (customer records, CCTV, marketing)

Regulator: Ico
Typical fee: £40 (micro-organisations), £60 (small/medium), £2,900 (large)
Timeline: Register before processing personal data
Frequency: annual
Legal basis: UK GDPR; Data Protection Act 2018; Data Protection (Charges and Information) Regulations 2018

Mandatory for most businesses processing personal data. Three tiers: £40 (turnover ≤£632k, ≤10 staff), £60 (turnover ≤£36m, ≤250 staff), £2,900 (larger organisations). Exemptions for some sole traders, not-for-profits. Must comply with UK GDPR principles. Keep records of processing. Appoint DPO if required. ICO can audit and fine for non-compliance.

CCTV in retail premises

CCTV is common in retail for security, loss prevention, and staff safety. However, operating CCTV makes you a data controller for the footage, bringing additional obligations under UK GDPR.

CCTV in retail premises - data protection obligations

ICO surveillance camera code of practice requirements for retail CCTV, including signage, data retention, subject access requests, body-worn cameras, and staff monitoring rules under UK GDPR and DPA 2018.

Retailers using CCTV must comply with UK GDPR and the Data Protection Act 2018. The Surveillance Camera Code of Practice 2022 (issued under the Protection of Freedoms Act 2012) sets out 12 guiding principles for surveillance camera use.

Data Protection Impact Assessment: Required before installing CCTV; must assess necessity, proportionality, and impact on individuals' privacy
Signage requirement: Clear, visible signs at entry points stating CCTV is in operation, its purpose, and contact details of the data controller (DPO if applicable)
Lawful basis for CCTV: Typically legitimate interests (Article 6(1)(f) UK GDPR); must document a Legitimate Interest Assessment
Data retention period: Typically 30 days unless footage is needed for an incident, investigation, or legal proceedings; must have a documented retention policy
Subject Access Request response: Within 1 calendar month of receipt; can extend by up to 2 further months for complex or numerous requests
Body-worn cameras: Additional safeguards required; staff must be trained, cameras clearly visible, recording indicators displayed, and use governed by clear policy
Staff monitoring via CCTV: Must be transparent, proportionate, and have a legitimate aim; covert monitoring only in exceptional circumstances (e.g., suspected criminal activity) and requires senior management authorisation
Audio recording: Rarely justified in retail; requires stronger justification than video alone due to greater privacy intrusion
Third-party access: Footage should only be disclosed to law enforcement or other third parties where there is a legal basis (e.g., court order, crime prevention)
Code of practice: Surveillance Camera Code of Practice 2022 (12 guiding principles under Protection of Freedoms Act 2012 Section 29)

Loyalty programmes and customer data

If you run a loyalty scheme, you are processing personal data. Be clear with customers about what data you collect through the programme and how you use it. Common pitfalls include:

Using loyalty data for profiling or targeted marketing without a clear lawful basis
Sharing data with third parties (suppliers, marketing partners) without explicit consent or a transparent privacy notice
Retaining loyalty data indefinitely after a customer stops using the scheme
Not providing a way for customers to access, correct, or delete their loyalty data

What to do if something goes wrong

Common retail data breaches include: a laptop or tablet containing customer records being stolen, a mailing list being sent with all email addresses visible (CC instead of BCC), an online store being hacked, or CCTV footage being shared inappropriately.

If a breach occurs, contain it immediately, assess the risk to affected individuals, and report to the ICO within 72 hours if the breach poses a risk. Keep a record of all breaches, even those you decide not to report.

Official data protection guidance

ICO - SME web hub
Data protection guidance tailored for small businesses
ICO - Pay your data protection fee
Check your fee tier and register online
ICO - CCTV and video surveillance guidance
Detailed guidance on lawful CCTV use
ICO - Direct marketing guidance
Rules on marketing emails, texts, calls, and PECR compliance

Business Context Testing

Content Graph

Guvnor

Data protection for retail businesses

ICO registration fees

CCTV in retail premises

Loyalty programmes and customer data

What to do if something goes wrong

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

ICO registration fees

CCTV in retail premises

Loyalty programmes and customer data

What to do if something goes wrong

Related guides in Data Protection

Business Context Testing

Content Graph