1

1. Register with the ICO and pay your data protection fee

Almost all businesses processing personal data must pay an annual fee to the Information Commissioner's Office (ICO). Register before you start processing personal data. The fee depends on your size and turnover.
2

2. Identify what personal data you hold and why

Map the personal data your business collects. Common retail data includes customer contact details, purchase history, loyalty programme records, CCTV footage, delivery addresses, and marketing preferences. Record the lawful basis for each type of processing.
3

3. Write and publish your privacy notice

Create a clear privacy notice explaining what data you collect, why, how long you keep it, and how customers can exercise their rights. Display it on your website, in-store, and at the point of data collection.
4

4. Set up consent mechanisms for marketing

Under PECR (Privacy and Electronic Communications Regulations), you need specific opt-in consent before sending marketing emails, texts, or making marketing calls. Use clear opt-in checkboxes (never pre-ticked) and keep records of when and how consent was given. Provide easy unsubscribe options in every communication.
5

5. Establish CCTV compliance procedures

If you operate CCTV, complete a Data Protection Impact Assessment, display clear signage at all entry points, set a retention policy (ICO recommends 30 days), and train staff on handling subject access requests for footage.
6

6. Create a data breach response plan

Prepare a plan for responding to data breaches. You must report breaches posing a risk to individuals to the ICO within 72 hours of becoming aware of them. Notify affected customers if the breach poses a high risk to their rights and freedoms.

UK General Data Protection Regulation (UK GDPR)

Retailers handling customer personal data must comply with UK GDPR. This covers collecting, storing, and processing customer information including names, addresses, email addresses, purchase history, and marketing preferences.

Seven key principles

Personal data must be:

Lawful, fair, transparent: Clear about what data you collect and why
Purpose limitation: Only use data for stated purposes
Data minimisation: Collect only what you need
Accuracy: Keep data up to date and correct
Storage limitation: Delete data when no longer needed
Integrity and confidentiality: Keep data secure
Accountability: Demonstrate compliance

Lawful bases for processing

You need a lawful basis to process personal data. For retail, common bases are:

Contract: Processing necessary to fulfil customer orders
Legitimate interests: Fraud prevention, business analytics (after balancing test)
Consent: Required for marketing emails and non-essential cookies
Legal obligation: Compliance with tax and accounting laws

Customer rights

Customers have the right to:

Be informed: Know what data you collect and how you use it (privacy notice)
Access: Request copies of their personal data (respond within 1 month)
Rectification: Correct inaccurate data
Erasure: Delete data in certain circumstances ('right to be forgotten')
Restrict processing: Limit how you use their data
Data portability: Receive their data in machine-readable format
Object: Stop certain processing (e.g., direct marketing)

Marketing consent

For marketing communications:

Obtain clear, specific consent (opt-in, not pre-ticked boxes)
Keep consent records
Provide easy unsubscribe options
Honour unsubscribe requests promptly
Only send marketing to those who consented

Data breaches

If customer data is lost, stolen, or accessed without authorisation:

Report to ICO within 72 hours if breach poses risk to individuals
Notify affected customers if breach poses high risk
Keep records of all breaches

ICO registration fee

Most businesses must pay an annual data protection fee to the ICO:

Tier 1 (Micro): £52 - turnover ≤£632,000 and ≤10 staff
Tier 2 (Small/Medium): £78 - turnover ≤£36m and ≤250 staff
Tier 3 (Large): £3,763 - above tier 2 thresholds (fees uplifted 17 February 2025; £5 direct debit discount)

Privacy notice: Create and publish a clear privacy notice explaining what data you collect and why
Subject access requests: Implement procedures for responding to subject access requests within 1 month
Marketing consent: Review consent mechanisms for marketing - ensure opt-in (not pre-ticked boxes)
Data security: Implement secure data storage and access controls
Breach response plan: Develop data breach response plan
ICO registration: Pay annual ICO data protection fee
Staff training: Train staff on data protection responsibilities
Impact assessments: Conduct Data Protection Impact Assessments for high-risk processing
Data retention: Review data retention periods and delete data no longer needed

Register with the ICO as a data controller

Guide to GDPR for small businesses

ICO registration fees

Your fee tier depends on your organisation's size and turnover. Most small retailers fall into Tier 1 or Tier 2. You can check your tier and pay online through the ICO website.

Data Protection Fee

Data Protection Fee - Processing personal data (customer records, CCTV, marketing)

Regulator: Ico
Typical fee: £52 (micro-organisations), £78 (small/medium), £3,763 (large) — uplifted 17 February 2025
Timeline: Register before processing personal data
Frequency: annual
Legal basis: UK GDPR; Data Protection Act 2018; Data Protection (Charges and Information) Regulations 2018

Mandatory for most businesses processing personal data. Three tiers: £52 (turnover ≤£632k, ≤10 staff), £78 (turnover ≤£36m, ≤250 staff), £3,763 (larger organisations). Exemptions for some sole traders, not-for-profits. Must comply with UK GDPR principles. Keep records of processing. Appoint DPO if required. ICO can audit and fine for non-compliance.

CCTV in retail premises

CCTV is common in retail for security, loss prevention, and staff safety. However, operating CCTV makes you a data controller for the footage, bringing additional obligations under UK GDPR.

CCTV in retail premises - data protection obligations

Data protection obligations for retail CCTV under UK GDPR and the DPA 2018, following the ICO's Video Surveillance Guidance — signage, data retention, subject access requests, body-worn cameras and staff monitoring rules.

Retailers using CCTV must comply with UK GDPR and the Data Protection Act 2018, following the ICO's Video Surveillance Guidance. (The separate Surveillance Camera Code of Practice under the Protection of Freedoms Act 2012 binds police and local authorities in England and Wales, not retailers.)

Data Protection Impact Assessment: Required before installing CCTV; must assess necessity, proportionality, and impact on individuals' privacy
Signage requirement: Clear, visible signs at entry points stating CCTV is in operation, its purpose, and contact details of the data controller (DPO if applicable)
Lawful basis for CCTV: Typically legitimate interests (Article 6(1)(f) UK GDPR); must document a Legitimate Interest Assessment
Data retention period: Typically 30 days unless footage is needed for an incident, investigation, or legal proceedings; must have a documented retention policy
Subject Access Request response: Within 1 calendar month of receipt; can extend by up to 2 further months for complex or numerous requests
Body-worn cameras: Additional safeguards required; staff must be trained, cameras clearly visible, recording indicators displayed, and use governed by clear policy
Staff monitoring via CCTV: Must be transparent, proportionate, and have a legitimate aim; covert monitoring only in exceptional circumstances (e.g., suspected criminal activity) and requires senior management authorisation
Audio recording: Rarely justified in retail; requires stronger justification than video alone due to greater privacy intrusion
Third-party access: Footage should only be disclosed to law enforcement or other third parties where there is a legal basis (e.g., court order, crime prevention)
Guidance: ICO Video Surveillance Guidance (UK GDPR / DPA 2018) — the applicable framework for retailers

Loyalty programmes and customer data

If you run a loyalty scheme, you are processing personal data. Be clear with customers about what data you collect through the programme and how you use it. Common pitfalls include:

Using loyalty data for profiling or targeted marketing without a clear lawful basis
Sharing data with third parties (suppliers, marketing partners) without explicit consent or a transparent privacy notice
Retaining loyalty data indefinitely after a customer stops using the scheme
Not providing a way for customers to access, correct, or delete their loyalty data

What to do if something goes wrong

Common retail data breaches include: a laptop or tablet containing customer records being stolen, a mailing list being sent with all email addresses visible (CC instead of BCC), an online store being hacked, or CCTV footage being shared inappropriately.

If a breach occurs, contain it immediately, assess the risk to affected individuals, and report to the ICO within 72 hours if the breach poses a risk. Keep a record of all breaches, even those you decide not to report.

Official data protection guidance

ICO - SME web hub (opens in a new tab)
Data protection guidance tailored for small businesses
ICO - Pay your data protection fee (opens in a new tab)
Check your fee tier and register online
ICO - CCTV and video surveillance guidance (opens in a new tab)
Detailed guidance on lawful CCTV use
ICO - Direct marketing guidance (opens in a new tab)
Rules on marketing emails, texts, calls, and PECR compliance

Data protection for retail businesses

Annual retail compliance checklist

Retail sector market overview

NHS Data Security and Protection Toolkit compliance

Data protection and CCTV for hospitality businesses

Data protection for healthcare providers

1. Register with the ICO and pay your data protection fee

2. Identify what personal data you hold and why

3. Write and publish your privacy notice

4. Set up consent mechanisms for marketing

5. Establish CCTV compliance procedures

6. Create a data breach response plan

ICO registration fees

CCTV in retail premises

Loyalty programmes and customer data

What to do if something goes wrong

Official data protection guidance

Related guides in Data Protection

Annual retail compliance checklist

Retail sector market overview

NHS Data Security and Protection Toolkit compliance

Data protection and CCTV for hospitality businesses

Data protection for healthcare providers

1. Register with the ICO and pay your data protection fee

2. Identify what personal data you hold and why

3. Write and publish your privacy notice

4. Set up consent mechanisms for marketing

5. Establish CCTV compliance procedures

6. Create a data breach response plan

ICO registration fees

CCTV in retail premises

Loyalty programmes and customer data

What to do if something goes wrong

Official data protection guidance