Now more than ever, retailers are faced with a wide array of opportunities to use customer data to achieve their commercial objectives. RPC explains that by spotting and assessing key risks early, organisations will be better equipped to avoid breaches of data protection law that may lead to costly fines or claims, failed projects and reputational damage.

Retailers are increasingly relying on digital tools that use customer data to maximise growth and further other business aims, such as optimising supply chains or improving safety in stores.  

Investing in tech

In a recent survey by WNS and Forrester Consulting, highlighted by the British Retail Consortium, almost half of respondents (46%) cited investing in technologies as their key initiative to address business priorities, with 35% identifying digital or data transformation as their main initiative.  

The way in which retailers can utilise data-intensive tools is vast, from shopfloor technologies, such as proximity marketing via Bluetooth or footfall analytics, to back-end big data and analytics projects, such as those aimed at establishing a unified customer view across multiple touchpoints.

What the range of technologies often have in common is the large-scale use of customer personal data, which is heavily regulated worldwide and in particular in the UK and EU.  

Protecting privacy

The expanding opportunities to leverage data coupled with the risks of getting it wrong have driven the privacy and security of personal data up the priority list in boardrooms.

For example, although 71% of respondents to the WNS/Forrester survey identified speech analytics as one of the top AI technologies they expect to implement, most would be unaware that earlier this year Budapest Bank was fined €650,000 for multiple GDPR breaches in deploying speech analytics to identify the emotional state of customers.  

Reducing risk

Fortunately, there are a number of ways that retailers can mitigate this risk.

Firstly, retailers should have processes in place to detect privacy risks early, at the start of negotiations with a vendor or the development of an in-house solution.

Retailers should also consider the types of personal data that will need to be processed and make sure this goes no further than necessary.

“It is crucial to consider transparency obligations. If it’s not possible to explain this in layman’s terms, it’s unlikely that the tools will meet the requirements under data protection laws”

It may be possible to pseudonymise (de-identify) data or otherwise reduce privacy risks without jeopardising objectives.  

They should also consider the key principles of data protection law when leveraging data in this way, such as security and data retention.

It is especially crucial to consider transparency obligations and how to make technology explainable. If it’s not possible to explain this in layman’s terms, it’s unlikely that the tools will meet the transparency requirements under data protection laws.

There are also few substitutes for thorough due diligence on any third-party vendor to fully assess any privacy risk they present.  

Top tips for processing data

Here are some practical pointers that retailers could adopt when developing or onboarding tools that rely on processing customer data:  

  • Consider an internal early-warning system for privacy risk (trained ‘privacy champions’, for example) and ensure that you can develop usable guidelines and training for those staff acting as your eyes and ears.  
  • Ensure that contracts contain the mandatory provisions required by law, consider how best to restrict the vendor’s use of customer data contractually and negotiate protections around liability and penalty-free termination rights where you can demonstrate reasonable privacy concerns.  
  • Think practically when giving privacy information, such as using verbal notices or in-store signage.
  • Ensure that personal data is deleted when no longer needed and restrict who has access to the customer data and how it is used internally.  

By setting up processes to identify and assess risk early, retailers can set a compliant direction, document the steps taken to comply with data protection laws and avoid costly delays or retrofits.  

Want to know more?

Read about the latest retail and consumer law developments in the latest edition of Retail Compass:

Retail compass softcopy postcard (1)

Jon Bartley, RPC

Jon Bartley is a partner at RPC

Bartley has more than 20 years’ experience as a commercial and data protection lawyer and heads RPC’s Data Advisory practice. He assists household-name clients on data protection and cybersecurity issues and was noted as being “extremely strong in the field” by the Legal 500 in 2020.

+44 20 3060 6394


Amy Blackburn, RPC

Amy Blackburn is an associate at RPC

Blackburn is a commercial associate advising on data privacy and cybersecurity issues. Amy has experience across a wide range of data privacy and cybersecurity matters, including GDPR and PECR compliance, data processing agreements and cross-border data transfer.

+44 20 3060 6757