Demystifying GDPR - A Check List for Convenience Retailers


The General Data Protection Regulation (GDPR) is the new framework devised by the European Union to help safeguard people’s rights when it comes to their personal data, coming into effect on the 25th of May 2018. It's adding increased responsibilities onto all businesses that collect or process personal data and the fines for non-compliance are BIG, up to 20 million euros or 4% of your global turnover.

Don’t think a typical convenience store handles much data? You might need to think again.

Katie Jenkins, Head of Customer Proposition at Bolt Learning, highlights the key areas a convenience retailer will need to consider.



I have a website

If your websites sole purpose is as a standalone marketing site, you have little to worry about. However, if you collect any personal data via it, certain considerations need to be made.

Is there a newsletter sign-up form? If yes, make sure that you can collect consent from those signing up.

Can people order online? If yes, you will need to collect and protect certain details in order to deliver their goods.


I have an EPOS system

If you collect customer data via your EPOS, you’ll need to inform the customer exactly what is being collected, what it is being used for, gain positive consent, and be prepared to erase a customer’s details on request. 

Be aware of the physical theft of a terminal and put measures in place to limit the likelihood. Draw up a policy of what you and/or your staff should do in the event of a breach.



I send marketing materials to people

Consent must be a positive action (opt in rather than opt out) and the text must be clear and simple. You must record consents so that you can prove that active consent has been given. Always make sure to collect consent to send marketing SMS and emails, including an option to unsubscribe.


I have an offline/online database with customers’ personal details

One of the questions that GDPR forces retailers to ask is “do I really require all the personal data that I store on someone, in order to perform my contractual duty/function?” Only store the specific data relevant for a specific task, and you need to collect, and record, active consent.


Can my customers easily get access to the information I hold on them?

Your customers now have a right to request what information you hold on them, as well as the right to request that you delete, amend or port that data elsewhere. Create a process/plan for your staff to follow should any of these requests be made. Make sure that you refer to your customers rights and where they can exercise it in your privacy policy.


I hire companies to help me with payroll/HR/deliveries etc

You are responsible for the personal data that is in the possession of your suppliers. For each supplier make a list of all the personal data you send them – if some of the information you send isn’t necessary, then remove it. Check your suppliers are GDPR compliant; they must legally inform you of any potential breaches.



I employee people

Be careful not to pass on any employee’s details to anyone other than those performing a specific function for the business, e.g Payroll suppliers (who must be compliant too.). Ensure you have a retention policy for employee data (eg deletion 7 years after employment ended.) It is also an employer’s responsibility to ensure their employees are also aware of how these legislations affect them.


What if something goes wrong?

In case of data breach incidents, you may be required to inform your supervisory authority and your customers, within 72 hours of becoming aware of it.  Create a plan showing what you and your employees should do in the case of a data breach.


Need further advice?

Bolt Learning is offering two online training modules, contact us today by following the link below!


We also offer a GDPR eLearning demo which you can try for FREE!


Disclaimer: this article is not meant as legal advice. You must seek advice from your legal advisors to ensure complete compliance with GDPR.