The future of retail - When data protection meets the innovative world of in-store tech

As customers start to return to the High Street, retailers are looking at new and exciting ways in which to enhance their customers’ in-store experiences and to get the most from their processing of the potentially rich seam of customer personal data they can collect.

The UK market is beginning to see a range of new technologies deployed in physical sites, from “unattended retail” to use of facial recognition and retail experiences tailored to the customer.In this article, we discuss our “Top 5” data protection challenges (and opportunities) for physical retailers who are looking to develop and implement new in-store tech. 

  1. Bake-in data protection from the start The UK GDPR requires organisations to put in place appropriate technical and organisational measures to implement data protection principles effectively and safeguard individual rights. This is called “data protection by design and by default”. Retailers should therefore integrate data protection into their new processing technologies, from the design stage right through the lifecycle. We discuss some key considerations further below.

  2. Be fair, be transparent Transparency and fairness are cornerstones of UK data protection law. Your new technology is likely to process customer data in ways that they might not expect. Provide your customers with clear and accessible privacy notices that explain how your new technology will handle their data. Build-in processes that ensure your new technology is free of bias and does not discriminate between individuals. If you are making significant automated decisions about them, let them know and give them adequate recourse. Taking these steps will not only help you comply with the law, but will also strengthen your relationship with your customers. Good, clear privacy notice wording will also help you justify your lawful basis for processing your customer data, which leads us on to… 

  3. What is your lawful basis? The UK GDPR requires you to have a lawful basis for how you process your customers’ personal data. Your lawful basis connects to the purpose for which you are processing their data. You have a number of lawful bases to choose from, but some will be more appropriate than others. Retailers often seek to rely on legitimate business interests to justify their new processing, but should ensure that their legitimate interests balance up against the privacy rights of customers. The type of personal data you process is also important. If you are processing “special” categories or data (such as ID biometrics), you will need to have an extra basis for processing that data, such as the customer’s explicit consent. If you chose consent as your lawful basis, how will you collect those consents? If your customer decides to withdraw their consent, how will you implement this? 

  4.  Your customers have data rights Individuals have a number of legal rights they can exercise in relation to their data. Since GDPR came online, we have seen customers become increasingly savvy and pro-active about exercising those rights. How will your systems deal with customer requests to access their data; to have it erased; to have it transferred; or to cease processing it? This is not just a compliance challenge, but also a chance to show your customers that you respect their rights and process their data in a lawful way.

  5. Do an impact assessment Your processing will involve new technologies. You will also want to reduce the risks to your customers’ privacy. You should therefore document and record a data protection impact assessment (“DPIA”) when you embark on your new technology project. The DPIA will help you to identify the risks to your customers’ privacy rights and ways in which you can mitigate them. It might also cover the issues we mention elsewhere in this article. You should involve a range of stakeholders in producing the document, including your organisation’s data protection officer (if you have one).Not only will a good DPIA help you demonstrate your accountability and compliance with UK GDPR if the ICO comes calling, it will also be a useful project document in its own right. …and don’t forget This article has covered the key issues that retailers should consider when implementing new in-store technology to process their customers’ data. It is not an exhaustive list. In addition to these challenges, retailers should take into account UK GDPR principles such as data security; data accuracy; and storage periods for customer data. These are challenging times for physical retailers, but they are also exciting ones for in-store technology. Retailers who can balance commercial opportunity with good data governance will be the ones best placed to inspire customers and retain their trust and loyalty.

To discuss how to make sure your business is compliant with current data and e-privacy regulations please contact Freeths’ National Head of Retail, Philippa Dempster at, or our Head of Data, Luke Dixon at


The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.

Get in touch

Contact us today

Whatever your legal needs, our wide ranging expertise is here to support you and your business, so let’s start your legal journey today and get you in touch with the right lawyer to get you started.


Get in touch

For general enquiries, please complete this form and we will direct your message to the most appropriate person.