Retail & Data Protection – Article 1: Why retailers should be talking about privacy

Monday 27th October 2025

Since the GDPR became law in 2018, the way retailers use data has developed exponentially. The ways to collect and use data have grown – loyalty schemes have become more sophisticated, AI tools are now embedded across marketing and ops teams, and customer journeys are increasingly data-driven. Since COVID-19, a myriad of tools have become available to retailers to monitor the productivity of their workforces, assist with recruitment, analyse customer service interactions, handle complaints, keep stores secure, and generally understand their customers through online tracking, heat mapping, and other sophisticated analytics.

Many of these technologies involve the processing of personal data, which triggers legal and regulatory obligations under data protection laws.

While technology has developed, the legal and regulatory principles have (largely) not changed.


Legal obligations in the face of new technologies

While it sometimes feels as though regulators are ‘catching up’ with innovative tech, regulators such as the ICO have drafted guidance to help organisations apply the law to new technologies in recent years.

As retail moves at such a fast pace, it is easy to implement new technologies and processing activities without fully assessing the legal and regulatory risk posed by that activity. Retrospectively risk-assessing can miss opportunities to mitigate risks and demonstrate compliance with data protection laws. Getting ‘Legal’ involved at the right time is important to be able to manage and mitigate these risks in partnership with the business and foster a culture of ‘Privacy by Design and Default’ as required under GDPR.

It’s a good time to take stock and ensure compliance is adequately covered and, where possible, used to retailers’ advantage: both to comply with applicable law and to increase customer trust and confidence.

Here are some key reasons why data protection should be at the top of the agenda in 2025, and beyond:


1. Cyber security risks

Cyber-attacks are now prevalent in the retail sector. Throughout 2025, we have seen multiple security incidents caused by malicious actors, and in addition the risk of human error causing data security issues can never be 100% eliminated. Our clients are advised to always prepare for an attack, as it is not a question of ‘if’ but ‘when.’ Preventative measures should be taken alongside business continuity, disaster recovery and breach plans. We advise clients to have a breach plan in place and to undertake tabletop exercises with key members of senior leadership, so they are prepared to deal with the effects of a breach and implement mitigation measures to protect personal data and ultimately maintain trust with customers and/or staff. Data breaches are not just about ICO enforcement, but about managing the wider reputational and financial risks which are inevitable where a significant breach takes place. Particularly in retail, there are material operational impacts which can go hand in hand with cyber breaches (for example, loss of sales where key systems are impacted, as has been the case with many high-profile incidents).


2. A changing marketing landscape – and new opportunities

While many, including the UK government, have commented on how the GDPR has put ‘red tape’ on organisations, certain relaxations have been introduced to our existing laws through the Data (Use and Access) Act 2025, which is a UK-specific piece of legislation. While fines for non-compliance with direct marketing rules will increase from £500,000 to the UK GDPR ‘ceiling’ of £17.5m or 4% of annual global turnover, whichever is greater, other changes to the cookies rules will make it easier to deploy ‘low risk’ analytics cookies without consent. This will be a welcome change for those operating in e-commerce or who otherwise want to track use across their websites and social media platforms.

As direct marketing has attracted the most regulatory enforcement of all data breaches and issues since the introduction of the GDPR, and with new consumer laws and AI guidance now in play, this is an opportune time for retailers to review their current marketing practices for compliance and to make the most of the relaxation of the cookies rules, which will be implemented shortly.


3. AI is attracting regulatory enforcement

AI is a key area which the ICO is watching, and as such retailers should ensure they have considered appropriate risk assessments, policies, and privacy information where personal data and AI processing are concerned. In 2025 the ICO published the outcomes of its consultation on generative AI, commenting that transparency is key. It has also noted it is “stepping up” its supervision of AI and biometric technologies to ensure people can trust that their personal data is used in ways that both drive innovation and earn people’s trust. Areas of focus appear to be: automated decision making in recruitment; facial recognition technology; training large language models; and agentic AI. Any retailer should be prepared to justify their data processing activities and ideally have documents to back up those positions.

New activity which may be deemed intrusive will also need consideration as to how it is communicated to individuals, including whether their consent is needed or, otherwise, how they are informed of the relevant activity and are able to opt out. Essentially, the more intrusive the processing, the more likely it is that considered and thorough risk assessments are needed to verify that the activity does not fall foul of applicable laws and, importantly, to document how risk is mitigated, even where it cannot be eliminated entirely.

This article is the first in a series exploring privacy and data protection in retail. Take a look at the other articles here.

Article 2 – Legitimate interest processing

If you would like any advice on privacy, contracts or AI, please contact one of our experts.