GDPR calls for several core technologies to be deployed in order to operate a proactive approach to cybersecurity.The most disruptive of these web and mobile applications from an adoption viewpoint is the requirement that all data is kept encrypted at all times. Previously, encrypting data during transfer across public facing networks has been sufficient to comply with Data Protection legislation. When GDPR comes into effect, data must be encrypted when it is captured, transferred, processed and stored.

From an operational point of view, a business must begin to proactively identify and evaluate risks to data security and implement business processes to mitigate these risks. Furthermore, there is a requirement for all actions performed on datasets, such as analysis, reporting etc., to be managed by a data controller, who takes responsibility to ensure that the data is kept secure at all times.

Make Consumer Data Available

With GDPR consumers have an increased level of protection when it comes to how a company captures and uses their private data. Under General Data Protection Regulation (GDPR) every individual has the right to request to see a copy of all data a company has on them. This data must be provided to the individual promptly and in a format suitable for accessing using basic technologies such as a web browser or text editor.

Additionally, every individual now has a “right to be forgotten” meaning that upon request, the business must delete all data that it has stored associated with the person.

Manage Internal Data

In a similar way to consumer data being made available to consumers and also the right to be forgotten, employees of a company will have new rights under GDRP with regard to the data the company stores about them.

Every employee has the following rights under GDPR:

  • To be informed of how their private data will be used.
  • To have access to all data pertaining to them on request.
  • To have any mistakes in data stored about them corrected.
  • The right to prevent their personal data being processed if they wish.
  • The right to take their personal data with them when they leave the company.


For grocery vendors, this means that key business systems such as vehicle scheduling, HR management, payroll etc. must now conform to the above employee rights.

Revise Data Collection Methods

GDPR will have some serious effects on the way that a grocery business can collect information about its customers. This will affect many proven ways that retailers have used private data in the past to maximise sales and generate revenue.

Browser cookies, the use of third-party consumer data, as well as any way that digital information is used to track consumer actions such as loyalty schemes and referrals, are all affected by GDPR.

The single change under GDPR which has had this effect is the new requirement for all private data to be anonymised. What this means is that all data that is stored must traceable back to a specific person. In other words, it is now illegal to capture and store a person’s contact details along with transactional data such as website tracking data.

Modify Marketing Communications

Grocery retailers, especially those that operate some form of e-commerce platform, or use any form of digital marketing, are going to need to rethink their marketing approach to become compliant with GDPR.

Under GDPR two key requirements entirely change the face of digital marketing, these are:

  • Data can only be captured for a specific relevant purpose. This means that capturing additional consumer data at the point of sale in order to remarket to them at a later stage is now illegal.
  • Consumers must give consent for all data captured about them to be used by the grocery retailer. Meaning that no data can be captured without telling the consumer how it will be used, and the consumer giving their consent.


In Conclusion

GDPR is a massive change to the way that every organisation will need to operate. Grocery retailers who rely on digital channels for marketing and sales will need to make some extensive revisions to their business processes as well as changes to core technologies to become compliant.

This short article has really only scratched the surface of the implications of GDPR for grocery retailers. The full GDPR guidelines take up several volumes.