Data protection for retail
As a retailer, you are likely to hold and use a wide variety of personal information, both from the people you employ through to your customers.
The UK General Data Protection Regulation (GDPR) revolutionised the way we manage data. Organisations breaching the GDPR face penalties of up to €20 million or 4% of global turnover, whichever is highest.
Our specialist lawyers are here to advise and assist you with your strategic approach to handling data within your organisation. We have considerable knowledge and experience advising on the day-to-day use of data within your business, as well as privacy issues associated with behavioural advertising and location information, browser-generated information and device recognition technologies.
What we do
- Retail sector experience – we have been advising retail clients for over 30 years, and have an established retail and commercial practice, advising a wide range of household names, both nationally and internationally. Our retail client base of over 180 retailers includes many luxury brands and high street names, with portfolios of over 3,000 properties.
- Developments in privacy laws and guidance - we regularly advise clients on the implications of developments in privacy laws and guidance. We understand how the GDPR impacts UK businesses and can help make it clear how to comply and remain compliant in a cost-effective way.
- Draft and review of contracts – we support our clients in drafting and reviewing contracts, licensing agreements, service agreements, privacy notices, and other policies and procedures to help ensure compliance with European data protection rules. We advise on complaint website privacy notices, website terms and conditions and cookies policies.
- Data protection issues associated with marketing activities – we help our clients deliver compliant marketing activities such as obtaining consent for marketing communications, the use of suppression lists and the purchase and sale of marketing databases.
- Supporting data breach management - we provide legal support to clients at all stages, including preparation and prevention, training, crisis management and resolution and recovery. We have strong connections with third parties who can provide specialist non-legal support, for example, threat intelligence, IT security specialists, ethical hackers/penetration testers, public relations and credit monitoring. We can manage the process to ensure a coordinated approach protected by legal privilege. We offer a range of services advising companies on their internal approach to data protection and privacy and data breaches.
- Responding to and undertaking law enforcement requests for access to personal data - we advise clients on managing requests for information from a wide range of UK and overseas law enforcement bodies. In the UK, we have advised clients on complying with mandatory and discretionary requests, always mindful of the risks arising from the Freedom of Information Act. We have, working with overseas counsel, advised clients on their obligations to comply with non-UK authorities.
- Responding to and undertaking subject access requests (SARs) - we regularly receive instructions to advise on SARs. Clients appreciate our strategic guidance about how to respond and whether to resist, for example, by relying on case law and the application of exemptions. We have a wealth of experience in dealing with and successfully defending our position with the ICO. We can also call on a team of paralegal and junior fee earners to assist with the disclosure process.
- Training and updates - we offer bespoke on-site training for clients in a range of sectors on data protection and cybersecurity issues. Our wider programme of training and legal updates also enables you to stay informed on developments in privacy laws and guidance.
- Transfer of data outside the European Economic Area - we have both the experience and the relationships to enable us to upscale resources to support clients with privacy advice in its overseas jurisdictions. This includes advising on the use of Safe Harbor certification and the use of model clauses and binding corporate rules.
- Development of new technology - we have worked on cutting edge technologies to capture, analyse and learn from data with the likes of Experian and Capital One.
Featured experience
FTSE retailer: major enterprise cloud hosting
Advising a FTSE retailer on the data protection implications of a major enterprise cloud hosting deal and advising on the data protection implications of numerous different technologies including cloud systems, apps, financial technologies, CRM systems etc.
Global brand: hacking of customer database
Advising a global brand on cyber security following the hacking of its customer database. The advice covered compliance with UK, Irish and German data protection laws, engagement with regulators and law enforcement agencies, reputation management, communications with affected individuals and legal proceedings against its service provider.
Games Workshop: data protection and privacy
Advising Games Workshop in relation to a number of data protection and privacy issues including the implications of introducing CCTV into its stores worldwide and whether it is possible for Games Workshop’s international stores to carry out criminal record checks on employees in those countries and any relevant considerations in respect of this.
Experian: data flows, data maps and international data transfers
Working with Experian to understand its data flows, data maps and international data transfers.
Related expertise
Key contacts
Caroline Green
Senior Partner
Richard Nicholas
Partner
You may be interested in...
Legal Update
How to negotiate better ‘green’ provisions in your leases
Opinion
The Metaverse's influence on real estate: Implications for commercial retail clients and law firms
Guide
How to manage retail sector supply contracts and avoid disputes
Legal Update
Pitfalls for retailers to avoid when offering access to ‘buy now, pay later’ products
Opinion
Supreme court rules on retail tenant's service charge bill
Published Article
Consumer duty part 3 - 'The drill-down' into the 'cross-cutting' rules
Press Release
Browne Jacobson’s retail lawyers advise Wilko on its strategic £48m sale and leaseback of Nottinghamshire distribution centre to DHL
Legal Update
Is this the end for free returns?
Earlier in the year a number of fashion retailers, boldly announced the introduction of a charging fee for returning any product purchased via their online store. Yet, despite this commercial, and perhaps somewhat controversial decision, at least one major fashion giant that adopted this approach has recorded ‘historic highs’ in its September profits. Browne Jacobson partner, Cat Driscoll who heads up the firm’s commercial team in Manchester and is also head of its Fashion & Beauty sector discusses whether this change has put the average consumer off and whether the days of free returns are long gone.
Published Article
AI generated designs on retail products
Every AI will have its own terms of use. DALL·E 2’s Terms of Use dated 3 November 2022 specify that as between a user and Open AI, a user owns their prompts and uploads. Open AI also assigns to the user all rights in any images generated by DALL·E 2 for that user (subject to the user complying with those Terms of Use, and to a licence to use inputs and output to develop and improve the services).
Published Article
Consumer duty part 2 - 'The drill-down' into the 'cross-cutting' rules
Opinion
Don't look down
An engineering company in Tyne and Wear was fined £20,000 after a worker fractured his pelvis and suffered internal injuries after falling through a petrol station forecourt canopy, whilst he was replacing the guttering.
Published Article
Luxury brands and sustainability – The challenges and solutions
Legal Update
Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
Legal Update
W (No.3) GP (Nominee A ) Ltd and another v J D Sports Fashion Plc (Nottingham County Court, 22 October 2021)
The County Court refuses the landlord’s request to include a turnover rent in a statutory lease renewal.
Legal Update
Macey v Pizza Express (Restaurants) Ltd [2021] EWHC 2847 (Ch)
A landlord did not demonstrate the requisite intention required to oppose a statutory lease renewal underground (g).
Legal Update
Stonecrest Marble Ltd v Shepherds Bush Housing Association Ltd [2021] EWHC 2621 (Ch)
Where a lease provides a comprehensive scheme of repair and insurance, the court will not imply terms to cover any gaps in that scheme.
Press Release
Wolverhampton based Slick Stitch secures major contract with high street retail giant
Legal Update
Capitol Park Leeds Plc and another v Global Radio Services Ltd [2021] EWCA Civ 995
A tenant who handed back an empty shell of a building had complied with a condition of its break option to give vacant possession of the property.
Opinion
Handing back an empty shell of a building did not prevent a tenant from exercising a break clause
Break rights have proved a fertile source of litigation over the last few years. More often than not, tenants have found themselves on the wrong end of the decisions. However, a Court of Appeal decision yesterday has bucked that trend.
Opinion
Commercial landlord and tenant: Ban on evictions extended
Stephen Barclay the Chief Secretary to the Treasury has today announced that the ban on commercial evictions is to be extended to 25 March 2022.
Legal Update
Sara & Hossein Asset Holding Ltd v Blacks Outdoor Retail Ltd [2020] EWCA Civ 1521
A landlord’s service charge certificate was conclusive as to the sums payable by a tenant under a lease.
Opinion
A landlord’s service charge certificate was conclusive as to the sums payable by a tenant under a lease
The Court of Appeal has ruled that the wording of a service charge clause precluded a tenant from challenging the sums claimed by a landlord.
Published Article
Top tips for implementing ‘Data Protection by Design & Default’
The GDPR requires all businesses to implement ‘Data Protection by Design & Default’ but what does that mean in practice and how can businesses practically comply?
Training
Richard Nicholas provides a data protection update
As part of our regular updates for in-house lawyers, Richard takes a look at what has changed in data protection law over the last six months
Training
Ros Foster talks about developments in information law including the recent Morrisons case
Ros takes a look at liability and risk arising from data protection legislation and the Freedom of Information Act.