GDPR fines: does your in-store customer management process put you at risk?

By Imogen Wethered, CEO and co-founder of a cloud-based technology platform, Qudini

Wethered: create GDPR compliance procedures for each scenario

As retail moves from transaction-focused stores to service-oriented in-store offerings, many retailers are implementing initiatives to improve their in-store customer experience. 

Initiatives include:

  • Queue management: store hosts/concierges who greet customers and take their names as they enter a store to manage them in a queue for service 
  • Appointments: enabling customers to book one-to-one appointments with advisors in advance
  • Events: allowing customers to register for workshops and events being hosted in-store.

Many retailers are still capturing customer details using paper and pen to support these initiatives. Yet they may have failed to realise that Customer Data captured with pen and paper is still subject to the GDPR once it forms part of a filing system, such as a queue sheet or an appointment diary, and that non-compliant processes put them at risk of fines.

Here are the processes retailers should seek to implement to manage in-store Customer Data in a GDPR compliant manner, whether using paper and pen or a digital system.

The GDPR risk for retailers

Businesses that are lax with Customer Data – especially when managing in-store customers for queues, pre-booked appointments or events – are increasingly likely to be fined by the ICO (Information Commissioner’s Office).

These fines are now much heavier than before. For example, last year Facebook was fined £500,000 by the ICO over the Cambridge Analytica scandal. At the time, this was the maximum fine the ICO was allowed to impose under the Data Protection Act 1998. 

Now, with the updated EU-wide legislation, there are two tiers of administrative fines that can be levied as penalties for GDPR non-compliance:

  1. Up to €10 million, or 2% of annual global turnover – whichever is greater; or 
  2. Up to €20 million, or 4% of annual global turnover – whichever is greater.

Which tier applies depends on the obligation breached. Failures of the core data protection principles, of the lawful basis for processing or of data subjects’ rights fall into the higher tier; inadequate security of processing and other controller and processor obligations fall into the lower tier.

Given Facebook’s worldwide revenue was $40.7bn (£31.5bn) in 2017, under the current regulations, the ICO could have imposed a fine of up to £1.26bn (4% of revenue).

Big fines are already biting

In July 2019, the ICO announced its intention to fine British Airways £183 million over a data breach that compromised the personal details of around 500,000 customers. In the same month, the multinational hotel chain Marriott International received notice of a proposed fine of £99 million for failing to protect some 339 million guest records. These were notices of intent rather than final penalties, and the amounts actually imposed in October 2020 were lower (£20 million for British Airways and £18.4 million for Marriott), but they remain far beyond anything the ICO could impose under the previous law.

Such massive fines are recognised as the beginning of a new era. It’s time to put GDPR firmly back on the agenda.

Does this sound like you?


Do you still use clipboards, paper and pen to take down customer details to manage in-store queues? Do you book appointments and events in paper diaries? Do you capture personal data such as names, addresses, emails and telephone numbers on paper? If so, you are not alone. Many major High Street retailers are still working in this way.

Every single one of these Customer Data capture methods risks not being GDPR compliant. It’s simply too easy to store or dispose of paper-based, personal data inappropriately. If this is you, urgent attention is needed.

Imagine loose pieces of paper on pedestals. Clipboards left in plain sight in stores. Sales reps who accidentally leave their paper diaries in a car, on a train or in a pub. Not to mention the risks when employees leave the business, taking their paper diaries with them. 

In these kinds of environments, properly managed security measures are very challenging. The opportunity for human error is huge and the financial and reputational risk to businesses could be devastating. 

More and more breaches are being reported

At a data protection conference held by the International Association of Privacy Professionals in London earlier this year, Stephen Eckersley from the UK’s ICO said there had been a “massive increase” in reports of data breaches. He expected a total of around 36,000 in 2019 alone. Complaints are rising just as fast: The Guardian reports that data protection complaints to the ICO almost doubled year-on-year, from 21,019 to 41,661.

Be GDPR safe: how to capture customer data on paper records at queues, appointments and events

When it comes to in-store customer management on paper and pen, such as writing down the names of customers joining a queue or booking onto an appointment or event, you should:

  • create GDPR compliance procedures for each scenario, ensuring written Customer Data is never left unattended, is kept in locked cabinets while it is needed, and is shredded or incinerated as soon as it is not
  • decide and write down how long each kind of record is kept (a queue sheet need not outlive the day; an appointment diary page need not outlive the appointment)
  • tell customers, at the point of capture, what their details will be used for and how long they will be held
  • assign GDPR compliance officers for each store location
  • provide initial and on-going staff training
  • ensure your regional managers carry out regular spot checks
  • ensure secure storage methods for offline data and secure disposal procedures (like shredding or incineration), and more.

Or for real GDPR confidence, go digital

Today, there are digital alternatives to paper records that build the retention and access controls the GDPR expects into the process itself. 

Digital tools, such as Qudini’s, ensure stored Customer Data is:

  • encrypted
  • only accessible to authenticated store staff, and only whilst the customer is in the queue or has an upcoming appointment
  • set to delete automatically at the appropriate time, whether immediately, an hour or a week later
  • hosted on a platform run under an ISO 27001 information security management system and kept patched against known vulnerabilities.

Bear in mind that a SaaS provider holding this data is a processor acting on the retailer’s behalf: the retailer remains the controller, and the arrangement needs a written contract meeting Article 28 of the GDPR that sets out the retention period and the security measures the provider must apply.
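The second and third bullets above describe a concrete data-handling pattern: staff can see a record only while the customer is actually in the queue, and the record is purged automatically once a configurable retention period has elapsed. The following is an added example of that pattern, written for this page and not Qudini’s code. It keeps records in memory (a real system would persist them encrypted), uses a constructed sample customer, and passes the clock in explicitly so the retention logic can be checked deterministically; `QueueStore`, `QueueEntry` and `Status` are hypothetical names.

```python
"""Added example (not Qudini's code): time-limited access and automatic
deletion for in-store queue records, as described in the bullets above."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Status(Enum):
    WAITING = "waiting"      # customer is in the queue; staff may view the entry
    SERVED = "served"        # customer has been served; retention clock starts
    CANCELLED = "cancelled"  # customer left without service; retention clock starts


@dataclass
class QueueEntry:
    entry_id: str
    name: str
    phone: str
    status: Status
    joined_at: datetime
    closed_at: Optional[datetime] = None  # set when the customer leaves the queue

    def purge_after(self, retention: timedelta) -> Optional[datetime]:
        """Moment at which this record must be deleted, or None while still active."""
        if self.closed_at is None:
            return None
        return self.closed_at + retention


class QueueStore:
    """In-memory store (assumption: a real system would persist encrypted records).

    `retention` is the grace period after the customer leaves the queue:
    timedelta(0) deletes immediately; timedelta(hours=1) or timedelta(days=7)
    match the "an hour or a week later" options in the text.
    """

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._entries: Dict[str, QueueEntry] = {}

    def add(self, entry_id: str, name: str, phone: str, now: datetime) -> QueueEntry:
        entry = QueueEntry(entry_id, name, phone, Status.WAITING, now)
        self._entries[entry_id] = entry
        return entry

    def close(self, entry_id: str, status: Status, now: datetime) -> None:
        """Mark the customer as served or cancelled; this starts the retention clock."""
        if status is Status.WAITING:
            raise ValueError("close() requires a terminal status")
        entry = self._entries[entry_id]
        entry.status = status
        entry.closed_at = now

    def read(self, entry_id: str, staff_authenticated: bool, now: datetime) -> Optional[QueueEntry]:
        """Return the entry only to authenticated staff and only while the customer
        is still waiting. Expired records are purged first, so a read can never
        hand back data that is past its retention deadline."""
        self.purge_expired(now)
        if not staff_authenticated:
            return None
        entry = self._entries.get(entry_id)
        if entry is None or entry.status is not Status.WAITING:
            return None
        return entry

    def purge_expired(self, now: datetime) -> int:
        """Delete every record whose retention deadline has passed; return how many."""
        expired = []
        for entry_id, entry in self._entries.items():
            deadline = entry.purge_after(self.retention)
            if deadline is not None and deadline <= now:
                expired.append(entry_id)
        for entry_id in expired:
            del self._entries[entry_id]
        return len(expired)

    def count(self) -> int:
        return len(self._entries)


def demo() -> dict:
    """Walk one constructed sample customer through a one-hour retention policy,
    then show the delete-immediately variant. Returns the observations as a dict."""
    t0 = datetime(2019, 7, 8, 9, 0, tzinfo=timezone.utc)
    store = QueueStore(timedelta(hours=1))
    store.add("q1", "A. Customer", "+44 7700 900000", t0)  # constructed sample data
    served_at = t0 + timedelta(minutes=10)
    out = {}
    out["visible_while_waiting"] = store.read("q1", True, t0) is not None
    out["hidden_without_auth"] = store.read("q1", False, t0) is None
    store.close("q1", Status.SERVED, served_at)
    out["hidden_once_served"] = store.read("q1", True, served_at) is None
    out["purged_at_59_min"] = store.purge_expired(served_at + timedelta(minutes=59))
    out["purged_at_60_min"] = store.purge_expired(served_at + timedelta(minutes=60))
    out["records_left"] = store.count()

    immediate = QueueStore(timedelta(0))
    immediate.add("q2", "B. Customer", "+44 7700 900001", t0)  # constructed sample data
    immediate.close("q2", Status.CANCELLED, t0 + timedelta(minutes=5))
    out["immediate_purge"] = immediate.purge_expired(t0 + timedelta(minutes=5))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to any real implementation: the retention deadline is derived from the moment the customer left the queue, not from when they joined, so a long wait never shortens the record’s life; and the purge runs on every read as well as on a schedule, so an expired record cannot be served to staff between sweeps.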

Better customer service, built in

In addition to enhancing GDPR compliance, Qudini also enables retailers to:

  • Improve sales and loyalty through a better informed and more engaging customer experience
  • Improve store productivity and resource allocation through tools that reduce workplace stress and help your staff to better manage their shop floor activities
  • Capture unique insights on your brick-and-mortar operations.

How Qudini can help you

Qudini offers B2B SaaS software that helps retailers grow their profitability by creating fantastic customer experiences and improving in-store operations. Its solutions include a digital Queuing System, Appointment Scheduling software, Event Management software and Task Management software.

To learn more about how to manage customers in a way that is GDPR compliant and rich with added benefits, go to: or visit:


Imogen Wethered is the CEO and co-founder of Qudini, a B2B SaaS business. She co-founded Qudini in 2012 after attending a Telefonica-sponsored hackathon. Now recognised on the Forbes 30 Under 30 list, Imogen and her team count global retailers Samsung, O2, Specsavers, Thomas Cook, John Lewis, Telefonica Global and IKEA among their clients.