The new General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018, bringing with it a raft of new data protection and privacy obligations. 

In response, major UK grocery retailers - like most businesses - have updated their privacy policies and created dedicated data privacy hubs for consumers.

The stakes for the grocers are high in this new era of data privacy, says Mark Roy, chairman and founder of REaD Group.

“Supermarkets have traditionally benefited from a unique relationship with customer data, through the existence of loyalty schemes. They therefore have the most to gain, and indeed lose, from this shake-up. 

“Today’s post-GDPR world comes with new responsibilities and dangers. Knowing whether someone prefers broccoli over carrots is one thing, but knowing which medicines they buy and how frequently they buy them at the pharmacy shelf is quite another.”

While it’s clearly important for businesses to be GDPR compliant - or at least show they are on a journey towards compliance - the scope and sheer complexity of the new data regulations mean there is a fair amount of uncertainty around exactly what is required.

So how are the UK’s supermarkets interpreting the new data requirements? 

We asked a panel of four data protection experts to review their privacy hubs and share their thoughts on key differences, best practice - and what needs to be improved.

Note: The privacy hubs were reviewed in the week after 25 May and reflect the information that was provided at the time.

Our panel of experts

Matt Brown (top left), Inderjit Mund (top right), Egil Bergenlind (bottom right) and Lara Keenan

  • Lara Keenan, partner at Child & Child, Globalaw
  • Egil Bergenlind, founder and CEO of DPOrganizer and former data protection lawyer
  • Matt Brown, partner and head of commercial (Liverpool) at Brabners
  • Inderjit Mund, data practice director at Jaywing 


What are the key differences between supermarkets?

Egil Bergenlind: “Tesco and Sainsbury’s both have a page to display the traditional privacy notice as well as a privacy centre, or hub, where the reader can explore the supermarkets’ use of data in further detail.

Waitrose and Morrisons have more traditional privacy notices, with expandable sections where readers can click to learn more about different topics such as personal data processed, data subject rights, or third parties that personal data is disclosed to. 

Asda also has a privacy centre, but the information is more traditional. It does, however, let the visitor choose information based on who they are, e.g. an employee or a customer, allowing them to be presented with more relevant information about how their data is used.”

What’s working well?

Lara Keenan: “In its privacy policy, Morrisons presents a clear breakdown of the types of consumer data it collects, which is well arranged under relevant headings. Morrisons refers to specific examples, such as collecting data about a customer being pregnant, which will enable the supermarket to target customers with maternity wear or nappies nine months later, for example. The amount of technical data listed is also very comprehensive, suggesting Morrisons has put great thought into exactly which types of data are being captured.”

Matt Brown: “There are lots of positive elements to the supermarkets’ privacy hubs. The layout and way of communicating key information shows that thought and work has gone into preparing for GDPR. At this stage, this is exactly what the ICO will want to see – major retailers taking ownership for the data they process and making this information accessible to customers.”

Lara Keenan: “Overall, Tesco demonstrates a well laid-out policy for compliance with GDPR, adopting a layered approach that encourages the ICO and helps customers navigate their way around the new policy. Tesco just needs to ensure it always has evidence to justify its ‘legitimate interest’ basis for data processing and collection and keeps that under review. It should also consider publicising that legitimate interest as part of its policy.”

Morrisons won praise for providing a detailed breakdown of the types of customer data it collects

Egil Bergenlind: “Asda explains and outlines quite extensively the various legal grounds that it relies upon for its various processing activities. Waitrose explains the legal grounds and connects them to the processing activities, which is good. But I like that Morrisons goes a step further and includes a table where the relationship between the type of personal data being used, the purpose of processing it, and the applicable legal grounds is clearly outlined.”

Lara Keenan: “Waitrose collects comprehensive data around consumer behaviour, storing personal data ranging from our clothing size to our skin colour. However, it does provide legitimate justification for its data collection, also maintaining strong links to its provider’s individual privacy policies. Overall, Waitrose demonstrates a solid GDPR compliance strategy, providing useful examples of how and why a consumer’s data may be relevant, making it easy for consumers to understand exactly how their data is being used.”

Is the language easy to understand for consumers?

Inderjit Mund: “As one would expect, all policies cover the topics the ICO recommends: from the personal data they use; how they use it; why they can use it; through to what to do to stop them using it. However, some explanations are easier to digest than others. Phrases such as “data controller”, “legal bases”, “legitimate interests” are prevalent with the expectation the reader will be familiar with this phraseology, like those of us that have been living and breathing the GDPR since 2016.”

Egil Bergenlind: “Tesco’s privacy policy is written in language that is quite easy to understand and certain key terms are explained through pop-ups (eg data controller). The rest of the privacy centre contains graphics and descriptive texts in easy to understand language. Asda is also easy to understand and based on short notices that give a very general overview, while Morrisons has adopted an easy to understand keyword-oriented style.”

Sainsbury’s makes extensive use of bullet points, helping to break up complex information

Egil Bergenlind: “Sainsbury’s mostly uses a bullet point style with full sentences. The language used in the privacy policy is slightly legalese, but the rest of the privacy hub provides more description and adds context, which is helpful. Waitrose, too, uses language that might be a bit too legalese for the average member of the public to quickly and easily understand.”

Where is there room for improvement?

Lara Keenan: “Sainsbury’s does not consider data surrounding customers’ shopping preferences as ‘personal data’, yet it claims to use personal data to ‘personalise your shopping experience with us’. This seeming contradiction means Sainsbury’s is open to challenge here because it hasn’t clearly identified the data it is holding. Further, it fails to justify the processing of each category of data.”

Egil Bergenlind: “Tesco breaks down the legal grounds for each purpose of processing but does not connect these clearly to the different legitimate interests behind this processing. Sainsbury’s lists the legal grounds but does not connect them to specific processing activities.”

Lara Keenan: “Under the heading ‘What information do we collect and how do we use it?’ Asda fails to clearly identify the data it is holding, confusing the question of ‘what’ with ‘how it is used’. This is a poor showing in a post-GDPR world. Only upon rooting through an overly complicated system of drop down boxes is it possible to find a statement on the collection of customer shopping preferences. The supermarket also fails to list examples of what data is collected when a consumer purchases products via a cashier (as opposed to using a scan-and-go machine).”

Matt Brown: “It’s fair to say the hubs are not the finished article. There is a notable lack of detail from almost all of the supermarkets on what lawful basis they are using to process data. This is something the ICO will expect to improve over time, along with more specific information on how data is used, how long it is stored for and what third parties it is shared with. The key takeaway here is that the supermarkets need to be much more granular in outlining how and why they process data, and how they have secured the right to do so – was consent given or a legitimate interest identified, for example? The other challenge is to ensure there are processes in place behind the scenes to fulfil the commitments these privacy policies outline.”

Who does it best overall?

Lara Keenan: “Without doubt, in my view the standout supermarket for GDPR compliance is Morrisons. It provides comprehensive and legally compliant information, which is clearly sign-posted, if a bit excessive.”

Egil Bergenlind: “Sainsbury’s, Asda and Tesco have all made a real effort in trying to build trust with their customers, which is great. Tesco’s and Sainsbury’s privacy centres/hubs have plenty of information, presented in relatively easy to understand language, with helpful graphics to guide visitors.”

Asda’s clean and clear presentation impressed experts

“But sometimes being presented with a lot of information can be overwhelming, especially to the average member of the public for whom data processing may be a very alien concept, and people can struggle to understand what is relevant to them.

This is where Asda really comes out on top as a result of its reader-centric approach - it allows visitors to only receive information relevant to them, by encouraging them to specify who they are (e.g. a customer or an employee) before digging into details.”

Inderjit Mund: “Asda’s privacy centre stands out as the most consumer friendly and readable. Effort has been expended into translating the GDPR into plain language, with a creative spin and visual sign-posts to make serious content more interactive to encourage them to read more (not just as a tick box exercise). Furthermore, they tailor information depending on the type of individual (employee, customer, supplier etc).”