GDPR comes into effect – what it means for your business

The biggest change to data protection in 20 years came into effect on 25 May 2018 with the introduction of the EU General Data Protection Regulation (GDPR). The NFRN explains what this means for your business and what you need to do to comply.

Are you an HND retailer or Store2Door member? Do you currently store the names and addresses of customers or staff on a PC or on paper? Do you also store any other details such as financial or banking information in the same way?

If you have answered yes to any or all of these questions then you may be considered an entity that handles personal information and you will need to comply with the General Data Protection Regulation (GDPR) which took effect on May 25.


So what exactly is the GDPR?

Businesses have an ever increasing need to use information about people and the government understands the need to increase the protection and rights of individuals in order to safeguard and respect their privacy. It is vital that organisations in the UK across all sectors recognise the need to protect the data rights of citizens.

The General Data Protection Regulation is a set of EU laws that are designed to promote responsible use of personal information within the UK. But this is originally an EU law, so with Brexit around the corner why do we even need to follow this legislation?

Even after Brexit comes into effect, UK and European businesses will still need to interact with each other in a responsible way. Whilst it is originally EU legislation, this regulation will still come into legal effect here in the UK on May 25 2018.

The UK government understands the need to have further safeguards in place and this legislation will be introduced alongside European law in order to establish effective communication between our countries.


Which government body is administering the GDPR in the UK?

The Information Commissioners Officer (ICO) is the governmental body that administers data protection laws in the UK. It is overseeing the current changes and implementation of the GDPR law.


If GDPR is about information, what is information?

Any information about a person’s physical, physiological, mental, economic, cultural or social identity in electronic or paper format is considered by this regulation.


What should I do?

If you are currently storing information about a person such as a staff member, individual business associate or any other personal information, on a PC, mobile phone, via email, or any other software linked to your business you may be required to register your details with the Information Commissioners Office (ICO), the governmental body that administers data protection laws in the UK.

And, if you offer HND or belong to Store2Door and you answered yes to the three questions posed earlier, you should also contact the Information Commissioners Office directly for more information on how GDPR affects your business and what you need to do.

You can contact the ICO Government helpline on 0303 123 1113 and select option 4 to be diverted to someone who can offer more support and guidance. Please note this is a government helpline and not an NFRN administered number.


What if my business does not comply?

Failure to comply with the GDPR can leave you in a bit of a pickle. Not only do you risk fines of up to £20 million, or 4 per cent of your organisation’s annual turnover (whichever is the greater figure), but it can also cause irreparable damage to your business’s reputation.


Here's how it affects you

To further help HND retailers who hold personal information about customers and rounds on their computer to stay compliant, we asked the main providers to outline what support or advice they can offer.

Most systems hold information about the titles required, frequency of delivery and monies owed. They will also include the names, addresses and holiday information about their HND customers. Other data stored could be telephone numbers or email addresses and some retailers may have customers’ bank details. All this information is counted as personal data and falls under the new GDPR requirements.

Here’s what the software providers had to say:

Retail Data Partnership: We have a programme to ensure compliance with GDPR on our HND and non-HND customers to cover our direct customers (retailers) where all data is encrypted. We are in the process of establishing procedures for supplying them with details of the data that we hold on them, and procedures for erasing their data at their request. We will be fully compliant by the deadline in May, as we have already completed most of the work on this.

PaperRound: We have undertaken a lot of development and process work on this extremely important subject including:

  1. Making sure that our cloud server on Amazon Web Services is very tightly secured and tested for security against penetration by an expert third party.
  2. Using encrypted data transfer between the cloud server and the newsagent device (the same as banking apps).
  3. Providing the newsagent with the ability to give a customer full details of their record held on PaperRound.
  4. Allowing the newsagent to comply with a request for deletion of personal data by anonymising the customer record. Information is retained for statistical and accounting purposes only.
  5. Automatic anonymising of customer records when there has been no delivery for six months.
  6. As the security of the data is only as good as the newsagent’s own security, PaperRound will provide all customers with a paper setting out security steps that a newsagent should take to protect access to customer data.

Norcon – Newslave: What we are doing:

  1. Customers have been advised they have to nominate a responsible person to manage this data, and to ensure compliance.
  2. We are pointing customers to reference points on the internet that give relevant information on how to comply by May 20 2018.
  3. We are emphasising that compliance is their responsibility.

We use Windows which has its own password protection function on each device. Furthermore, all our software programmes have the option for extra password protection at various security levels to suit the customer. We recommend all our users utilise these added security levels.

Reposs: This legislation is only for retailers that have account customers. If a store doesn’t have any account customers then they have no need to hold any personal information about their customers, although they would have to comply with any data on staff members held. All our data files are held in compressed code so if someone was to grab a file it would be pretty hard to obtain the data as access to the computer – assuming it is connected to broadband – is password protected and the hacker would need to get the user’s ID number and password. Not even we can get access without the retailer telling us his nine digit ID number.


What about CCTV?

CCTV is a complicated area because it falls within GDPR and other regulations and codes of conduct and is impacted by how and where you have your cameras.

The Information Commissioner’s Office (ICO) has a checklist designed to take you through the compliance issues

It can be found here:

The toolkit should help you identify any data protection issues, and shows, should the authorities ask, that you are addressing the issue in a sensible and methodical manner.

How is the NFRN tackling GDPR?

At the NFRN we are dedicated to protecting and respecting your privacy. We are registered and regulated by the Information Commissioners Office. The NFRN has been actively implementing changes throughout the organisation to meet the requirements, as laid down by GDPR law.

Basically, we ensure your data is protected, not misused in any unscrupulous way, never passed onward to an external organisation unless we have your permission, and only kept for as long as is necessary to supply you with the goods and services you have asked for.

When did GDPR take effect?

The General Data Protection Regulation took effect in the UK & Ireland on 25 May 2018.

Your responsibilities

We asked the NFRN Legal Helpline about the new data protection laws and what members who kept records of customers’ phone numbers, names and addresses and orders needed to do. This is what Lesley Attu, ARAG’s UK product development manager, told The Fed. “New Data protection laws will extend the rules for collecting, storing and using personal data.

“If you store this information electronically your business is already subject to Data Protection laws and you should have registered with the Information Commissioner’s Office (ICO). You can do this online in about 15 minutes at

“If you keep a paper record, you do not have to register, although you can if you wish. You should, however, stick to good practice for managing information.

“The new laws impose additional responsibilities on businesses that collect and use personal data and heavier fines if you break the law.”

More Information

The Information Commissioner’s Office (ICO) provides helpful guidance for small businesses to help them prepare for GDPR. Visit their website at or call their helpline on 0303 123 1113 and select option 4.