Getting information governance right

Information, whether it be commercially sensitive information about corporate plans or data relating to customers, is a major asset of most retailers.

Making sure you have adequate procedures and policies in place to protect data is critical for commercial success as well as compliance with legal requirements.

Alison Deighton, head of Data Protection & Privacy at national law firm TLT, recommends that retailers consider the following steps for a comprehensive information governance process. This process will assist with protecting assets and enabling the use of data in line with legal requirements:

  • Map out the categories of data held by your business and the commercial and legal significance of each category of data. For example, is the information commercially sensitive? Do regulatory obligations, such as the Data Protection Act, apply?
  • Ensure you understand the different ways through which information is generated and transferred. Where does data flow into and out of the business? Which types of data are generated internally and by whom?
  • Consider the steps that need to be taken to protect and comply with legal obligations for each category of data at every stage of its journey through your business. For example, if information is commercially sensitive, how do you ensure that access to data is restricted and that those who have access treat the information confidentially? Do you have confidentiality provisions in employment contracts? Do all consultants sign confidentiality agreements before they are given access to information?
  • In relation to regulatory obligations, ensure that you have adequate policies and procedures in place to protect information in line with legal requirements. Policies and procedures need to be backed up with regular training and compliance checks to ensure that employees are aware of the processes they should be following and are periodically monitored to ensure they are complying.
  • Operational procedures need to be complemented by adequate technical and practical security measures to protect data from unauthorised access. Ensure that you obtain advice from appropriate experts on technical security requirements.
  • As well as reviewing internal procedures, consider how you are complying with data protection obligations from the customer perspective. Do you have clear and transparent privacy notices in place to inform customers of how their data will be used? Are privacy policies on websites clearly signposted? Have you obtained adequate consent for all marketing activities, and do you provide easy-to-use and readily accessible opt-out procedures?
  • Aim to ensure that information governance obligations are embedded in the culture of your organisation by securing buy-in and leadership at a senior level.

To conclude

Failure to put in place adequate information governance processes can lead to loss of valuable assets, breach of regulatory requirements and ultimately loss of consumer trust. To prevent these consequences, seek assistance when drawing up an information governance programme for your business and get expert legal advice on data protection.

For more information please contact Alison Deighton, on 0117 917 8016/ Visit
