
GDPR and Customer Reviews: What UK Businesses Actually Need to Know

By Michael Latham

GDPR and customer reviews occupy an odd space. Most businesses either panic about it (and do nothing for fear of getting it wrong) or ignore it entirely (and stumble into problems they didn't see coming). The reality sits somewhere more manageable than either extreme, and according to ICO enforcement data, review-related complaints make up a tiny fraction of the cases they actually pursue.

This isn't legal advice. If you're dealing with a specific complaint or ICO inquiry, talk to a solicitor. But here's the practical guidance that covers 90% of what UK small businesses need to know about reviews and data protection.

Key Takeaways

  • Review data is personal data under UK GDPR, even when posted publicly
  • "Legitimate interest" is usually the right lawful basis for review management (ICO guidance on legitimate interests)
  • Never reveal customer details in public responses that the reviewer didn't share themselves
  • Soft opt-in lets you email existing customers for reviews without explicit consent under PECR

What Counts as Personal Data in a Review?

A customer review contains personal data whenever it includes information that could identify a person. The reviewer's name, their account profile, specific details about their experience ("I came in with my daughter on her birthday"), location data, photos. All personal data under UK GDPR.

Here's what trips people up: even if the reviewer posted the review publicly and voluntarily, it's still personal data. The fact that someone chose to share something publicly doesn't remove your obligations as a data controller if you collect, store, or process that information.

When you pull reviews into a management platform, aggregate them into reports, or store them in a CRM, you're processing personal data. You need a lawful basis for doing so. The ICO defines personal data broadly, and a 2023 survey by the DMA found that 67% of UK consumers expect businesses to handle their review data with the same care as any other personal information (DMA, 2023).

Why "Legitimate Interest" Is Usually Your Best Lawful Basis

UK GDPR gives you six lawful bases for processing personal data. For review management, the one that almost always applies is "legitimate interest."

Your legitimate interest is straightforward: monitoring and responding to customer feedback to maintain service quality and business reputation. The ICO has specifically acknowledged that businesses have a legitimate interest in processing publicly available personal data for reasonable business purposes (ICO legitimate interests guidance).

You still need to pass the three-part legitimate interest assessment (LIA):

  1. Purpose test: Is there a genuine business reason? Reputation management, service improvement and customer engagement all qualify.
  2. Necessity test: Do you need to process this specific data to achieve that purpose? You can't manage reviews without reading their content, which includes personal data.
  3. Balancing test: Do the individual's interests, rights and freedoms override your interest? Generally not, since the reviews are already public and the reviewer chose to share the information. But this can shift if you do something the reviewer wouldn't reasonably expect with the data, such as profiling them or adding them to a marketing list.

Then document the outcome: a one-page record of your reasoning for each of the three tests. Keep it on file. The ICO can ask for it, and the accountability principle means you need to be able to show you did the assessment, not just that you reached the right answer.

What You Can and Can't Say When Responding Publicly


When you respond to a review publicly, you're publishing information in a public forum. Get this wrong and you've got a data protection problem on top of an unhappy customer.

Don't reveal additional personal information about the reviewer. If a customer named "John S." leaves a negative review about a dental appointment, you can't respond with "We're sorry about your root canal treatment on 14 March." You've just published a specific date and the nature of a medical procedure, information the customer didn't share. Health data is special category data under UK GDPR, so disclosing it publicly without a lawful basis and an Article 9 condition is an unauthorised disclosure: a personal data breach, and one you may have to report to the ICO.

Don't confirm someone is your customer if they haven't identified themselves as such. If someone reviews under a pseudonym and you respond with "We can see from our records that you visited on [date]," you've linked their anonymous review to your customer database in a public space.

Do keep responses general about the customer and specific about your actions. "We're sorry about your experience. We've reviewed our procedures and made changes" is safe. It addresses the concern without revealing anything about the individual.

Do move detailed discussions offline. "I'd like to look into this further, please email us at [address]" is both good customer service and good data protection practice. For more on response techniques, see our guide to responding to negative reviews.

How Long Should You Keep Review Data?

If you're using a review management platform, you're storing copies of review data. UK GDPR requires you to keep personal data only as long as you need it for your stated purpose.

For most businesses, keeping reviews for the lifetime of the business listing is reasonable. Reviews are an ongoing record of your reputation, and platforms like Google keep them indefinitely anyway. But if you're exporting customer data from reviews into other systems (CRM, marketing lists, spreadsheets), you need to think about whether that additional storage is necessary and proportionate.

Practical guidelines:

  • Review content and ratings: Retain as long as the review exists on the source platform. If a reviewer deletes their review on Google, remove it from your system too.
  • Customer contact details extracted from reviews: Only keep these if you have a specific, documented reason. "We might want to contact them someday" isn't sufficient.
  • Analytics and aggregated data: Once review data is genuinely anonymised into statistics (average rating, sentiment trends, common themes), it's no longer personal data, and you can keep it as long as it's useful. The caveat is that it has to be truly anonymous: a "sentiment trend" for a month with three reviews, or a "common theme" that quotes a distinctive phrase, can still point back to an individual. That's pseudonymised personal data, not anonymous data, and it stays in scope.

Can Customers Force You to Delete Their Review Under GDPR?

This causes the most confusion. A customer contacts you and demands you "delete their review under GDPR." What do you actually need to do?

If the review is on a third-party platform (Google, Trustpilot, Facebook), you don't control that data. The platform is the data controller for reviews on their servers. The customer needs to contact the platform directly to request removal, or delete it themselves.

If you've copied the review into your own systems, the customer can make a right to erasure request (Article 17) for the data you hold. You'd need to delete their review data from your platform unless you have an overriding legitimate interest, which, for a standard review, you probably don't.

If the review contains defamatory content, the analysis is different and you should get legal advice. But for standard review management, respect erasure requests for data you control and redirect customers to platforms for data you don't.

Sending Review Requests: The Consent Question

Sending review requests by email or SMS involves electronic marketing rules under PECR (Privacy and Electronic Communications Regulations), which sits alongside GDPR.

Good news: if someone is an existing customer and you're asking them to review a service they've already received, this falls under the "soft opt-in" exception. You don't need explicit consent, provided:

  • You obtained their email or phone number during the course of a sale or service
  • The review request relates to the service they received
  • You gave them the opportunity to opt out when you first collected their details
  • Every message includes an easy way to unsubscribe

If you're contacting people who aren't existing customers, you need explicit consent. But since you're asking for reviews of services already rendered, this scenario rarely applies. For more on asking for reviews without the awkwardness, see our guide to review generation.

One thing to watch: automated review request platforms that send messages on your behalf are processors under GDPR. Make sure your data processing agreement with the platform is in order.

What Your Privacy Policy Should Say

Infographic: GDPR Compliance Checklist for Reviews (based on ICO guidance for UK businesses)

  • Document your legitimate interest basis for processing reviews
  • Update your privacy policy to cover review collection and responses
  • Train staff on GDPR-safe review response practices
  • Verify your review platform has a valid Data Processing Agreement
  • Establish a process for handling erasure (right to be forgotten) requests
  • Include unsubscribe options in all review request communications

Your privacy policy should mention review management if you're using any tools to collect, aggregate, or analyse reviews. Specifically:

  • State that you collect and process review data from public platforms
  • Name the platforms you monitor (Google, Facebook, Trustpilot, etc.)
  • Identify "legitimate interest" as your lawful basis
  • Explain how long you retain review data
  • Provide contact details for data subject requests
  • If you use a third-party review management tool, name it as a data processor

Most template-generated privacy policies miss the review management angle entirely. Adding a short paragraph covers you. If you're monitoring reviews across Google Business Profile, Facebook, and Trustpilot, mention all of them.

The Practical Checklist

Here's what most UK small businesses need to do, in order of priority:

  1. Document your legitimate interest assessment for processing review data. One page is fine.
  2. Update your privacy policy to mention review collection and monitoring.
  3. Train staff on public responses: no revealing personal details, no confirming customer identity, move detailed discussions offline.
  4. Check your review platform's DPA (data processing agreement) is signed and current.
  5. Have a process for erasure requests: know what data you hold and how to delete it.
  6. Include an unsubscribe option in all automated review request communications.

That's it. Six items, most of which take under an hour to sort out. GDPR and reviews isn't the minefield people imagine. It's a short checklist that, once completed, lets you manage your reviews with confidence.

Frequently Asked Questions

Do I need consent to reply to a customer's Google review? No. Responding to a publicly posted review is a legitimate business activity. Just don't reveal personal information the customer didn't share in their review.

Can I use review data for marketing purposes? Aggregated, anonymised data (average ratings, sentiment trends) is fine. Quoting individual reviews in marketing materials requires more care, particularly if the reviewer is identifiable. Best practice: ask permission before using a specific review in promotional material.

Does GDPR apply to reviews left by business customers (B2B)? If the review identifies an individual (named employee, sole trader), yes. If it's purely about a company with no personal identifiers, UK GDPR doesn't apply. But most reviews mention people by name.

What happens if I get a Subject Access Request about review data? You have one month to respond, extendable by up to a further two months if the request is complex or you've received several from the same person (tell them within the first month if you're extending). Provide all personal data you hold about the individual, including review content stored in your systems, any notes staff have added, and communication history related to the review. Redact other people's personal data (for example a staff member named in internal notes) unless it's reasonable to disclose it. And remember that internal notes about a reviewer are disclosable, so write them as if the reviewer will read them.


Reviewdar is built with UK data protection requirements in mind, with data processing agreements and retention controls included. See how we handle review data →

Ready to transform your review management?

Join thousands of UK businesses using Reviewdar to manage their online reputation.