Pints, Chips, Ice Cream.......and data protection
Data protection headaches for business owners in the hospitality sector, as lockdown is eased.
The reopening of pubs, restaurants, and some other hospitality venues was a great relief for businesses that have suffered during the lockdown. But to state the obvious, the “new normal” that has followed the easing of CONVID-19 restrictions is quite different from anything that we have experienced before. This is especially so as the law now requires hospitality venues to provide personalised service, ensure numbers of customers are restricted, and tables are pre-booked and well-spaced.
But perhaps the one obligation which is totally alien to those working in the hospitality sector is the requirement for pubs, bars, and restaurants to collect personal data from their customers before they can purchase their pint or meal. This is a new kind of obligation, and one that carries with it a new and onerous burden for business owners.
As part of the Track & Trace system, businesses are being asked to gather arrival and departure times of customers, as well as their email addresses and telephone numbers. The information must be stored for 21 days.
This level of data cllection is entirely new for businesses, and it is essential that the General Data Protection Regulation (GDPR) is adhered to. Not doing so could have costly consequences, not just in terms of significant fines, but also because of the resulting adverse publicity. Reputation is everything.
At a time when revenues and profit margins are in the sector are being squeezed like never before, businesses need to be very cautious and ensure they do not to fall foul of the GDPR when handling the personal data of their customers.
But how can this be achieved?
There are basic principles that must be complied with, which include:
- storing the data securely;
- don’t use the data for other purpsoes;
- be transparent with customers, for example by displaying a clear data protection policy; and
- destroying the data in a suitable and timely manner.
In addition, it is crucial that should a data breach occur, the Information Commissioner’s Office (which regulates data protection law in the UK) is notified. Failing to tell the ICO about a notifiable breach is itself an offence which can also attract a fine.
It is imperative that the personal data being collected is NOT used for any other purposes, for example direct marketing, profiling, or data analytics. And it goes without saying that businesses must absolutely ensure that they and/or their staff do not use personal date for unauthorised or criminal purposes, which has already happened in some countries.
As a rule of thumb, businesses which handle all the personal data they have collected in a reasonable and sensible way, have nothing to be concerned about. The ICO is usually pretty understanding when it comes to minor, unintentional, breaches of the GDPR.
For example, last week, the ICO’s Deputy Chief Executive said this:
We appreciate the challenge that many small businesses face in introducing unfamiliar arrangements at speed. Our focus is on supporting and enabling them to handle people's data responsibly from the outset and, while we will act where we find serious, systemic or negligent behaviour, our aim is to help the thousands of businesses that are doing their best to do the right thing.
But a significant, intentional, or easily avoidable failure to comply with the strict rules surrounding the collection and retention of personal data is a serious matter, and businesses who flout data laws do so at their peril. The ICO will not be so lenient in these kinds of situations.
More red tape at this difficult time is hardly what businesses need. But believe me, the admin that the new regulations require is nothing when compared to the worry and costs of an ICO investigation!