What should businesses be doing to uphold privacy laws?
Two years after it became regulation, GDPR is a term that is familiar to most of us. For many businesses, it has become part of normal working practices to understand the data we use, how we store it and the risks we take if we fall outside of the regulations.
But, like many things over the past few months, GDPR is about to take on a whole different meaning for some businesses and the people who work in them. One sector that will have to think quickly and carefully about GDPR, and about the implications of non-compliance, is hospitality.
What is GDPR?
To summarise the regulation, the General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy. At the core of GDPR are seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
The pubs are reopening!
On 23rd June, Boris Johnson announced that pubs, along with other sectors of hospitality, would be able to reopen, but under stricter guidance, including the gathering of customer data to assist the NHS test and trace operation. Although many sectors of hospitality have been gathering customer data for some time and have had over 2 years to adapt to GDPR, for many pubs and their employees this is not a regular occurrence, and there are fears that GDPR may well be overlooked while businesses focus on the nuts and bolts of getting back to work.
What can pubs do to ensure they are complying with GDPR?
At Amdas, we are quite good at hunting out information, but try as we might, we could not find any official guidance for pubs, not even on the ICO website. That said, the ICO does publish data protection steps for organisations regarding Coronavirus recovery, so this is as good a place as any to start. In brief, the guidance is:
Only collect the data that the NHS test and trace operation requires. Do not use this as an opportunity to gather information about your clients for unsolicited marketing purposes.
Inform customers how and why their data is being stored.
Pub owners are being asked to keep a temporary record of customers for 21 days. Do not store data for longer than is necessary.
Keep the data you gather securely.
Only use the data you take for the purposes you outline when informing customers as to why you are taking it. In this instance, it is purely for the NHS test and trace.
Ensure that you have clear guidance for staff on what data they need to take from customers, what they need to tell customers, and what to do with that data once it has been taken.
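The guidance points above map onto three technical controls: collect only the fields the tracing operation needs (data minimisation), release the register only for the purpose customers were told about (purpose limitation), and delete records once the 21-day retention period has passed (storage limitation). The following Python module is an added example, not code from the original article, the ICO or the NHS; the 21-day period and the test-and-trace purpose come from the article, while the field names, the register class and the in-memory storage are assumptions for illustration. A real deployment would persist the register under access control rather than in memory.

```python
"""Minimal customer contact register for NHS test and trace (added example).

Enforces three of the guidance points in code: only permitted fields are
stored, the register is only readable for the declared purpose, and records
are purged once they are older than the retention period.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Union

# From the article: a temporary record kept for 21 days, purely for test and trace.
RETENTION_DAYS = 21
PERMITTED_PURPOSE = "nhs-test-and-trace"

# Assumed minimal field set for this example; not an official NHS schema.
ALLOWED_FIELDS = frozenset({"name", "phone", "visit_date", "arrival_time"})
REQUIRED_FIELDS = frozenset({"name", "phone"})

DateLike = Union[date, str]


def _to_date(value: DateLike) -> date:
    """Accept either a date or an ISO string such as '2020-07-04'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass(frozen=True)
class ContactRecord:
    data: Dict[str, str]
    collected_on: date
    purpose: str = PERMITTED_PURPOSE  # recorded so later use can be checked against it


class ContactRegister:
    """In-memory register; persistence and access control are out of scope here."""

    def __init__(self) -> None:
        self._records: List[ContactRecord] = []

    def add(self, data: Dict[str, str], collected_on: DateLike) -> ContactRecord:
        # Data minimisation: refuse anything beyond what contact tracing needs,
        # e.g. a marketing opt-in slipped onto the same form.
        extra = set(data) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"fields not needed for test and trace: {sorted(extra)}")
        # Accuracy/usability: a record nobody can be contacted from is worthless.
        missing = REQUIRED_FIELDS - set(data)
        if missing:
            raise ValueError(f"record unusable for tracing without: {sorted(missing)}")
        record = ContactRecord(data=dict(data), collected_on=_to_date(collected_on))
        self._records.append(record)
        return record

    def count(self) -> int:
        return len(self._records)

    def purge_expired(self, today: DateLike) -> int:
        # Storage limitation: a record is kept for RETENTION_DAYS after the day it
        # was collected (inclusive) and deleted on the first purge run after that.
        cutoff = _to_date(today)
        keep = [r for r in self._records if (cutoff - r.collected_on).days <= RETENTION_DAYS]
        purged = len(self._records) - len(keep)
        self._records = keep
        return purged

    def export(self, purpose: str) -> List[Dict[str, str]]:
        # Purpose limitation: only the purpose customers were told about may read
        # the register; any other request is refused rather than logged and allowed.
        if purpose != PERMITTED_PURPOSE:
            raise PermissionError(f"register may not be used for {purpose!r}")
        return [dict(r.data) for r in self._records if r.purpose == purpose]


if __name__ == "__main__":
    register = ContactRegister()
    # Constructed sample entry, not real customer data.
    register.add({"name": "A. Customer", "phone": "07700 900000"}, "2020-07-04")
    print("records:", register.count())
    print("purged after 22 days:", register.purge_expired("2020-07-26"))
```

Run the purge daily (for example from a scheduled job) so that the 21-day limit is enforced automatically rather than relying on staff to remember; the `export` check is the code-level counterpart of the article's warning not to reuse the data for unsolicited marketing.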
For some larger pub chains, technology may well play a part in GDPR compliance, and there are more than likely already systems in place to ensure it. But for smaller chains and independent pubs, paper may form the basis of how this data is collected. If this is the case, you need to consider creating individual forms for customers to complete, and have a secure space where this data is kept at all times and is not accessible by anyone other than your staff.
There is nothing ‘simple’ about GDPR, and we hope that in the coming days there will be more specific, detailed information from the government to help businesses with this aspect of reopening. The hospitality sector, like many businesses, has suffered considerable financial losses during the last 3 months, and now, with hope on the horizon, not taking a close look at how you manage data privacy could see you slapped with an unwelcome fine.