Hospitality operators: how to stay GDPR compliant when reopening
22nd September 2020 - Published by Kuits data protection team
On Saturday 4th July, after 102 days in lockdown, the leisure and hospitality sectors reopened to the public, and were required to implement the safety measures set out in the government’s guidance.
One of these measures is the requirement to collect customers’ and visitors’ personal information to assist with the UK’s contact tracing efforts. This measure was made law on 18 September 2020.
How to stay compliant
Below, we have outlined some simple steps operators should follow to stay compliant with data protection laws when collecting customer and visitor data for this purpose:
- What information do you need to collect? You are required to collect every single person’s information and not just, as some operators had been doing, the contact details of the lead person. You should collect their name, contact phone number (or, if no phone number is available, email address or, if no email address is available, postal address) and date and time of visit. If the customer is part of a group, you should also record the number of individuals in that group. If the customer will interact with only one staff member, the name of that staff member should be noted in the record. By 24 September, you will need to provide customers with the option of scanning a QR code rather than providing this information directly to you.
- Tell customers how their information will be used. Your privacy notice should set out:
  - Your business’ name and contact details;
  - The information you’re collecting;
  - The fact that the information will be used for track and trace purposes and may be shared with NHS contact tracers, if requested;
  - The fact that your lawful basis for processing is compliance with a legal obligation; and
  - How long the information will be kept (see below).
- You should not use the personal data for any purpose other than to comply with a valid request to assist the UK’s track and trace efforts. You should not add these people to your marketing databases.
- Ensure you securely store the data you collect. If you collect the personal data on a computer, iPhone or tablet, make sure this has a secure password to access it. In addition, if a number of employees have access to the device, store the personal information in a drive which only a small number of those employees have access to. If you will be storing the personal information on paper records, make sure you lock these paper records away when not being used and do not leave them in public view.
- Erase the data after 21 days – you are not permitted to hold this personal data for any longer than the 21-day period, starting on the day the personal data was collected. If you have collected the personal information digitally, delete all files from your desktop, recycle bin and back-up cloud storage. If you have hard copies of the personal information, ensure that you securely shred all paper documents.
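As an added illustration (not part of the Kuits article, and not a Kuits tool) of the "collect only what you need" and "erase after 21 days" steps above, the following Python script keeps a small visitor log, drops any field outside the listed set when a record is taken, and flags records for erasure once their retention period has elapsed. The field names, the sample entries and the assumption that the collection day counts as day 1 of the 21 are all constructed here; records with a missing or unreadable collection date are treated as due for erasure because their retention cannot be shown.

```python
"""Added example: a minimal contact-tracing log that applies two rules,
collect only the listed fields and erase each record once the 21-day
period has passed. Field names and sample entries are constructed."""
from datetime import date, datetime, timedelta

# Fields the guidance says to record; anything else is discarded on ingest
# so the log cannot quietly turn into a marketing database.
ALLOWED_FIELDS = {
    "name", "phone", "email", "postal_address",
    "visit_time", "group_size", "staff_member",
}
CONTACT_FIELDS = ("phone", "email", "postal_address")  # order of preference
RETENTION_DAYS = 21  # counted from the day of collection


def minimise(entry: dict) -> dict:
    """Keep only the fields the guidance asks for.

    Assumption: one contact method is enough, preferring phone, then email,
    then postal address, so lower-preference ones are dropped when a
    higher-preference one is present.
    """
    record = {k: v for k, v in entry.items() if k in ALLOWED_FIELDS and v}
    for preferred in CONTACT_FIELDS:
        if record.get(preferred):
            record = {k: v for k, v in record.items()
                      if k not in CONTACT_FIELDS or k == preferred}
            break
    return record


def expired(collected_on: date, today: date) -> bool:
    """True once the 21-day period has elapsed.

    Assumption: the collection day counts as day 1, so a record collected on
    1 September may be held up to and including 21 September and must be
    erased from 22 September onwards.
    """
    return today >= collected_on + timedelta(days=RETENTION_DAYS)


def purge(log: list, today: date):
    """Split the log into records to keep and records to erase.

    A record whose collection date is missing or unparseable cannot be
    shown to be within retention, so it goes on the erase list (a
    deliberate fail-safe choice made in this example).
    """
    keep, erase = [], []
    for rec in log:
        try:
            collected = datetime.fromisoformat(rec["visit_time"]).date()
        except (KeyError, TypeError, ValueError):
            erase.append(rec)
            continue
        (erase if expired(collected, today) else keep).append(rec)
    return keep, erase


def purge_on(log: list, today_iso: str):
    """Convenience wrapper taking the current date as an ISO string."""
    return purge(log, date.fromisoformat(today_iso))


# Constructed sample entries: the first carries an extra marketing field and
# two contact methods, the third has no usable collection date.
SAMPLE_LOG = [minimise(e) for e in [
    {"name": "A. Diner", "phone": "07700 900001", "email": "a@example.com",
     "visit_time": "2020-09-01T19:30", "group_size": 4, "marketing_opt_in": True},
    {"name": "B. Guest", "email": "b@example.com", "visit_time": "2020-09-10T12:00",
     "group_size": 1, "staff_member": "S. Server"},
    {"name": "C. Walkin", "phone": "07700 900003", "visit_time": "not recorded"},
]]


if __name__ == "__main__":
    keep, erase = purge_on(SAMPLE_LOG, "2020-09-22")
    print("keep :", [r["name"] for r in keep])
    print("erase:", [r["name"] for r in erase])
```

Run it daily (for example from a scheduled task) and act on the erase list: delete the digital records from every copy, including backups, as the guidance requires, rather than only from the working file.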
What if someone refuses to provide their data for this purpose?
It is now mandatory by law for all hospitality businesses to collect contact details from customers to assist the NHS Test and Trace programme and operators are required to take all reasonable steps to prevent entry by a person who has not provided this information. We have published the full details here.
If you would like any specific advice in respect of the compliance of your business, please contact James Wall in the Kuits data protection team at firstname.lastname@example.org or on 0161 838 7996.