GDPR for the leisure and hospitality sector: five things bar and restaurant operators need to know
09 Feb 2018
On 25th May 2018, the General Data Protection Regulation (GDPR) will take effect. The GDPR will have a wide-ranging impact on almost every business operating in the UK and beyond and will raise particular issues for those businesses operating in the bar and restaurant sector.
The headline-grabbing fines (up to the higher of €20 million or 4% of global group turnover) will be the focus of many businesses in their approach to data protection. However, potential reputational damage and individual compensation claims should also be considered as risk factors alongside such fines.
The wide scope of the GDPR can be daunting and difficult to manage for many, so we have set out below five key steps to help bars and restaurants in kick-starting their GDPR compliance journey.
1. Review the personal data you are holding and create a data register. When carrying out this exercise you should consider, at least, the following questions:
• How are you using the personal data?
• How long have you held the personal data and how was it initially collected?
• What is your lawful basis for holding/using this personal data?
• Are there any transfers of the data to other companies/entities (whether within your group or outside of this)?
• Do you carry out any profiling or automated processing of the personal data?
• Does anyone process the personal data on your behalf?
2. Update your privacy policies/notices (or create them if you do not have them):
• The information gathered from your personal data audit will assist you with this.
• On collection of personal data, the GDPR requires certain information to be provided to individuals in a transparent, easily accessible way using clear and plain language. Such information should be tailored to the personal data the individual is providing to you. This means you may need different privacy policies for, by way of example, your reservations system, mailing list sign-up, competition entries, recruitment and Wi-Fi registration.
3. Communicate with individuals whose personal data you are holding:
• If you are relying on consent as your lawful basis for processing data, a ‘GDPR-compliant’ consent will be necessary to enable you to continue using the personal data following May 2018.
• This generally means consent will need to be “opt-in”.
• If you do need to contact individuals to refresh consent, you should ensure that you have a lawful basis under the existing Data Protection Act 1998 and, importantly, seize the opportunity between now and May 2018 to carry out this exercise (doing so afterwards could place you in breach of the GDPR).
• Consider offering incentives for responses to the email. There are legal requirements you will need to follow and advice should be taken on a bespoke basis.
• The GDPR provides that certain direct marketing may be carried out under the lawful basis of “legitimate interest” – and therefore that consent may not be required. This will, of course, depend on the specific marketing activities and would require a detailed analysis to determine the validity of this lawful basis for your marketing. We would recommend that further advice is sought if you propose to rely on this basis.
4. Review your Wi-Fi registration:
• Information used to register for free Wi-Fi access will constitute personal data, as will IP addresses collected through an individual’s use of Wi-Fi.
5. Remember, the GDPR impacts your employees too:
• Employee data (names, contact details, personnel records and (sometimes) email content) is personal data relating to your employees and will need to be dealt with in accordance with the provisions of the GDPR.
• Employees will need to be trained to ensure they comply with the provisions of the GDPR on your behalf. A high turnover of staff (as is the case for many bars and restaurants) makes having an effective training programme in place (and documentation of this) very important.
• Beware: unruly employees (even those who have had training) could place you in breach of the GDPR and subject your business to large fines – see the Morrisons case for a recent example of this.
The GDPR may seem daunting at first but it can be used as a positive way of communicating and building a relationship with your customers. If you would like further information in respect of the GDPR, please contact James Wall on 0161 838 7996.