Data protection warning for hospitality sector

In the last few years, the processing of personal data by the hospitality and tourism industry has increased exponentially due to government regulations and guidance, such as track and trace, introduced to curb the spread of Covid.

It meant many restaurants, pubs and venues were thrown in at the deep end when it came to handling and securing personal data. It was a scary time, especially for smaller venues, as they focused on survival without a long-term understanding of the responsibilities associated with the data they collated on customers, visitors, and staff.

In the UK, data protection laws, including GDPR, are underpinned by a set of principles, such as ensuring that personal data collected is accurate and that only data which is necessary is collected.

If we go back to the beginning of 2021, data collected for contact tracing by restaurants, bars, and cafes served a clear purpose and, as a result, customers were more willing to hand over personal details. Now that the government has withdrawn its guidance for contact tracing, collecting this data is less relevant. Customers might therefore legitimately question why their data is still being stored and what it is used for. Businesses need to be able to answer that question honestly and openly.

When data is no longer needed, businesses should be safely deleting it. If you’re in this situation you may find it a good idea to set retention periods for contact tracing data and reminders for deletion.

Additionally, there must be appropriate security measures in place to ensure personal data is processed and stored safely. IT systems remain a constant target for hackers, and businesses will have a much bigger headache if their system is breached and it contains a large amount of ‘legacy’ data which could easily have been deleted months or even years earlier.

GDPR requires businesses to demonstrate ‘accountability’ for compliance purposes, meaning business leaders must take responsibility for ensuring best practice.

One of the more positive legacies from the pandemic is that those hospitality businesses who were able to evolve their processes to meet their new data protection responsibilities will find it easier to maintain a strong data protection and privacy framework.

However, those who fail to keep up could be at risk of reputational damage, fines, and even private claims because individuals are becoming more data-savvy and they understand their rights more than ever.

The moral of the pandemic has been safety first. We got through the past two years by minimising risk and that’s the important lesson we encourage you to take forward – don’t take a risk by not fulfilling your legal obligations. In some circumstances directors can be personally liable for data breaches or other failures.

If you’re struggling to keep up with your data and GDPR responsibilities, the friendly team of legal experts at Harper James offer a data protection health check, providing an action plan, training and support to ensure your business is compliant.