The loosening of the Covid-19 lock-down in the leisure, food & drink sector in England from 4 July has come as a welcome relief to businesses (and the general public). But that relief is already qualified by concern about logistical arrangements for re-opening. As well as meeting the challenge of ensuring effective social distancing for customers and employees, many businesses will need to brush up on their data protection awareness.
The government’s high-level guidance for pubs, bars and restaurants is asking owners and operators in England to keep a temporary record of customers’ contact detail for 21 days.
The government has said that it will give detailed guidance “shortly” on how businesses in England should design their customer data collection to be compliant with law. That means businesses are being encouraged to re-open with little more than a week’s notice, and deploy new, potentially invasive, personal data collection arrangements, with no clear direction on what is expected of them in data protection terms. It is also unclear how data collection will be expected to link into the government’s much-delayed track and trace operation, adding another layer of confusion.
With so much uncertainty, and without government guidance, there are some basic steps that are key to achieving GDPR compliance for any leisure sector business preparing to re-open.
Before asking its customers for their personal data, a business should:
• Have in place clearly documented procedures for how it will collect, store, and dispose of customer personal data, and ensure all staff are aware of and follow those procedures.
• Consider if a formal data protection impact assessment is necessary, particularly if deploying new technology (such as booking or ordering software, or venue sign in systems), prior to re-opening, and take any remedial steps identified by that assessment.
• Make sure any contracts with 3rd party suppliers for new IT systems contain all the clauses required under Article 28 of the GDPR.
• Prevent customer personal data collected for compliance with Covid-19 requirements from being used for any other purpose (such as marketing) unless a lawful basis for that use has been properly established.
• Establish if the personal data being collected includes any ‘special category’ personal data (this may be a particular issue for pubs, bars and restaurants targeted at LGBT+ or disabled customers, for example), and what extra steps are needed as a result; and
• Ensure accurate privacy notices have been provided to all customers when their personal data is collected, and any consents obtained are properly recorded and auditable.
Apart from the legal hurdles, businesses have already started to identify practical problems with the re-opening arrangements which are likely to make compliance with the GDPR even more difficult:
• With individual’s conscious that being identified as having been in contact with Covid-19 is likely to lead to mandatory self-isolation, many operators see it as unlikely customers will co-operate with registration arrangements. This risks leaving them with half-complete or inaccurate personal data, and possibly disorder problems if customers are refused entry.
• It is unclear so far how (if at all) operators will be expected to transfer personal data they collect to the government’s track and trace operation, which makes it difficult to provide accurate privacy notices to customers at the point of collection of their personal data.
• There is already a proliferation of ‘quick fix’ table ordering apps being sold online, with often spurious or non-existent data protection information – the use of any such app would expose the company deploying it to a real risk of having non-compliant technical and organisational measures, and breaching the GDPR.
As with the earlier iterations of Covid-19 regulations and guidelines, businesses now have to play a waiting game – with formal guidance coming days or weeks after a Number 10 political announcement, leaving little time for proper preparation.
Despite that delay, the imminent re-opening affords businesses the chance to perform a quick health-check on their overall GDPR compliance to help inform an understanding of the next steps they need to take. And as long as those businesses take reasonable steps to ensure GDPR compliance, it would seem highly unlikely that the ICO would take enforcement action if their arrangements when they re-open do not follow to the letter government guidance which has not yet been issued.