The 4th July is upon us, and with it, the country’s “end of hibernation” in the words of Boris Johnson. For many of us, this also means finally being able to return to our favourite pubs, bars and restaurants for a drink which, after the last three months, it is safe to say has been well and truly earned.
As we all know, whilst this is a momentous occasion, the coronavirus has not disappeared. The risk of local flare ups of cases will only increase now that people have more freedom to meet and socialise with each other in different venues.
To mitigate this risk, the government is instructing pubs and other non-essential businesses to keep a record of all their customers so that they can be contacted and recommended to take a test and/or self-isolate if someone else at the venue tests positive for the coronavirus.
So far, there is a distinct lack of clarity about exactly what information businesses should be collecting, how they should collect it and how they should use it going forward. One thing is for certain though: by being required to collect such personal information, businesses are going to have to be more mindful of their obligations under the GDPR and Data Protection Act 2018.
This new data protection legislation has not only increased the obligations businesses have in relation to the personal data they process but also the size of the fines that could be imposed for non-compliance. It is therefore important that businesses understand what they are required to do in order to remain compliant with the law.
For some businesses which already operate a booking/reservation system, this may not be too much of a change from the norm, albeit they will likely be collecting more data on more customers as of 4th July. However, for the humble pub landlord or landlady, the new rules may require a significant change in their approach to data privacy.
Data privacy is a major concern for many customers and businesses will need to undertake an assessment of the current measures they have in place to ensure the security of any personal data they collect and implement changes where appropriate. For example, the days of keeping bookings in an open book behind the bar may well be numbered, as more businesses move to more data-secure online booking systems such as OpenTable or ResDiary.
Some businesses will be tempted to use the extra data they collect on their customers to send them marketing information. After all, these businesses have been unable to properly trade for months and will be keen to attract as many people as possible to help increase their cashflow and make up for the lean months of lockdown. However, the laws around marketing consents (particularly when it comes to members of the public) are stringent and businesses should seek to understand their obligations before pursuing such initiatives.
The other concern that businesses may have is how long they will need to retain customer data for. The law states very clearly that data should not be stored for longer than is necessary. If no cases are reported from customers attending a certain venue for a period of one month, the question arises as to whether the personal data of customers whose data was collected at the start of that month should be deleted as one would have expected people to develop symptoms of the coronavirus by that time. However, that has to be balanced against the risk of someone who catches the virus at the venue but is asymptomatic.
More guidance is certainly needed from central government to assist businesses in complying with the government’s instructions and data protection law. The Information Commissioner’s Office (the UK body responsible for data protection) has said it is “assessing the potential data protection implications of this proposed scheme and is monitoring developments”.
However, in the meantime, it would appear businesses will be left to work it out for themselves whilst trying to deal with the clamour for long awaited pints and proseccos.