May 25 2018 is D-Day in Europe – or Data Day. Actually, to single out Europe is a bit of a red herring – the General Data Protection Regulation (GDPR) affects anyone anywhere in the world who controls or processes data of people living in the European Union.
That includes us – hard Brexit, soft Brexit or no Brexit. The UK is in when it comes to the GDPR. Our own Data Protection Bill currently going through the parliamentary process will encapsulate GDPR principles.
But what does it mean? For pubs, the new rules are bringing much tougher scrutiny of the way they handle customers’ data. How they gain consent, how this consent is recorded and what they then use that data for. Customers also have the right to see that data and ask for it to be deleted. And that’s before we mention the potential for huge fines if a business fails to robustly protect this personal data.
New charges dwarf current fines
The trade might want it to go away but there is no getting away from it. All businesses must comply.
Those who fail to do so risk a maximum penalty of €20m (£17.7m) or 4% of total global turnover for the previous year, whichever is highest.
A comparison with the potential penalties under the UK’s existing Data Protection Act 1998 is like comparing Smirnoff with water – a mere £500,000 maximum.
And while pub groups that accidentally ‘CC’ a bunch of customers’ email addresses, instead of ‘BCC’, might not want to be hit with the maximum fine, the huge potential penalty packs an important message – data breach is a serious business. Ignore the law at your peril.
Small and medium-sized pub operators would be wrong to think they are less likely to be hammered than the Mitchells & Butlers and Ei Groups of this world.
The GDPR is all about the size of the risk, not the size of the organisation, so no one should not be lulled into a false sense of security.
Data, for the purpose of the GDPR, is anything that can identify an individual.
Identifiers can be a name, number, location data, internet protocol (IP) address, or, potentially, even a description of a truly unique tattoo and its bodily location. It can also be “pseudonymised” information that can be linked back to specific people.
There has, undoubtedly, been much speculation and scaremongering and this has been partially because our own new Data Protection Bill has yet to complete the parliamentary process.
Right to store information
It may also be that a lot of people are trying to make an awful lot of money. Oliver Boardman, head of digital and IT at Fuller’s, says the number of technology providers that have “jumped on the bandwagon to offer magic solutions to GDPR is incredible”.
Richard Eden, senior operations manager at Upham Group, agrees. He says there are a lot of “consultants” charging “enormous fees”, but precedents will not be set until the first few cases emerge showing how far, in practice, people will have to go.
The purpose of the GDPR is to give people greater control over their data. They can ask for it to be edited, restricted or erased and they should be able to do this at any time.
It is incumbent on businesses to check that any third parties they use that handle their employees’ or customers’ personal data comply – whether it is a cloud computer service based in Tokyo or a marketing agency based in Hawaii.
When it comes to employee data, companies will have several lawful reasons for obtaining and processing their data, Poppleston Allen solicitor Richard Bradley says.
These include where details are necessary for the performance of a contract or for compliance with legal obligations such as those in relation to tax and payroll processing.
“Organisations should still have policies and procedures in place to ensure that only the required information is stored and that it is appropriately secured and destroyed where there is no longer a lawful reason to retain it,” Bradley says.
A request from an individual to have their information erased is not an unrestricted right because there could be a legitimate reason for data to be retained to comply with other legal obligations, Bradley adds.
“Operators must have a legitimate reason to collect personal information about their customers and obtain consent, where required to do so,” says Bradley.
“Importantly, consent must be freely given and customers (data subjects) must make a positive step when providing consent, which prevents automatic opt-in/sign-up by using pre-ticked consent boxes, for example. Where operators obtain consent they should store this for future reference.”
Richard Eden, senior regional operations manager at Upham Group, which owns pubs in Hampshire, Buckinghamshire, Sussex and Wiltshire, says the business has been preparing for the GDPR since autumn.
He thinks the ICO will adopt a ‘common-sense approach’ to enforcement.
“We’ve mainly been looking at the IT side of it, making sure all our data is encrypted from sites to our servers at head office.
“If a customer says they want us to wipe all their data, that’s fine; we can do that and that’s fairly simple.
“The main area where it’s going to come into effect is for customers, but standard data protection policy already requires people to sign in for marketing. The only difference now is that you have to sign in per category, so you’ll end up with four or five different boxes.”
Eden thinks the GDPR is “fairly low risk” for “a relatively small business” but Upham will put in a policy to ensure it is following the rules to the best of its understanding.
“I imagine some very large companies are really going to struggle with it because the data is going to be held in so many different places,” says Eden.
Bradley says several areas may be of particular importance to pub operators, such as:
- Direct marketing campaigns: consent must be freely given for this purpose
- ID verification: operators have a legal obligation to implement age verification procedures but if copies of ID documents are retained, for example by an ID scanner, operators must review what is stored, ensure it is secure and record how long the data is kept before deletion
- CCTV recording: CCTV footage may be retained for the prevention and detection of a crime, and licensees may have a condition on their premises licence that requires storage for a minimum period, such as 31 days. All footage must be securely stored and deleted when no longer required. Customers must also be informed where CCTV is in operation
- Customer reservations/bookings: diaries might be kept, which contain customer names and contact details (table reservations, for example). Operators must remain vigilant as to who has access to this information and how long it is retained. Customers may not be pleased if their personal information is kept for weeks or months after visiting the premises.
Bradley advises that marketing campaigns should always be permission-based and a clear explanation provided as to what information will be used for.
“Customers should be provided with a simple method by which they can opt out of marketing messages, and a clear system for dealing with complaints should be implemented.”
The Information Commissioners Office (ICO), the regulator for this area of legislation, says businesses must appoint a data protection officer (DPO) if they carry out “large-scale” systematic monitoring of individuals. Such monitoring could include online behaviour tracking.
Or they might carry out large-scale processing of special categories of data – such as race, ethnic origin, religion, trade union membership, sexual orientation – where permission must have been given to collect these for one or more purposes. The same applies to data relating to criminal convictions and offences.
The ICO points out, however, that an organisation must have sufficient staff and skills to discharge its obligations under the GDPR, whether it is obliged to appoint a DPO or not.
Fuller’s Boardman believes the GDPR is “a very well intentioned piece of legislation” and the group endorses the need to protect individuals’ privacy.
“But the scope is also very broad and we are working through our processes and systems in priority order,” he says.
Fuller’s is looking at what constitutes personal data in the context of running a business. “We have trading relationships with business customers where some of the personal data is in the public domain, but some is not.”
The only safe way of dealing with this is to view all data as personal, says Boardman, but this extends the scope.
“Think about mobile phones – we all have business contacts and process data every time we make a phone call. We need to ensure that we keep the intent of the legislation in mind which is to keep private data private.”
While some talk about ‘grey areas’ of the legislation, Boardman says: “This isn’t just about grey areas, it is also about the fact that so much is covered by the regulation and the reasons for processing data are so broad – communicating with customers, managing employees, booking hotel rooms and selling online.
“Many of these processes are reliant upon integrated third-party suppliers, each of whom needs to understand the impact of GDPR on their business before a common understanding can be reached on what needs to be done.”
However, he adds that we live in a digital world where data is a fundamental part of running a business and it is right that this data is processed appropriately and this is an opportunity to give it some focus.
“I think once the deadline is out of the way, the hype may reduce and hopefully a new norm of standards will be reached.”
Fuller’s is currently discussing the appointment of a DPO, assessing the merits of doing this in-house or outsourcing it.
It is likely to give employees in key data processing roles face-to-face training but Boardman says it is important that all employees understand the importance of data privacy.
“There is likely to be an element of face-to-face in this but we have recently launched a digital internal communication and learning tool for all of our employees – Fuse.
“This gives us a way of communicating both structured learning and also little and often communication which will be a great way of reinforcing the message.”
The British Beer & Pub Association (BBPA) has highlighted ICO guidance about compliance to its members.
BBPA chief executive Brigit Simmonds says: “As an association, we are employing consultants to ensure that we comply with the regulations too but, of course, most of our data is held in support of our member companies and not for commercial gain.”
Putting the consumer first
Kate Nicholls, chief executive of newly formed UKHospitality, notes “concern” among businesses, and stresses there will be no option to pass down liability to agents and third parties.
“The GDPR fines are also a particular worry for hospitality businesses as they will be calculated as a percentage of turnover. In a relatively high-turnover, low-net-profit-margin sector, this is going to be critical,” she says.
Poppleston Allen’s Bradley says the important thing is not to panic.
“The elevated fines that could be applied for breaches of the GDPR have been well advertised, but the aim of the new legislation is not about fines but about putting the consumer and individual first,” he says. “The ICO has been clear that it is committed to providing continued advice and guidance.”
More information: The Information Commissioner's Office website has a handy 12-step guide to help you prepare for GDPR and a checklist to avoid getting caught out.