Review all personal data you hold for employees and customers:
- Is it correct/up to date?
- Is it still relevant?
- How long should you keep it?
- When can it be securely deleted?
- Where is it securely stored and who has access to it?
Do you have a lawful basis for holding and processing the personal data? We have provided a few options here but you must be clear which ground is most appropriate:
- Consent – this requires specific and informed consent from individuals for a specific purpose, such as direct marketing campaigns. You must provide a clear ‘opt in’ and should always offer customers an ‘opt out’.
- Legal obligation – this is where you have an obligation laid down by law to obtain, process and store the data. A good example is employee records and your obligation to disclose salary data to HMRC.
- Legitimate interest – where appropriate this can be the most flexible lawful basis but you must be able to show that processing of the personal data is necessary for your legitimate interests, except where they are overridden by the interests or fundamental rights and freedoms of the individual. A good example would be the use and operation of CCTV, which will collect personal data to ensure you maintain a safe and secure environment. You must provide signage confirming that CCTV is in operation.
Review or prepare policies and procedures regarding the data you hold, taking the two points above into account.
Review customer records for reservations/bookings, which may include names, addresses and phone numbers.
ID verification: licensees have a legal obligation to implement age verification procedures and you should ensure you have clear policies in line with the above points.
The fundamental principles of the regulation relate to accountability and transparency and individuals’ rights with regard to how their personal data is used.
The Information Commissioner’s Office (ICO) has detailed advice guides on its website and also provides a helpline service on 0303 123 1113.
Read The Morning Advertiser's feature on data protection regulations here.