How pubs can stay on top of GDPR

By Poppleston Allen


Core values: The fundamental principles of GDPR relate to accountability, transparency and individuals’ rights
Implementation of the General Data Protection Regulation (GDPR) on 25 May 2018 will affect all organisations, from head office level down to individual premises. While this is a complex area, below are some general comments:

Review all personal data you hold for employees and customers:

  • Is it correct/up to date?
  • Is it still relevant?
  • How long should you keep it?
  • When can it be securely deleted?
  • Where is it securely stored and who has access to it?

Do you have a lawful basis for holding and processing the personal data? We have provided a few options here, but you must be clear which ground is most appropriate for each purpose:

  • Consent – this requires specific, informed and freely given consent from the individual for a specific purpose, such as a direct marketing campaign. You must provide a clear ‘opt in’ (pre-ticked boxes do not count) and should always offer customers an easy way to ‘opt out’ or withdraw consent later;
  • Legal obligation – this is where you have an obligation laid down by law to obtain, process and store the data. A good example is employee records and your obligation to report salary data to HMRC;
  • Legitimate interest – where appropriate this can be the most flexible lawful basis, but you must be able to show that processing the personal data is necessary for your legitimate interests, and that those interests are not overridden by the interests or fundamental rights and freedoms of the individual. A good example would be the operation of CCTV, which collects personal data to help you maintain a safe and secure environment. You must provide signage confirming that CCTV is in operation.

Review/prepare policies and procedures regarding the data you hold in consideration of the above two points.

Privacy policy – this must provide a summary of the types of information you hold, how you use it, how it is stored, how long it is stored for and who to contact at your organisation about data protection. The policy should make clear that customers have the right to request what information you hold about them, the right to have any incorrect information amended and the right to have their personal data erased. Erasure is not an unrestricted right, as you may have a lawful ground for retention, such as a legal obligation. Where relevant, privacy policies must be readily available on your website.

Review customer records for reservations/bookings, which may include names, addresses and phone numbers.

ID verification: licensees have a legal obligation to operate age verification procedures. Checking a document at the door generates little personal data, but scanning or photocopying ID does, so you should ensure you have clear policies, in line with the points above, covering what is recorded, why, and for how long.

The fundamental principles of the regulation relate to accountability, transparency and individuals’ rights with regard to how their personal data is used.

The Information Commissioner’s Office (ICO) has detailed advice guides on its website and also provides a helpline service on 0303 123 1113.
