Software company TAAP and data compliance experts OSP Cyber Academy found 90% of venues were using pen and paper when they researched procedures at venues in the Essex and London area.
Publicans should be aware there are risks associated with this method, such as that a physical clipboard or log could fall into the wrong hands, the companies said.
When pubs do not comply with GDPR and data protection compliance rules, they risk fines from watchdog the Information Commissioner's Office (ICO). There could also be legal actions from no win no fee claims lawyers who specialise in data breaches.
Irene Coyle, data protection officer at OSP Cyber Academy, said: “Lots of customers are rightly worried about handing over personal data. Many businesses are struggling to implement effective data protection compliant registration systems. Covid-19 has brought a whole new issue for small businesses like pubs and cafes which are not used to handling customers’ personal data."
She added: “Worryingly, no-win, no fee claims lawyers used to pursue whiplash and PPI claims will look at this area. When they do, it could raise the possibility of legal actions in the tens of thousands of pounds.”
A fine of up to 4% of annual turnover can be incurred from the ICO, in addition to reputational damage. This would mean a pub with a yearly turnover of £100,000 could face a fine of £4,000 for failing to meet data compliance guidelines,
This is in addition to the risk of passing on coronavirus through surfaces touched by lots of customers, the two companies said.
Findings from the sample of about 15 venues come as the sector has assured the public that the vast majority of pubs are following guidance on this matter confidently and correctly.
Emma McClarkin, chief executive of the British Beer & Publication (BBPA) told Sky News: “The majority have been working incredibly hard to implement these [guidelines] and are doing rather well at it.
“Some of them have invented their own apps and QR code systems in order to adapt and fill in the gaps of the Government’s [contract tracing] app which is not up and running but we hope will be very soon.”
Trade associations have said any method of data recording is acceptable as long as the system used can record the necessary information and keep it secure for 21 days before it is securely destroyed.
The BBPA has encouraged pubs to consider data protection in its risk assessment and offered guidance in an industry briefing document about how to cooperate with NHS Test & Trace.
The briefing states: "Manual collection or pen and paper is also permitted, though you may want to consider the hygiene consequences involved with shared pens, etc, as well as data protection rules that do not allow other customers to see private information."
Measures of risk mitigation could include cleaning shared stationary between users, making hand sanitiser accessible at this point of service, and not leaving details on public display such as in a book other pubgoers can view.