Mastercharge
Wireless Charging Technology for Restaurants, Cafés and Hotels
Currently, the UK hospitality market is facing pressures from all sides. We have Brexit, the National Living Wage and increases in food prices, business rates and rents, together with people shortages across front and back-of-house. If that wasn’t enough to contend with, the latest challenge is the imminent arrival and enforcement of GDPR, which will become law on Friday 25 May. Steve Elcock, CEO of HR platform elementsuite, walks restaurant operators through what they need to know, and do, to ensure they’re compliant by the deadline.
The EU’s General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. The UK currently relies on the Data Protection Act 1998, but this will be superseded by the new legislation. A lot has happened since 1998, most importantly the emergence and adoption of the internet. So, for a moment, think about yourself and the abundance of data accumulated about you over the years, and not just across the internet. It’s a scary thought, isn’t it? This has resulted in an incredible amount of personal data being held by numerous companies across the globe, many of whom fail to protect it properly.
Put simply, the new enforcement aims to give consumers back control over their personal data. The wake-up call for hospitality operators is that GDPR will introduce tough fines of up to 2% of annual turnover for those who fail to protect personal data, across both their own people and customers. Some 2% of any operator’s turnover is detrimental to the bottom line, and especially so in the current climate. To put this into context, if you’re a medium-sized operator with seven sites, turning over a weekly average of £25,000 per site, you could be facing a fine of £182,000. It’s worse if you’re an operator on a global scale, with potential fines set at up to €20 million (just over £17.5m) or 4% of annual worldwide turnover, whichever is bigger.
Interestingly, a study by cyber security firm NCC Group found that if the GDPR had come into force in 2016, the fines would have skyrocketed from £880,500 to £69m. Importantly, back in June 2017, casual dining giant JD Wetherspoon announced they were deleting their 700,000-strong email customer database, choosing instead to promote special offers and deals through their social media channels and website.
There are two data categories to be aware of – ‘personal data’ and ‘sensitive personal data’.
The GDPR applies to ‘personal data’, meaning any information relating to a person who can be directly or indirectly identified. It applies to your own people and customers, for example if you hold their name, location and address.
The second category, ‘sensitive personal data’, will relate more to past and current employees, as opposed to customers. The GDPR refers to this as “special categories of personal data”. This relates to information concerning racial or ethnic origin, political opinions, religious beliefs, physical or mental health, or criminal offences.
At the heart of GDPR are an individual’s rights. Moving forward, it will mean that operators must disclose the intended use and duration of any data. It will be important to gain permissions each time any new use of people or customer data is suggested. The GDPR will require operators to carry out a thorough review of how they collect and use personal data, and in turn, demonstrate that their data compliance practices and procedures are in line with the regulations.
Training staff in data protection awareness is crucial, together with managing information risks in a structured way. It will become law that at least one person in every business is trained on GDPR. For multi-site or global operators, I’d recommend recruiting an in-house GDPR officer.
You need to be clear on what personal data you hold, where it came from, who it is being shared with and what you do with it. This will become a lawful requirement for holding information, together with a clear process for obtaining individuals’ consent.
Hospitality operators must be aware of their people’s and customers’ rights. This includes privacy notices to individuals, obtaining consent, responding to requests to access data, and ensuring information is kept for a valid purpose and is up-to-date or purged when no longer required.
Implementing appropriate security measures and an effective process to identify and manage any personal data breaches is vital. It is important for operators to also provide an adequate level of protection for any personal data processed by others being used outside of the EU.
Irrespective of whether you’re an independent or multi-site operator, take GDPR seriously. No business wants to hand over 2% of its turnover to fines.
And this is important. Empower a member of if that’s not enough to take it seriously, operators need to nominate a ‘Data Protection Lead’ or ‘Data Protection Officer’ to sit within the organisation’s structure.
The fine and association with non-compliance are not worth it.
Operators must know and document the personal data they are collecting: where it is stored, who it is being shared with, and what they are doing with it. Policies must be easily accessible to employees and customers at all times. Transparency is key here.
Operators that embrace GDPR will reap the rewards of securing and controlling their data. When the regulation comes into effect in May, businesses from all industries will only be interested in working with partners that can demonstrate effective control over their data – even third-party non-compliance can leave a company liable to fines. Offering transparency in relation to personal data will also provide an excellent opportunity for operators to build trust with their customers and employees.
In summary, it is crucial that operators don’t view GDPR as a time-consuming, box-ticking exercise, but as an opportunity to increase operational efficiencies and revenue generation. Remember, data continues to be king. By consolidating data and ensuring that both customer and employee information is up-to-date, operators will have better insight into their customers’ views, buying behaviours and revenue hot-spots. By truly understanding the data held within a business, operators should look to streamline and unlock previously untapped, valuable information and insight, turning GDPR into a money-maker, rather than a money pit.