What GDPR means for hospitality operators

Currently, the UK hospitality market is facing pressures from all sides. We have Brexit, the National Living Wage and increases in food prices, business rates and rents, together with people shortages across front and back-of-house. If that wasn’t enough to contend with, the latest challenge is the imminent arrival and enforcement of GDPR, which will become law on Friday 25 May. , Steve Elcock, CEO of HR platform elementsuite, walks restaurant operators through what they need to know, and do, to ensure they’re compliant by the deadline.

The Facts

The EU’s General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. The UK currently relies on the Data Protection Act 1998, but this will be superseded by the new legislation. A lot has happened since 1998, most importantly, the emergence and adoption of the internet. So, for a moment, think about yourself and over the years, the abundance of data accumulated about you – and not just across the internet. It’s a scary thought isn’t it? This has resulted in an incredible amount of personal data being held by numerous companies across the globe – many of whom, fail to protect it properly.

Put simply, the new enforcement aims to give consumers back control over their personal data. The wake-up call for hospitality operators is that GDPR will introduce tough fines of up to 2% of annual turnover for those who fail to protect personal data, across both their own people and customers. Some 2% of any operator’s turnover is detrimental to the bottom line, and especially so in the current climate. To put this into context, if you’re a medium sized operator with seven sites, turning over a weekly average of £25,000 a week per site, you could be facing a fine of £182,000. It’s worse if you’re an operator on a global scale, with potential fines set at up to €20 million (just over £17.5m) or 4% of annual worldwide turnover, whichever is bigger.

Interestingly, a study by cyber security firm, NCC Group found that if the GDPR had come into force in 2016, the fines would have skyrocketed from £880,500 to £69m. Importantly, back in June 2017, casual dining giant, JD Wetherspoon, announced they were deleting their 700,000 strong email customer database, choosing instead to promote special offers and deals through their social media channels and website.

As an operator, what should I be concerned about?

There are two data categories to be aware of – ‘personal data’ and ‘sensitive personal data’.

1. Personal Data

The GDPR applies to ‘personal data’, meaning any information relating to a person who can be directly or indirectly identified. It applies to your own people and customers. For example, if you hold their name, location and address.

2. Sensitive Personal Data

This category will relate more to past and current employees, as opposed to customers. The GDPR refers to this as “special categories of personal data”. This relates to information concerning; racial or ethnic origin, political opinions, religious beliefs, physical or mental health, or criminal offences.

What’s it all about and what do they want from me?

At the heart of GDPR is an individual’s rights. Moving forward, it will mean that operators must disclose the intended use and duration of any data. It will be important to gain permissions each time any new use of people or customer data is suggested. The GDPR will require operators to carry out a thorough review of how they collect and use personal data, and in turn, demonstrate that their data compliance practices and procedures are in line with the regulations.

Four areas operators must consider

1. Accountability and Governance

Training staff in data protection awareness is crucial, together with managing information risks in a structured way. It will become law that at least one person in every business is trained on GDPR. For multi-site or global operators, I’d recommend recruiting an in-house GDPR officer.

2. Lawfulness, fairness and transparency

You need to be clear on what personal data you is hold, where it came from, who it is being shared with and what operators do with it. This will become a lawful requirement for holding information, together with a clear process for obtaining individuals consent

3. Individuals’ rights

Hospitality operators must be aware of its people and customer rights. This includes privacy notices to individuals, obtaining consent, responding to requests to access data, ensuring information is kept for a valid purpose and is up-to-date or purged when no longer required.

4. Data security, international transfers and breaches

Implementing appropriate security measures and an effective process to identify and manage any personal data breaches is vital. It is important for operators to also provide an adequate level of protection for any personal data processed by others being used outside of the EU.

Five tips to prepare for GDPR

1. Take GDPR seriously!

Irrespective of whether you’re an independent or multi-site operator, take GDPR seriously. No business wants to handover 2% of its turnover to fines.

2. You can’t do it all…

And this is important. Empower a member of if that’s not enough to take it seriously, operators need to nominate a ‘Data Protection Lead’ or ‘Data Protection Officer’ to sit within the organisations structure.

3. GDPR is not optional

The fine and association with non-compliance is not worth it.

4. Know your Data

Operators must know and document the personal data they are collecting – where it is stored, who it is being shared with, and what they are doing with it. Policies must be easily accessible to employees and customers at all times – transparency is key here.

5. Embrace the GDPR – Gain a competitive advantage

Operators that embrace GDPR will reap the rewards of securing and controlling their data. When the regulation comes into effect in May, businesses from all industries will only be interested in working with partners that can demonstrate effective control over their data – even third-party non-compliance can leave a company liable to fines. Offering transparency in relation to personal data will also provide an excellent opportunity for operators to build trust with their customers and employees.

In summary, it is crucial that operators don’t view GDPR as a time-consuming, box-ticking exercise, but as an opportunity to increase operational efficiencies and revenue generation. Remember, data continues to be king. By consolidating data and ensuring that both the customer and employee information is up-to-date, operators will have better insight into their customer’s views, buying behaviours and revenue hot-spots. By truly understanding the data held within a business, operators should look to streamline and unlock previously untapped, valuable information and insight, turning GDPR into a money-maker, rather than a money pit.