As the pandemic evolved and the hospitality sector reopened, business owners struggled to keep on top of their GDPR responsibilities. Track and trace systems meant that businesses had access to more of their customers’ data than ever before. Now that most, if not all, restrictions have been lifted, hospitality business owners are left wondering how they can process their customers’ data safely and securely.
Lilian Tsang, one of our data protection experts, discusses how the pandemic has created unprecedented levels of personal details for businesses to process, but the principles of how it should be processed remain the same.
Data protection laws, including GDPR, are, and always have been, underpinned by a set of principles. These are the fundamentals which enshrine data protection.
‘At the heart of this is ensuring the data is accurate and that only necessary data is collected. Moreover, there must be appropriate security measures in place to ensure personal data is processed and stored safely.’
‘As we move out of the pandemic and see restrictions pretty much vanish, businesses need to adjust their mindset of only collecting data which is necessary. Businesses must also remember that if data is held for a specific purpose intended for processing now, that requirement may diminish further in the future, so always bear in mind the cycle of retention and deletion of data.’
‘The hospitality sector is a good example. Data collected for contact tracing by restaurants, bars, and cafes in March 2021 served a clear purpose and, as a result, customers were more willing to hand over personal details. Now data collection for contact tracing is less relevant. Customers might therefore legitimately question why their data is being stored and what it is used for. Businesses need to be able to answer that question honestly and openly.’
‘When data is no longer needed, businesses should also be safely deleting it. Businesses in this situation may find it a good idea to set retention periods for contact tracing data and reminders for deletion.’
‘IT systems remain a constant target for hackers, and businesses will have a much bigger headache if their system contains a large amount of ‘legacy’ data which could easily have been deleted months or even years earlier.’
‘Those who fail to prepare for this risk reputational damage, fines, and even private claims because individuals are becoming more data-savvy and they understand their rights more than ever.’
‘The moral of the pandemic in terms of data collection policies should be safety first. We got through the past two years by minimising risk. That’s the important lesson which those shaping data protection in businesses across the UK now need to take forward.’
If you're struggling to understand your GDPR and data responsibilities, then we can help by breaking it down into bite-sized chunks. Our data protection audit will provide you with an action plan, and initial training to help you meet your obligations.