New legislation around data protection comes into force in just nine months’ time, but how many people in the eating and drinking out sector are talking about GDPR? Robert Lands of Howard Kennedy sets out why it matters to your business.

There’s no mistaking that the General Data Protection Regulation (GDPR) is going to hit the restaurant sector (and indeed everyone else), regardless of Brexit. It comes into force across Europe in May 2018 and the Government intends to transpose it into a new Data Protection Act, so that it stays in force even after we leave the EU.

Let’s start with the good news. The current obligation to register with the Information Commissioner’s Office (“ICO”) will be abolished, along with the criminal offence of failing to do so.

In its place, the GDPR introduces a raft of “data governance” obligations which put the emphasis on organisations carrying out self-assessment exercises and documenting their data processing. The idea is to move away from box-ticking registration to a culture where the use of personal data is scrutinised and justified.

Businesses are encouraged to adopt “data protection by design”, meaning that they should think about the data protection consequences of all their activities. They should regularly audit the data they hold and document the reasons for doing so. They should train staff in data protection and adopt good practice techniques such as “pseudonymisation” to make it harder to identify individuals (for example, by using employee numbers instead of names in statistical analysis).

That represents a cultural change for some in the restaurant sector, who might not be used to thinking too deeply about data protection issues, despite holding large amounts of personal data about their staff and customers.

Where an activity might impact on privacy more seriously, such as installing CCTV in a restaurant, monitoring the behaviour of customers online, or processing sensitive personal data, organisations will be required to carry out formal “Privacy Impact Assessments” to document the risks and the safeguards to be put in place. In certain cases, they will also have to notify the ICO of the Privacy Impact Assessment and seek permission before undertaking the proposed activity.

Organisations also have transparency obligations, meaning that it will be obligatory to say more about what they are doing. These requirements go beyond the typical privacy policy we see today. In addition to setting out the purposes for processing and the identity of the data controller, they include explaining the legal basis for the processing, the period(s) for which the data will be retained and people’s legal rights, including that they have a right to complain to the ICO.

Businesses will therefore need to update their privacy policies and look at whether additional statements and disclosures need to be given, including at the point of data collection. This is especially true if a business is relying on the individual’s consent. Under the GDPR consent must be “unambiguous” and separate consents are required for each processing activity. Individuals must be presented with a sufficiently granular and genuine choice.

Direct marketing is important for many in the restaurant sector and much has been written on the impact of GDPR on direct marketing. But it may come as a surprise to some to hear that the GDPR doesn’t say very much about direct marketing and doesn’t necessarily even require that consent is obtained for it. However, there’s another set of data privacy rules, the Privacy and Electronic Communications Regulations 2003 (known affectionately as “PECR”), which do require consent for direct marketing to individuals by email and SMS. Those rules are due to be updated next year, to coincide with the GDPR, but the replacement for PECR is currently still in draft. In the meantime, the ICO has become very much more active in recent months in enforcing the existing PECR rules and has clamped down on certain practices, to the surprise of the likes of Morrison Supermarkets, Moneysupermarket, Flybe and Honda (all of whom have been fined by the ICO this year for direct marketing offences).

The obligations in the current Data Protection Act 1998 apply only to “data controllers” (organisations which exercise control over the processing of personal data), but the new GDPR also applies to “data processors” (those who process data on behalf of others). This means that many businesses which are not subject to the current regime will now be liable. Further, data processors will now have an obligation to inform the data controller if the processing they are asked to undertake is unlawful, meaning in effect that suppliers will have to police their customers’ activities.

Data processors will also have an obligation to notify data controllers if there is any unauthorised loss or damage to personal data. And the data controllers themselves will have an obligation to notify the ICO within 72 hours of such an event. Unless an exemption applies, they will also have to inform the individuals whose data has been compromised. At the moment, only communication service providers (think “Talk Talk”) have to do this, but soon it will apply to all industry sectors.

Individuals have greatly enhanced rights under the GDPR and ensuring that they can exercise those rights will place an additional burden on business. The existing “subject access” right (broadly the right to see the information processed about you) will be extended. In addition, individuals will have new rights, such as the right to erasure (aka the “right to be forgotten”), a new right to require organisations to “restrict” processing while complaints are investigated and a right to “data portability”. Portability is similar to subject access, but the data has to be provided in a machine-readable format and an organisation can be required to send the data directly to a new data controller. In other words, customers can ask a business to port their data to a new provider. This may help some businesses in lowering barriers to entry to certain markets, but it also means that businesses must develop systems to cope with portability requests.

The GDPR will make some things easier for businesses, especially those who trade across Europe, as the law will be harmonised to a greater extent. However, for a great many it will make life that bit harder, especially in transitioning to the new regime. Further, the potential fines for getting it wrong are to increase massively. Currently, the ICO can fine up to £500,000. This will rise to the greater of 20 million Euros or 4% of the worldwide turnover of a business. Given this, businesses may want to examine their insurance cover and should in all cases ensure that data protection is moved higher up the boardroom agenda.

Robert Lands is head of intellectual property at Howard Kennedy LLP