The much-anticipated re-opening of businesses in the food and drink sector has been given the green light for 4 July, a welcome decision for both those in the industry and consumers.
However, the opening of these businesses comes with additional responsibilities and requirements which specialist lawyers are warning could leave businesses falling foul of the data protection rules.
Amy Peacey, a senior associate in the commercial team with national law firm Clarke Willmott LLP, says businesses will need to review and update their data protection knowledge and processes quickly in order to open their doors on the 4th.
“The loosening of the lock down restrictions comes as a welcome relief to businesses within the retail and food & drink sector. However, the ability to reopen will impose upon business owners’ additional requirements they will not have encountered before, in addition to ensuring effective social distancing measures are in place for both employees and customers,” said Amy.
“The Government has requested that businesses keep a temporary record of their customers for 21 days, in a way that is manageable for the business, to assist the NHS Test and Trace scheme with requests for that data if needed.
“Many businesses who take bookings will already have systems in place for recording customer details such as restaurants, hotels, and hair salons, however, there will be several establishments who do not collect customer details currently such as pubs and cafes which will need to change their processes.
“Becoming data collectors means that these businesses are subject to data protection rules under the Data Protection Act 2018 and the General Data Protection Regulations (GDPR). Data will need to be stored securely and only kept for reasonable period of time. Businesses will need to think about who can access this information, how they inform customers of their policies and also about how they ensure the information given by customers is legitimate.”
It is likely that many businesses will come across customers who will not co-operate with the Government’s proposed requirements. It is unclear at this stage the specific obligations that will be imposed upon businesses in relation to the collection of customer data and the transfer of such data to the NHS Test and Trace scheme.
The Government is working with industry bodies and the Information Commissioners Office (ICO) to provide detailed guidance on how businesses should design their customer data collection systems to be compliant with data protection legislation and these new requirements. The Government has said that it will provide detailed guidance to businesses “shortly”.
With the lack of guidance at this stage and many businesses looking to open in early July Amy has set out below a few points to assist businesses with their obligations under the Data Protection legislation.
- You must make sure that any personal data collected for compliance with Covid-19 requirements is not used for any other purpose such as sending marketing communications about offers or promotions.
- When collecting personal data from your customers only take what you need such as a name and telephone number/email address.
- You must provide your customer with a privacy notice setting out why you are collecting the data and what you will be doing with it. This will need to include amongst other things, details about using the information to contact them in the event of a Covid-19 outbreak and passing the information to the NHS (if required) for the purposes of the NHS Test & Trace scheme.
- You need to have in place clearly documented processes for how your business will collect, store, and dispose of customer personal data. You will also need to make sure that all your employees are aware of and follow the required processes.
Amy said: “We’re all looking forward to life returning to as near to normal as possible and it’s great that the Government are taking these restrictive measures to allow for the safe opening of businesses but without more guidance and businesses being stringent in their data collection procedures, this could turn into a data protection nightmare.”