As a new regime of laws on data protection (GDPR) and privacy sweeps across Europe, business owners now have an added weight on their shoulders: not breaking the law. To put it simply, the General Data Protection Regulation (GDPR) is a recently launched law designed to protect the personal data of European Union (EU) citizens. As a means of achieving this objective, the law places a heavy responsibility on businesses to take active measures to eliminate the possibility of data breaches. Preparatory measures undertaken in the past few months alone have changed the way business activity is carried out. Now that the law has finally taken effect, which part of a restaurant's business will it affect the most? Our blog this week examines this.
First off, an understanding of the overall changes wrought by the GDPR is essential to understanding how your business activity is likely to be affected going forward. Designed to harmonise the laws across the EU, the GDPR makes several key changes to the law pertaining to data security and customer privacy. Overall, these include:
Basically, all companies processing the personal data of subjects residing in the EU must comply with the regulation. Thus, whether you reside in the EU or not, if your business meets this criterion, measures to ensure compliance must be taken.
The penalties given effect by the regulation are particularly onerous, and are meant to be that way. Organisations in breach can expect to pay up to 4% of their annual turnover or €20 million, whichever is greater. This is reserved for the most serious of breaches. If, for instance, you fail to notify the supervising authority or your own customers about a breach, or fail to conduct an impact assessment, you could be fined a lesser 2% of annual turnover. The penalties thus take a tiered approach to GDPR breaches.
All things considered, the most rigorous change is in the area of consent-related permissions. Companies can no longer hide behind unnecessarily complex legal language when obtaining customer consent. An easy-to-understand form must now be shared with the customer, outlining the specific reasons for which data is collected. The option of withdrawing consent must also be given. Apart from these, a whole range of data subject rights is altered by the new law, which addresses, among other aspects, breach notification, the right to be forgotten, and data portability.
As a restaurant, gathering data is required to stay relevant and competitive. Data is thereby gathered for a variety of purposes and is used in different ways. Areas which will now require your special attention include:
If your restaurant allows customers to order food online, it's important to take stock of what kind of data you're collecting and how you're storing it. It is important not just to ensure that this is done in a coherent and systematic manner, but that the relevant permissions are obtained and your systems are capable of protecting such data.
Similarly, if you allow guests to make reservations through your website, the information, no matter how trivial it may seem to you, must be protected against external attack. Further, if you're using third-party applications for this purpose, it remains your responsibility to ensure that such software is GDPR compliant.
If you're engaging with your customers via email, measures need to be taken to ensure that the data from emails is stored securely and that customer data and privacy are protected in every email. Before this, however, it is equally important to ascertain that you reach out only to customers who have signed up for the newsletter in the first place, and that they have the option of unsubscribing with ease.
If you're selling products from your restaurant online, such as branded coffee, snacks, and the like, care must be taken with the way you gather customer data and how you use it. Above all, ensuring that your customers know exactly how their data will be used, through the information you provide during this process, is crucial.
It really seems like there's almost no area free of GDPR influence. If customers are signing in to your restaurant's wifi, pertinent questions you must ask yourself include: how is this personal data collected, how is it stored, and how is it used? These concerns must be addressed before such services are offered, given the new GDPR environment in which you operate.
If your loyalty scheme has been digitised and involves the use of personal customer data, steps need to be taken to ascertain that you're processing information in a way that keeps data secure, both in terms of storage and in terms of explicit customer consent. Make sure your customers are also informed of what types of data are collected and how these will be used in the future for business activity.