Hospitality sector is failing on contact-tracing obligations

A little over a month since bars, cafes, pubs and restaurants in England were allowed to reopen under a loosening of the Covid-19 lockdown restrictions, thousands are failing to comply with the General Data Protection Regulation (GDPR) and data protection compliance rules associated with the mandated collection of customer information.

Currently, hospitality businesses are obliged to collect their customers’ contact details to assist in tracking and tracing any Covid-19 flare-ups, and although the majority are complying with the spirit of this requirement, new research undertaken by security software firm TAAP and data compliance specialist OSP Cyber Academy suggests that many are unwittingly breaching the law and putting themselves at risk of fines or legal action.

The two firms are now calling on the government to emphasise the need to protect customer data.

The most common failings uncovered in the joint study were the use of inadequate pen-and-paper systems to record customer information, and failure to train staff in how collected data should be used and stored, and for how long.

“Lots of customers are rightly worried about handing over personal data,” said Irene Coyle, data protection officer at OSP Cyber Academy. “Many businesses are struggling to implement effective data protection compliant registration systems. Covid has brought a whole new issue for small businesses like pubs and cafes which are not used to handling customers’ personal data.”

TAAP CEO Steve Higgon added: “After the hospitality sector reopened, we asked our staff to make notes on the systems used to record their data when they went out. The majority of venues were using pen and paper, and some customers were not giving accurate information, which will hinder track-and-trace efforts.

“It was also clear that the staff didn’t know the rules on data compliance. To test this, we followed up with the venues with a subject access request, and none of them knew the process. These requests are an essential part of the ICO [Information Commissioner’s Office] rules to ensure that personal data is stored correctly.”

Failure to follow GDPR guidelines on data compliance can incur a fine of up to 4% of annual turnover or £17m, whichever is higher. Small businesses found in breach are more likely to fall into the first bracket – a pub with annual turnover of £100,000, for example, would face a fine of £4,000.

Coyle said there is also the danger that small hospitality businesses may fall victim to no-win, no-fee law firms, which traditionally specialise in spurious ambulance-chasing claims, PPI claims and so on, but may spy an opportunity to offer their services to people who may or may not have been the victim of a data breach. The cost of fighting or settling such cases could be hugely disruptive to small firms.

To protect small hospitality businesses better against such risks, TAAP and OSP have developed a new secure identification feature for TAAP’s Visitor Book app, which was originally designed as a contactless receptionist service, and uses the QR code-scanning feature of a smartphone to generate unique visitor or customer IDs.

The feature means that customer data will now no longer be accessible to anyone other than a systems administrator, who must explicitly request access to the information in order to create a transparent audit trail.

Higgon said this would allow visitors to hospitality businesses to provide their data securely and in compliance with GDPR to allow for Covid-19 contact tracing, while business owners are protected from data misuse, whether accidental or by malicious employees.

“While it is right that businesses want to get back open, unless they take data compliance seriously, it could be costly,” he added. “Thankfully, technology is on hand to help, and we would love to see the government get the message out.”