Pubs, restaurants, hairdressers and other hospitality businesses are being asked to collect and record visitors' personal data in an effort to assist with contact tracing. The obligation to design and implement GDPR-compliant personal data collection, storage and contact tracing capability is a significant burden, particularly given the fact that governments around the world have struggled to do this lawfully. On top of this, businesses have only ten days in which to come up with a plan before the official reopening date of 4 July.

Key questions businesses will need to address include, among others:

  • What data do we need to collect?
  • How are we going to collect the data?
  • How and where are we going to store the data?
  • Do we have a GDPR-compliant privacy policy in which we tell visitors how we will use their data?
  • How long will we store the data for?
  • How will we deal with data subject access requests and other data subject rights?

For many businesses, particularly given the short time frames, a risk-based approach will need to be taken whereby the most immediate and pressing issues are addressed first to get a system in place ready for opening. Businesses will also need to remember that personal data can only be used for the purpose for which it was collected. For example, email addresses and other contact details cannot be used for marketing purposes unless visitors have given their specific consent to be marketed to.

How long this situation will last nobody knows, but it places a significant burden on one of the industries that has been hit hardest during the pandemic. The ICO has said it is actively assessing this situation and will be monitoring developments, so watch this space for further comments.

If you have any questions or need any advice or guidance, please get in touch with a member of the data privacy team.