In my previous article “Data protection in the COVID-19 pandemic” I commented on the impact of Coronavirus on GDPR, an impact which could potentially be negative.
As many of us are eagerly looking forward to being free to pop back to our local pub from the 4th July, we learn that this will (quite sensibly) be subject to certain restrictions and conditions.
In one such condition, the government urges (so not compels??) venues to keep “a temporary record of customers and visitors for 21 days, in a way that is manageable for your business”. The reason, apparently, is to enable the data to be used for NHS Test and Trace (still not yet properly functioning, as I understand it) to prevent or curtail clusters of infected people or local outbreaks, should cases of coronavirus be reported in your local pub or restaurant. Pubs should not, of course, use your data for the purpose of bombarding you with unsolicited marketing emails, but will they be tempted?
Of course, many pubs and pub chains already have some customers’ personal data from when those customers have registered for free wi-fi. Many of us have suffered the consequences of that. The government says any information should be kept “in line with data protection legislation”.
Here are three of the key rules – which should apply equally to the new GDPR (“General Data Pub Registration”):
Lawful, fair and transparent processing
- Lawful means all processing should be based on a legitimate purpose.
- Fair means companies take responsibility and do not process data for any purpose other than the legitimate purposes.
- Transparent means that companies must inform data subjects about the processing activities on their personal data.
Limitation of purpose, data and storage
This means collecting only that data which is necessary, and not keeping personal data once the processing purpose is completed. In this case this would appear to mean 21 days. Note also that only necessary data should be requested – no more.
Data subject rights
Pub customers will still have the right to ask what information the pub holds about them, and what the pub or company does with this information. Remember too that a customer has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.
A couple of questions come to mind, such as:
- Will pubs abuse this as an excuse to harvest and use more information than is absolutely necessary?
- How will we know if a pub or chain is sharing or even selling the data?
- What happens if a customer requests that his or her personal data be deleted before the 21 days is up? Would a refusal constitute a violation of this important consumer right?
Finally, please do not let these concerns taint your enjoyment of your first pint down the pub after more than 3 months! Just remember you will probably have to download an app to place your order and pay for your drinks… perhaps this will be known as a “barcode”.
Author’s note (for the benefit of fellow pedants):
Data is often treated as a plural noun in writing related to science, mathematics, finance, and computing. Elsewhere, most English speakers treat it as a singular mass noun. This convention is well established and widely followed in both edited and unedited writing.
High Skills Partners’ articles are provided for your interest and do not constitute advice, legal or otherwise. We aim to be informative, thought-provoking and to reflect our experience, whilst striving for accuracy and correctness.
© 2020 High Skills Partners Limited