The gradual relaxation of lockdown restrictions in the UK brings both opportunity and complexity as businesses get ready to reopen their doors in a new way in order to keep both staff and customers safe and secure.
One of the next sectors to open in the UK will be the hospitality industry in England on 4 July. As a result pubs, restaurants and cafes will be required to make changes to the way they work in order to meet requirements laid out in the UK Government guidelines to assist the Track and Trace initiative by keeping a temporary record of client and visitors for 21 days.
As we navigate these new challenges and adapt to new working procedures, it is important to ensure that we continue to prioritise people’s privacy and that data protection legislation is adhered to.
Reopening plans must include a process to address privacy and security risks and here we discuss the top three key considerations for businesses as they get ready to open their doors:
1. Determine what privacy looks like
Creating a clear and straightforward set of guidelines that every member of your organisation can both understand and explain will be essential in smoothing the transition into this new way of working. The basic principles should be as follows:
- Proportionality is the overarching principle. If you request excessive personal data, people will either refuse and therefore not visit you, or even worse, provide false information.
- Apply the 21-day retention period carefully — other services may require that you hold it for longer — and apply it rigidly, including ensuring that it is deleted when the 21 days are up.
- Request only the minimum data you need. This will of course depend on your type of business and may already be included in information you already require. For example, hotels and restaurants taking bookings. Take care to ensure that any additional personal data you request can be justified and clearly linked to the current circumstances.
- Transparency and openness about the personal data you need and what you will do with it, is essential. Data protection law requires that people understand what personal data you want from them and why prior to it being collected and processed. You will need to comply with this law across all data you will be collecting.
- Ensure you can respond to people exercising their privacy rights. The law allows people to request copies of their personal data or to object to it being processed. You do not require a complicated process for this but it must be built into whatever procedures you are following to enable you to open safely on 4 July 2020. It is also worth noting that you do not need to instantly delete people’s data if they ask you to do so, for example, keeping it for 21 days after someone has worked at, or visited, your premises is allowable.
2. Look after the personal data you collect
Collecting personal data is key to reopening the economy effectively. A careful, responsible approach to holding this data is key to ensuring that both staff and customers returning to the hospitality industry feel confident that both their health and their data are in safe hands.
- Personal data must be held securely. People are increasingly aware of the value in their personal data and are more frequently insisting that it is kept secure when they hand it over. A compromise of the personal data that you collect could completely destroy your relationship with your valued customers.
- Access to personal data must be controlled. One of the important parts of looking after people’s data is ensuring that access to it is limited to only those who need it for their work.
- Give the same love and attention to physical records as you do with electronic ones. We recognise that some businesses will not want or have time to implement an online solution and will choose instead to use paper records. This is fine, but those records must be kept just as safe and secure as any others; the information is the same. They should only be accessible to those who require the data.
- Ensure you have a robust and easily implemented plan to follow in the event that something goes wrong and personal data is compromised.
3.Have a communications plan and communicate it
Getting your communications right is important, not just for your own people so they understand how things will work and their role in it, but also for customers and other stakeholders so they are clear what is happening and what they need to do.
- Ensure that everyone is clear about who is in charge of communications, and what their role is. This will help to ensure that anything you send out is consistent and has been through the right checks before being published.
- Make sure your own people understand your approach and how it will work in reality. Whatever plans you put in place for opening next month must be communicated to your employees in good time. It makes sense to allow them time to confirm they are happy that it will work, or to raise any concerns or questions they might have.
- Know who you will communicate with in government — For example, NHS Test and Trace, Health & Safety Executive (HSE) or Public Health England (PHE) — and what information they will require if you are alerted that a customer or one of your own people has symptoms or is a confirmed case.
- Establish a low-risk method for communicating with your own people and/or relevant customers only — avoid emails to everyone. You do not want to exacerbate a problem with a compromise of personal data because you have inadvertently sent an email to everyone who has visited.
NCC Group’s privacy team supports clients all around the world. Our services range from Data Protection Impact Assessments, through to Information Mapping and Data Protection as a Service.
For more information contact your dedicated account manager or email infosec@nccgroup.com.