Hospitality establishments are doing their best to adhere to new guidelines, but the consequences of this remain up for debate
Cybersecurity experts across the UK are raising concerns over the potential risks of adhering to Government Track and Trace guidelines in pubs and restaurants. The new plan, calling for establishments to keep a register of all visitors, has already been met with words of caution and encouragement for businesses to take care when processing large volumes of personal data.
These new rules state that all hospitality venues must maintain a record of contact details from customers for 21 days, in order to help track coronavirus infections.
Although a specific method for collecting data has not yet been determined, the government has recommended using a booking system similar to those found in certain restaurants and hairdressers.
Are you more at risk of data theft now?
For hospitality businesses, data collection is already a large part of day-to-day service. When a customer pays using a credit or debit card; when IDs are scanned at the door; when purchasing food for delivery – all of these instances require the passing on of information.
However, a formal register of guest details marks a new data point for businesses, one which understandably leads to concerns about exploitation as it provides hackers with a fresh target.
These kinds of ledgers are commonly seen in hairdressers and other establishments, but on paper. However, the use of paper and pen is unlikely in this instance as customers could provide false details which would lead to problems with infection tracing.
As such, the likelihood is that iPads and spreadsheets will be used for simplicity and accuracy. But experts are concerned that these systems will be offered with little or no authentication. By combining multiple data breaches, and collecting information on visitors to various businesses, cybercriminals could effectively build a record of those visitors' movements.
How to adhere to new guidelines and comply with data protection law
Despite these concerns, there are measures businesses can take to ensure that their data is as protected as possible whilst adhering to the Government’s guidelines.
Establishments should aim to collect the minimum amount of data possible, which is likely to be a name, contact telephone number or email address, and the date and time of their visit. The inclusion of other details only increases the fallout of any potential breach. You should also keep the data for as short a period as possible, i.e. 21 days. Any longer, and you are only increasing the risk of theft.
Once this period has passed, the data should be deleted entirely and securely. Any paper copies should be completely destroyed, rather than simply being thrown in the wastepaper bin. And while holding the data, ensure that it is not used for any purpose other than Track and Trace. Details gathered for adherence to Government ruling should not be free to use for marketing and other purposes.
Keep your customers informed and keep the process as simple as possible. Let your visitors know that these are measures required by the Government. And if you’re asking them to fill in a form, make sure it can’t be viewed or photographed by others.
By sticking to these standards, hospitality businesses can reduce the risk of data theft to their establishment, while also doing their part for public health.
Speak to experts
Data protection can feel like a minefield, which is why the best course of action is often to seek help from experienced GDPR consultants who can help you get to grips with your requirements while keeping your business and customer data safe. While this may feel like an unnecessary cost at an already uncertain time for organisations, it is always important to bear in mind that the potential damage of failing to adhere to data protection laws is significantly greater than the outlay on doing things right in the first place.