Coffee Shop Innovation Expo

26 & 27 NOV 2019


GDPR: Data Protection And The Hospitality Sector

Unconcerned about data protection?  If so, now is definitely the time to fix that.  Everything changes in Spring 2018 with the advent of the General Data Protection Regulation (GDPR).  Like it or loathe it, this broad new piece of European legislation has been five years in the making, and is set to completely rethink the way that businesses collect, process and use personal data.  Brexit has not affected its implementation, and the UK is now fully subscribed to the roll-out of the GDPR, which comes into force on the 25th May 2018.

The regime introduces significant new obligations affecting the vast majority of businesses, as well as massively increased potential fines for breaches of the new legislation.


The hospitality sector will be particularly affected by the new changes because the use of personal data is an integral part of their everyday work.  ‘Personal data’ covers just about any information which is capable of identifying an individual. Customer lists, bookings, orders, correspondence, reservation and management software, apps, promotional discount memberships, direct marketing and social media communications (to name a few) all involve the collection and processing of personal data, and any business which undertakes such activities needs to be up to speed with their changing obligations in advance of the legislation taking effect in order to avoid the heavily-increased new fines.


The maximum penalties for non-compliance are becoming more severe, with the upper limits on fines increasing to the greater of €20,000,000 or 4% of annual turnover (not profit).  With many smaller hotels, restaurants and coffee shops yielding modest profit margins, such penalties could have devastating consequences.  And while the principle of ‘proportionality’ still applies, we anticipate that data protection authorities will not be overly lenient on organisations that are found to have breached the new regulation.  This is because one of the changes is the removal of the requirement to notify the data protection authority of a controller’s data processing activities.  The registration fees were a key source of funding, and the authorities will now need to find a replacement source.  Most likely, this will come in the form of revenue generated from fines.


With many hospitality-sector businesses previously taking a ‘laissez faire’ approach to data protection, hotels, restaurants, coffee shops and ancillary service companies now have their work cut out for them to ensure compliance and avoid fines under the new regime.  Data protection is not a simple area; businesses of all sizes are potentially vulnerable, and we have seen from our own experience even high street restaurant chains and international franchises getting it wrong. Common mistakes we have previously encountered include, amongst many others:

• Not providing a privacy policy on a website;

• Failing to register with the ICO as a data controller;

• Accidental collection of ‘sensitive’ personal data;

• Failing to store personal data securely;

• Inability to honour subject access requests;

• Keeping personal data longer than necessary;

• Failing to collect valid consent for various processing activities, including transfers and direct marketing;

• Failing to provide the option to opt out of direct marketing communications, and failing to honour opt-out requests.

The advent of the GDPR, and the greater risk of penalties, means that businesses should start being proactive in resolving any such problems prior to the new regulations coming into force.  


There are a great number of changes being introduced by GDPR.  Part of it consolidates and builds upon the existing law, but there is also a significant expansion in the range, depth and breadth of the regulated activities and compliance obligations.  Most importantly, businesses should be aware of the following:

• New rights.  Data subjects will enjoy additional rights in relation to how their personal data is processed, and businesses will need to have systems in place to deal with any requests by data subjects to exercise those rights.  Data subjects will enjoy the right to erasure, the right to portability, the right to object to certain processing activities, and the right to know what personal data relating to them is being processed;

• Consent.  There are new, stricter requirements for the obtaining of consent from individuals to process their personal data.  This is particularly relevant in relation to marketing.  Consent must be clear, voluntary, separate and revocable.  Businesses will have to carefully evaluate whether existing consents will be valid after the GDPR; 

• Accountability. Businesses will be responsible for the consequences of data processing activities, and, crucially, must be able to demonstrate compliance with a range of new requirements and principles;

• Notices.  Stricter requirements will be introduced relating to the information businesses provide individuals about how they process their data.  Policies will have to be accessible and transparent and include specific information about how data is handled and who to contact;

• New Concepts. A number of new concepts are being introduced by the GDPR.  Privacy by design and by default urges businesses to build into their processing systems intrinsic protections for data subjects.  Privacy impact assessments may need to be conducted, prior consultations with authorities may be required in certain circumstances, there must be a legitimate basis for transferring data to certain jurisdictions, and the use of pseudonymisation is being actively promoted as a mechanism for compliance; 

• Documentation.  Businesses will be required to maintain detailed documentation in relation to the data they process and their compliance with the new regime;

• Data Processors. A range of new compliance obligations will be imposed on data processors.  They will have direct obligations to maintain written records, designate data protection officers (where required) and notify controllers of breaches, amongst others;

• Notification.  The GDPR imposes specific requirements in relation to breaches.  Businesses may be required to notify data protection authorities and/or data subjects within specified time periods (72 hours).


Henry Herbert and Nicholas Ball, partners at Herbert & Ball LLP, will be discussing the changes introduced by the GDPR, how to prepare for and meet the requirements of the new regime in cost-effective ways and the commercial advantages and benefits of complying with, and being seen to comply with, the GDPR.

Herbert & Ball LLP specialises in data protection, corporate and commercial, franchising and intellectual property and information technology. We can assist you with data protection compliance. For further information and a free initial consultation, please email or call 020 7866 2402.