News
Collecting customer info - what to keep in mind

How long should you retain customer details and what kind of information should you be collecting? Hotel & Catering Review talks to Conor Hogan at BSI to get the facts.
Fáilte Ireland guidelines for restaurants and cafes state that businesses must have the name and contact details of one person in each party, for example the person who books the table. That person should be advised to keep a record of who is in their party in case it’s required for contact tracing in the future. Details must be securely retained for one month and this also applies to pubs.

According to Conor Hogan, Global Privacy Practice Lead at BSI, the best advice he can give hospitality businesses is to keep it simple. “Given the challenges currently facing businesses, it’s advisable not to over-complicate things. You want the process of collecting and retaining information to be as seamless as possible.” Keeping it simple boils down to three main points, says Conor.

Be transparent – Businesses have a responsibility to be as transparent as possible with both staff and customers. “Explain to your customers as clearly and succinctly as possible what information you are collecting, why you’re collecting it and what you will be doing with it. Many firms already collect personal information for restaurant bookings so don’t over-engineer anything.”

Don’t over-collect – Only collect the information that you actually need. It’s also important that a robust process is put in place to destroy or delete the information once it’s no longer needed. “Only get contact details for the lead person in a group. Firms mustn’t use information collected for contact tracing for advertising or marketing, for example. And if you’re recording the information in your usual bookings software or in physical books, make sure you have a process in place to remove those entries when no longer required.”

Keep it secure – A simple bookings diary is likely sufficient but don’t leave it lying around. “If you are investing in a new piece of software, then careful due-diligence is required to ensure security and privacy-by-design measures should be engineered into the solution so that fundamental rights can be protected. Be alert to ‘quick fixes’ or ‘magic technology solutions’ because as controller, you are responsible for maintaining the confidentiality and integrity of the information and protecting the rights of your customers.”

Anything that a business is doing with personal data for the purpose of contact tracing needs to be carried out in compliance with GDPR, says Conor. “GDPR is often seen as an inhibitor to business but actually GDPR was written with a special provision included in it for the circumstances surrounding a pandemic. It makes specific exceptions or provisions for how the government could process personal data and how private enterprises can process personal data within the context of a pandemic. I think everything needs to be considered within the context of what the country and the world is going through in managing a response to the pandemic.”

Other countries are handling the requirement to collect and retain data a little differently. “The New Zealand government has developed an app that lets customers scan a QR code as they enter a premises. The business doesn’t have access to that information, it’s stored on the individual’s device. If someone that has visited a premises subsequently tests positive, they can update their app and anyone else that happened to be in that location at that time will get a notification to say they may have been exposed to the virus. It means that businesses don’t have to worry about contact tracing. I think it’s a good example of how technology can be used, how privacy can be protected and how additional obligations can be removed from businesses.”
ISSUE 8 2020 | HOTEL & CATERING REVIEW