How Can Restaurants Become GDPR Compliant


Please note: This article does not constitute legal advice. When it comes to GDPR and privacy laws, always consult a legal professional.

On May 25, 2018, new EU privacy laws will come into effect. As a business owner, you’ve probably heard the buzz around these new laws and the reasons why they have been brought into effect. Indeed, it would have been pretty hard to miss Mark Zuckerberg’s robotic performance in front of Congress.


But you might not know how these laws affect restaurants and what exactly you need to do to make sure you remain compliant. This article has been written to help you better understand the impact these laws will have on your business and the steps that you need to take to make sure that you stay in line with regulations.


A GDPR Recap


Before we go any further, let’s take a second to make sure we know exactly what we are talking about.

What is GDPR?

The General Data Protection Regulation (GDPR) is a data protection law that comes into effect on May 25, 2018. It has been designed to protect the personal data of EU citizens and has been called the most important piece of legislation of the last 20 years.


What does it mean for restaurants?

If you use and process data in any capacity, you need to have a lawful basis for doing so. These can be:

  • A legitimate interest
  • Necessary for performance
  • Freely given consent

In essence, you need to tell a customer exactly what you will do with their data and give them the option of choosing whether or not they allow you to do this.


What happens if you don’t comply?

Failure to comply with these new laws can result in a penalty of €20 million or 4% of your total global turnover of the previous year, whichever is higher. There is also the damage to your restaurant’s reputation to consider.


Are US restaurants affected by GDPR?

Yes. Any US business, restaurant or not, that has a website and markets themselves online will be affected in some way by the legislation.

You must comply with the requirements if your company collects data about an EU citizen when they are in the UK, even if your entire business is based in the US.

In practice, this means that if an EU citizen books a table at your restaurant from their home in anticipation of a holiday, you are required to abide by all GDPR regulations.


Parts of your restaurant business that may be at risk under new GDPR rules


As a restaurant, you handle customer data every single day, even if you don’t realize it. From writing down the address and phone number of a takeaway customer to signing people up to your loyalty scheme, you collect more data than you realize. You will need to consider how all of the following areas of your business are compliant after the law comes into force.

  • Online booking systems: If you use a third party system, it’s your responsibility to check they are compliant. If you use your own, even if it’s just writing names down in a book, you’ll need to check whether it is compliant.
  • Online ordering: Can customers order food through your website? If so what data are you collecting and how are you storing it? If you use a third-party piece of software, are they compliant? This will need to be checked.
  • Loyalty schemes: Has your loyalty scheme evolved from a card that you stamp to an app? If so you’ll need to check the data you collect, how it is stored and the permission you have to use it.
  • Email newsletters: Do you keep customers informed by email? How are those emails stored? Are they secure? Do customers know what they are signing up for when they give you their email address? Can they unsubscribe when they wish? You’ll need to answer all these questions.
  • Online stores: Do you sell restaurant-branded products through your website? You’ll need to look at the data you collect and the way that you use it.
  • Restaurant WiFi: If you require users to submit personal information to access the WiFi, you will need to assess what you are collecting and how you are using it. Note: this won’t be a problem if you use Facebook WiFi.

Steps to make your restaurant GDPR compliant

This can all seem a bit overwhelming, so next we’ll look at the key things restaurants should do to become GDPR compliant. This won’t cover everything, and you should seek legal advice if you are concerned about the way in which your business complies with GDPR. That being said, these steps should be suitable for most small restaurants.

1. Complete a data audit

The first step is to look at all of the data that you hold about customers. Whether it is as small as their name or email or as large as their entire order history, look at what you have, where it came from, who you share it with and how/if you use it. This will let you see, at a glance, the next steps you need to take.

2. Acquire and reconfirm consent

Consent is key when it comes to GDPR rules. That means you’ll need to change how you collect data to make it clear to users what data you collect and how you use it. So, for instance, if you collect data when customers place an order, and you use it for future marketing purposes, you must state this when they make their order and give them the option of opting out of having their data used for marketing.

If you already have their data, say for example in a newsletter database, you’ll need to reach out to each user and ask them to reconfirm their consent for how you use their data. If they don’t give consent, remove them from your database.

3. Provide a way to opt-out

However you collect data from your customers, make sure that you provide them with a way to opt out. That means if you collect data through your online loyalty app, provide a way for them to opt out of the app itself. If you email them a newsletter, provide a way for them to opt out of the newsletter.

4. Update your website’s cookies and privacy policy

Now is the time to update your website’s privacy policy to make it clear how you collect data from the site and what you do with it. You should also refer to GDPR language. Plenty of examples can be found online. If you use software to track user behavior on your website, you should also add a cookie notification to let customers know that cookies are in use.

5. Look at the way you advertise on Facebook

Advertising on Facebook doesn’t necessarily mean you are at risk under GDPR. If you only target US users, then that is okay. However, if you target worldwide, or specifically target users based in EU countries, then you must abide by GDPR. That means if you use the ad to send them to your website, your website must be GDPR compliant.


Restaurant marketing after GDPR

If you thought marketing your restaurant was tough before GDPR, it’s going to be a whole different ball game after May 25. Seeking professional help is now more important than ever. Get started today by booking a free consultation with one of our experts here at The Digital Restaurant.