What sort of data are we talking about here?
If your business retains personal data like names, addresses, phone numbers, HR records and customer lists you need to comply.
Any catering business owner should already be keeping staff records, which will need to be audited. If you have email subscriber lists for marketing purposes, you will need to include this data too. And if you’re a restaurant owner, you’re likely to have customers’ booking data on record, which also falls under GDPR.
What do I need to know?
Among the most important requirements of the regulation is that data security breaches must be reported immediately to the Information Commissioner’s Office (ICO) – ideally within 24 hours. What’s more, individuals will have greater rights over the way businesses use their personal data (you can check those below).
The forthcoming regulation will set a stricter standard for the consent you need to gain to process personal data and will impose much higher fines for failure to comply (up to 4% of your business’s annual turnover or €20 million – whichever is higher).
Enhanced rights for individuals
Under the new regulations, all individuals whose data you hold will be entitled to the following enhanced rights:
• To access their information
• To have inaccuracies corrected
• To have information erased
• To prevent direct marketing
• To prevent automated decision making and profiling
• To data portability
With regard to the second point – to have inaccuracies corrected – this includes having errors corrected in the lists held by any other organisations with whom you have shared inaccurate information. Both you and the other organisation will need to correct inaccurate records. For this reason, it’s really important that you know who you share personal data with and document it.
The 10 step GDPR checklist for caterers
1. Make sure anyone in the business in a supervisory or decision-making role is aware of the changes and give one individual the responsibility of overseeing compliance.
2. Provide your staff with training on how to handle personal data at work.
3. Perform an audit of all personal information that you hold, the source of each item of data and the details of any external organisations with whom the personal data has been shared. Check mobile devices, the cloud and written records, and make the search exhaustive.
4. Review your privacy policies and identify any areas which will need to be updated to comply with the new regulations.
5. Review your current data protection policies and make sure that they comply with newly enhanced employee rights (remember, those new rights are outlined above).
6. Create a policy for data transfers and keep records of each transfer: what was transferred, the reasons for it and how the data will be protected once it has left the employer.
7. Make sure you are able to provide a copy of an individual’s personal data should they make a reasonable request to see it.
8. Review the way your business processes personal data and identify and document the legal basis for processing.
9. Have a method statement for obtaining consent and a means of recording that consent has been given. If you currently hold any data that doesn’t meet the GDPR consent standard, refresh the consent and make a record.
10. Put procedures in place (and document them) that will detect, investigate and report on any breaches of personal data.
Need more help?
For more information about the GDPR and how to make sure you are complying, visit the ICO website. There you will find a wealth of information to help business owners comply by 25th May, including a thoroughly detailed PDF called ‘Preparing for the General Data Protection Regulation – 12 steps to take now’.