Personal data and data protection may not spring to mind when you think about your local grocery store, butcher, off-licence, or restaurant. However, those in the food and beverage industry should assess how they manage the information they collect, for example information collected through loyalty card programmes, mailing lists and e-receipts. The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, will regulate the use of information that may be used to identify an individual, i.e. personal data.
Obligations under GDPR
GDPR provides a comprehensive set of obligations, which businesses must adapt to when dealing with personal data. The GDPR requires that a number of details be provided to customers when you process their personal data. This includes providing customers or individuals with information about what personal data is being processed, how it is being processed, why it is being processed and to whom the personal data is being disclosed. This is important because the recipients could include third parties, e.g. marketing agencies who assist in loyalty card programmes.
Five points to remember
From a practical perspective, collecting information is an important part of providing good customer service and ensuring customers get a more tailored and bespoke service. With that in mind, we set out five points which a business in the food and beverage industry must give priority consideration to in preparing for GDPR.
Accountability: Under GDPR businesses must be accountable and in a position to demonstrate, and in most instances document, the manner in which they comply with data protection law. This may include refreshing fair processing practices, reviewing privacy notices, and rethinking consent capture mechanisms. For many, this will mean revisiting data protection wording on websites, online application forms, interactive voice recordings, call centre scripts, proposal and application forms, renewal notices and annual account statements.
Legal Basis for Processing Personal Data: For GDPR, businesses will have to identify the legal basis upon which they process personal data and the purpose for this processing. Broadly, the GDPR offers six legal bases which are consent, contracts, legal compliance (with another law), protecting the vital interests of a person, public interest and legitimate interest. In the food and...