Pints and privacy – easing lockdown in UK hospitality industry

Boris Johnson recently announced the largest easing of lockdown measures since restrictions came into place on March 23rd. This Saturday, English hospitality venues such as bars, pubs and restaurants will be allowed to reopen as long as they maintain social distancing rules. Under new guidelines, businesses may have to collect personal details in case customers need to be tracked and told to self-isolate.

These simple measures could help to manage the risk of the virus as we exit lockdown, but the new system does come with significant data privacy risks. If customer data isn’t properly managed and secured, hospitality businesses could be at risk of data breaches, leaks and hacks, and may face substantial fines and compensation actions.

So they must plan not just with health risks but with data risks in mind.  All staff throughout the business must be trained and understand how their roles will change as data protection responsibilities increase. Management must ensure that all staff members understand how to handle the data and, if necessary, seek official guidance to make sure their data protection responsibilities are met.

One of the biggest concerns for businesses is securing sensitive data. The best way to protect your business is to implement proper and robust security systems to safeguard personal information. This can be done through increased investment in strong and effective cybersecurity.

It is worth encrypting all personal data, while also continuously testing your business’s cybersecurity defence. Implementing strong firewalls, network-monitoring and anti-malware protections can help to combat against common threats from hackers.

There is an increased value on customers’ contact details and cybercriminals may be hoping to pounce on any security vulnerabilities. These businesses must understand that investing in strong cybersecurity can help in combating cyberattacks that may be coming their way in the next few months.

The legal and financial implications of a data breach can be crippling. The GDPR means that a business might be forced to pay a huge proportion of its profits in fines, and this does not take into account personal compensation customers could ask for.

The list of businesses that have fallen foul to a data breach is not short. Virgin Media, British Airways and Marriott Group have all been affected by data breaches in recent years, with the potential final cost reaching the billions. Airline EasyJet is one of the latest to be hit by a substantial cyberattack as well.

The past three months have been particularly tough on the hospitality industry and a data breach could be ruinous to any independent pub or restaurant that does not abide by the correct data protection regulations.

Customers of these venues should also be wary of the data they are giving away. Any business that breaches data protection laws must inform those affected. Once this happens, a breach victim may be entitled to claim compensation based on the distress caused by the loss of control of personal information. This could cost thousands of pounds per customer who claims. If fraud and monetary theft occur due to the loss of data, these costs may also need to be covered by the business.

The hospitality industry no doubt rejoiced in being told it would be able to open doors to customers again, but it cannot forget its data protection responsibilities as we emerge from lockdown. Providing security provisions and training staff on how to store data is critical if hospitality businesses are to safeguard information. If businesses fail to introduce these protective measures, they could see themselves having to pay huge fines in compensation to customers, and risk significantly damaging their reputation during a hugely important period of recovery.

Aman Johal, Lawyer and Director of Your Lawyers.


Catch the replays and discover the best talks from Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.