Skip to main content

Ensuring your business is GDPR compliant post-lockdown

Ensuring your business is GDPR compliant post-lockdown
Click to enlarge
Ensuring your business is GDPR compliant post-lockdown
Siobhan Stirling - Sharp Minds Communications for Capital Space by Siobhan Stirling - Sharp Minds Communications for Capital Space
Owner/Director - Sharp Minds Communications Ltd

Since the outbreak of Covid-19 every business, small or large, has had to change the way it operates. Among the changes effected by the pandemic is the level of information now required to operate safely in the workplace – from taking the details of every customer who enters our premises to asking staff to certify their Covid or vaccine status. With restrictions now down to a bare minimum, it can be tempting to think that you can revert to the old ways of operating. But some of the pandemic changes are here to stay, and new ways of working mean rethinking data protection. We guide you through the steps you need to consider to keep GDPR compliant in the new landscape.

Updates to the GDPR rules

All data collected by any business is regulated by the Information Commissioner's Office (ICO). Since May 2018 it has been tasked with ensuring any data held by a business is stored and used within the legal boundaries. There are seven main principles concerning GDPR – and Covid-19 has affected each one:

  • Lawfulness, fairness and transparency : You need to consider how newly requested data from staff and customers or clients impacts on their notion of fairness, and be prepared to explain to them why it is necessary.
  • Purpose limitation: You need to ensure the information that you collect is used only for the means to which the data subject has consented and deems fair.
  • Data minimisation: You must also ensure the additional information you collect is what is required by the Government to aid Test and Trace and nothing more.
  • Accuracy : You have to be accurate in your collection methods to ensure in the event of Test and Trace being required the relevant people can be contacted.
  • Storage limitation: You must retain data long enough to satisfy the need of the Government/NHS Test and Trace, but no longer.
  • Integrity and confidentiality (security): All members of staff must understand the sensitivity surrounding the data they are obliged to collect from customers and feel confident handling such information. Additionally, you need to make sure staff feel confident when they are obliged to provide additional information regarding their health directly to you.
  • Accountability: As a business owner, you are accountable for correct GDPR practices and guaranteeing that other members of staff involved in data collection are fully informed of their personal responsibility to uphold GDPR regulations.

Although the ICO has been more lenient in these unprecedented times, it is key to ensure you are still compliant, especially considering the additional information your business now retains. So what does this look like in practise?

GDPR and data about your business customers

Many businesses are now required to take customers’ details to ensure NHS Test and Trace can continue to reduce transmission of the virus – and, despite controversy over ‘pingdemic’, it looks likely that this will continue for some time. The data you are likely to collect includes name and contact details, whether that be phone number, email address or postal address; arrival time should also be recorded and, where possible, departure time.

The hospitality, tourism and leisure industries, close-contact services, community centres and village halls must request details of all visitors (with limited exceptions, such as those under the age of 16 or with insufficient mental capacity to do so). In addition, they must also keep records of the assigned staff member and the venue’s staff shift patterns. This enables the right people to be identified if there is a recorded Covid-19 case.

Information such as time of arrival, names and contact numbers are a normal request when booking at most restaurants or salons, but extending this to walk-in customers takes it to a new level.

You also have to make sure that your log of customers’ personal details is kept secure and out of public reach; if the log is a digital document, a strong password is vital. It’s also vital these details are not used for any other reason and should be kept entirely separate from any marketing lists.

To comply fully with GDPR these details should only be stored for a finite amount of time. The responsibility of protecting this data should be clearly outlined, including the importance of storing it for 21 days (allowing 14 days for incubation and a further seven for NHS Test and Trace to be completed). After 21 days these details should be disposed of in a responsible manner, for example by shredding the data. It’s important that enough members of staff are fully trained in this to ensure consistent compliance, particularly if your staff work shifts.

Although most people have become accustomed to giving their details with the reopening of the economy, making sure that staff understand what information they have to collect and why equips them with the right response if a customer challenges them, as well as ensuring you have confidence in your compliance with both the Government rules and GDPR.

GDPR and staff details

The nature of the pandemic and its effect on the general health of the population has a direct impact on the sensitivity of the information your business now needs to operate responsibly.  Employees are keen to get back to the office; it has been a period of isolation and the resumption of normal life is something that many are looking forward to.

However, there will be some who are not as confident, especially those who have been shielding or who live with a vulnerable person. Therefore,  it becomes vital to assess the situation of employees, in terms of both their mental and physical health; this information is sensitive and so it’s important to treat it with significant consideration. Reassuring staff you will be treating it confidentially and only using it in the current, unusual situation should encourage them to be more comfortable discussing their personal circumstances. It’s also important to note that you minimise the data stored to what is necessary for you to reduce any risks and to store it securely.

A complication may arise if a member of staff has legitimate reasons for requesting a different work pattern from colleagues, for example continuing to work from home as other staff return to the office. Expert HR advice may be sensible to help you navigate your way through your need to respect individual confidentiality but also engage and communicate with your team so they are all on board with your reshaped business.

Ultimately GDPR is put in place to protect us all. Similarly the need for additional information at this point is driven by the need to protect everyone from the direct threat of Covid-19 and all of the intricacies that continue to come with it. By communicating this clearly with staff and customers, everybody will feel safer and more protected, both from the virus and data breaches.

To find out how Capital Space could benefit your growing business,
call 0800 107 4667 or email