Staff and customers’ data must be safe

In the second part of his article on GDPR, lawyer Stephen Connolly details the various ways licensed trade businesses must look after personal data

There are a number of areas where GDPR applies to the trade, including personal data about licence holders

WHILE the General Data Protection Regulation (GDPR), which became law in the UK in May, to a large extent simply reiterated the law as it previously stood, a number of new obligations were introduced.

For the licensed trade, these obligations include:

• Holding required statutory information about personal licence holders: The Licensing (Scotland) Act 2005 requires that a personal licence holder (PLH) must be appointed for any premises which sell alcohol.

Holding personal data about the PLH will clearly be required to allow the data controller (ie. the licensee/organisation) to comply with its legal obligations. As such, there will be a legitimate basis for organisations to hold and process such data.

• CCTV: CCTV is always a tricky issue. A person’s image will be personal data. Again, an organisation must have a legitimate reason for using CCTV footage and it must be used appropriately (useful guidance can be obtained from the Information Commissioner’s Office website).

Most obviously, CCTV will be used for security purposes. This would be a legitimate basis to hold and process data obtained by a CCTV system.

However, the use of CCTV should not go beyond what is required to allow for the security of the establishment and should be confined to use in public places.

It is also important to ensure any footage obtained is not held for longer than is necessary and is not accessible to third parties without legitimate cause.

• Sign-in books for private members’ clubs: The Licensing (Clubs) (Scotland) Regulations 2007 require clubs to keep a book setting out where a non-member of the club is supplied with alcohol by the club (where no occasional licence is in effect).

The book must record the date the alcohol is supplied, the name and address of the guest and the name of the accompanying member.

Again, the GDPR does not trump clubs’ obligations to keep a guest book and it is important that the rules laid down in the regulations continue to be adhered to.

• Marketing: A significant amount of marketing for pubs, clubs and hotels is done by way of emailing promotional materials to (potential) customers.

In the vast majority of cases, the only way a business can lawfully do this so as to comply with the GDPR is by having the data subject’s consent to hold the required personal information (name; email address).

The GDPR introduced more stringent rules on obtaining consent: it must be positively given by the data subject and it must be made clear to them what they are consenting to.

Any email sign-up form must allow for the data subject to positively agree to receive marketing communications; pre-ticked boxes providing for this are no longer permitted.

Where consent is given for one purpose, an organisation cannot rely on that consent for another purpose. So if an email address is requested from a customer to issue a receipt, that email address cannot then be used to issue marketing emails, unless the data subject has expressly consented to this.

In the same way consent can be given, it can be withdrawn, so if any data subject asks to be removed from a mailing list and for their data to be deleted by the organisation, this must be done and no further emails sent.

The above deals only with whether or not an organisation has a legitimate basis to hold and process the types of personal data discussed.

However, this is a starting point for GDPR obligations and other duties will come into play if/once a legitimate basis has been established:

• the need to issue a privacy statement to data subjects advising them of the personal data which is held and the use to which that will be put;

• the need to ensure personal data is only held for as long as it is required to fulfil the legitimate reason being relied upon;

• the need to ensure that the data is held and stored securely;

• the need to ensure that the personal data held remains accurate; and

• the need to ensure the data subject’s other rights under the GDPR are observed (eg. the right to make a subject access request; the right to erasure of data, etc.).

• Stephen Connolly is a partner at Glasgow legal firm Miller Samuel Hill Brown.