Inspired by a system used in New Zealand (which has experienced one of the lowest rates of infection in the world), the scheme requires pubs and restaurants to keep track of their customers so that they can be contacted quickly should they come into contact with a carrier of COVID-19. Personal details such as names, e-mail addresses and phone numbers should be taken in exchange for a reservation.
Whilst this is a step in the right direction for controlling the virus, it opens up a number of privacy concerns for businesses in the hospitality industry. Any pub, restaurant or eatery that collects personal data must comply with the GDPR. The other major concern is that the scheme turns the hospitality sector into a worthwhile target for cybercriminals, increasing the chances of businesses suffering targeted cybercrime.
Below, we have outlined our advice for complying with data laws, avoiding a data breach and keeping your organisation secure whilst operating in conjunction with the track and trace scheme:
Ensure employees understand your process and the implications of collecting and storing data
To comply with UK data laws, it is highly recommended that employees are trained in and aware of the GDPR. It is of the utmost importance that your employees understand the implications of collecting and storing data, and that you communicate your process for doing so clearly. If you suffer a data breach and need to report it, the first thing you will be asked for is your training records, demonstrating staff awareness and understanding of the GDPR.
We offer a low cost, fully managed GDPR Awareness E-learning course, perfect for bringing all of your employees up-to-speed with current GDPR legislation with a quick turnaround.
Tell people what you’ll do with their data
Ensure that your privacy policy is easily accessible, transparent and up-to-date. Put your privacy policy on your website. You should outline the forms of information you will be collecting (i.e. e-mail address and phone number), how and where it will be stored, how long it will be kept and what it will be used for. Be honest and clear about your intentions. Follow your policy closely to comply with data protection laws.
Use digital methods for collecting data
With so little time to prepare for this change, it might seem easier to turn to pen and paper for the short term to see you through. This is not a viable or secure solution. Paper records can easily be lost, stolen or copied without you even knowing. Cybercriminals will specifically target businesses using paper to record personal details.
The government has said:
“Many businesses that take bookings already have systems for recording their customers and visitors – including restaurants, hotels, and hair salons. If you do not already do this, you should do so to help fight the virus. We will work with industry and relevant bodies to design this system in line with data protection legislation, and set out details shortly.”
Only hold the data for the minimum requirement
Official government advice is to hold the temporary records for 21 days. To minimise any risk of this data being lost or stolen, we highly recommend that you implement a system which flags or automatically deletes records that are 21 days old.
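One way to build the flag-or-delete step described above, as an added example that is not part of the original article: it keeps visits in SQLite, lists records that have reached 21 days, and deletes them. The `visitor_log` table, its columns and the function names are hypothetical, and the guest rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=21)  # retention period from the guidance above

def open_store(path=":memory:"):
    """Open the hypothetical visitor_log table; collected_at is UTC epoch seconds."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = ON")  # zero out deleted rows in the file
    conn.execute(
        "CREATE TABLE IF NOT EXISTS visitor_log ("
        " id INTEGER PRIMARY KEY, name TEXT NOT NULL, phone TEXT NOT NULL,"
        " collected_at INTEGER NOT NULL)")
    return conn

def record_visit(conn, name, phone, collected_at):
    """Store one visit; naive datetimes are rejected so the cutoff is unambiguous."""
    if collected_at.tzinfo is None:
        raise ValueError("collected_at must be timezone-aware")
    conn.execute(
        "INSERT INTO visitor_log (name, phone, collected_at) VALUES (?, ?, ?)",
        (name, phone, int(collected_at.timestamp())))
    conn.commit()

def _cutoff(now):
    return int((now - RETENTION).timestamp())

def expired_ids(conn, now):
    """Flag: ids of records that are 21 days old or older at `now`."""
    rows = conn.execute(
        "SELECT id FROM visitor_log WHERE collected_at <= ? ORDER BY id",
        (_cutoff(now),))
    return [row[0] for row in rows]

def purge_expired(conn, now):
    """Delete: remove expired records and return how many were removed."""
    cur = conn.execute(
        "DELETE FROM visitor_log WHERE collected_at <= ?", (_cutoff(now),))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    now = datetime(2020, 7, 30, 12, 0, tzinfo=timezone.utc)  # constructed date
    conn = open_store()
    for name, age_days in [("Guest A", 22), ("Guest B", 21), ("Guest C", 20)]:  # constructed
        record_visit(conn, name, "07000 000000", now - timedelta(days=age_days))
    print("flagged:", expired_ids(conn, now))
    print("deleted:", purge_expired(conn, now))
```

Run `purge_expired` from a daily scheduled job; copies of the table held in backups or exports need the same 21-day limit.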
Protect yourself from targeted cybercrime with Security Awareness Training and Testing
Cybercriminals are likely to have businesses in the hospitality industry in their sights come the 4th of July when the track and trace scheme is introduced. Adapting to the new scheme does, unfortunately, open your business up to suffering a personal data breach. The most common ways a data breach can occur are through:
- Weak passwords
- Phishing e-mails
- Phishing websites
- Social engineering phone calls
- Social media
These methods have one thing in common: they are caused by an employee.
By improving your employees’ awareness of these types of attacks and implementing regular testing, you will be in the best position to avoid suffering a data breach.
We offer a fully managed Security Awareness Training and Testing service, trusted by thousands of organisations to train and keep staff vigilant.