The following is a contributed piece written by Tom Dryden of McGill & Partners.
As of July 04, pubs, restaurants, bars and a number of other businesses across the UK have been permitted to re-open their doors after months of forced closure. The next phase of the UK government’s plan to return the country to some sort of normal will be a huge relief to business owners and pub punters nationwide, although it will not be without its significant challenges.
Among the number of COVID-19 safety guidelines that these businesses will be required to adopt, the government has requested that the contact details of customers and visitors are recorded and retained for 21 days to assist with the UK’s contact-tracing efforts. This is important, but it brings with it several data protection headaches for the hospitality and retail industry.
The government announced that it would “work with the sector to make this manageable”, meanwhile the Information Commissioner’s Office (ICO) said that “key data protection principles must be considered so that people’s data is handled responsibly”. Government guidelines on how to properly approach this additional data protection burden have been released, while the ICO has reminded companies of their obligations to abide by the GDPR’s core principles by releasing six key data protection steps for organisations recovering from COVID-19.
There are obvious data protection pitfalls for businesses, many of which will not be used to collecting and handling such a volume of customer data. There is a distinct worry that staff will be improperly trained in how to collect and handle customer contact information, and the rush for businesses to adopt third-party applications to manage the collection and storage of data may come with hasty configuration or security flaws.
The fears of the hospitality sector are not without precedent: a Subway sandwich employee in New Zealand was suspended after a woman from Auckland alleged that he had used the contact details she left in store to approach her on social media, by email, text message and phone.
It is easy to foresee the potential scope of the problem for chains of pubs and restaurants. Should UK organisations fall foul of their data protection obligations, they may find themselves facing two areas of potential liability under the GDPR: regulatory action by the ICO; and private claims for compensation by individuals for damage or distress caused by a breach or misuse of data.
What are the implications for my cyber insurance if I have to adopt new customer information practices?
In short: very few, hopefully. A well-drafted cyber policy should include coverage not just for a breach of customer data, but also broader data protection considerations such as wrongful collection or handling of customer information. If you are a customer-facing business approaching the renewal of your insurance, you will likely face additional scrutiny and questioning from underwriters around some of the practices you are adopting to ensure the safe collection, handling and retention of customer information. It is also worth clarifying that the government guidelines stipulate that businesses “should” rather than “must” adopt the new track and trace practices.
Those businesses adopting new track and trace protocols should:
- Carefully consider the method by which you collect and store customer contact information. Where possible, use a third-party booking application such as OpenTable or Quandoo rather than pen-and-paper forms. Third-party applications bring their own security and operational considerations, however, and may not be practical in all cases.
- Consider rolling out additional staff training on your obligations around the collection and handling of customer information.
- Ensure you have implemented a strict data retention policy that maps out a process to delete collected contact information following the expiry of the 21-day window. Also consider a sunset procedure to phase out the practice at the end of the crisis.
- Check the language of your cyber insurance policy. A good wording will already include cover for wider breaches of data protection legislation, including wrongful collection, processing or retention of data, and not just disclosure of personal data. However, not all cyber policies are created equal. There are a number of forms in the market whereby data protection liability coverage is triggered only by an actual or suspected breach of data, and some even include explicit exclusions for wrongful collection, or limit coverage by craftily constructed GDPR “extensions”. Work with your broker to ensure you have language that adequately addresses your increased data protection risk.
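The retention and sunset points above are the part of this list that can be enforced mechanically rather than left to staff memory. The following is an added illustration, not code from the author or from McGill & Partners, of what a scheduled purge job for a contact-tracing register might look like: records older than the 21-day window are deleted, everything is deleted once a sunset date is reached, and the audit trail of what was deleted holds only record ids, never the contact details. The record layout, the `utc` helper and the sample customers are all constructed for the example.

```python
"""Retention enforcement for a contact-tracing register (hypothetical example)."""
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 21  # retention window from the UK guidance discussed above


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (helper for samples and tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _require_aware(ts):
    # A naive timestamp is ambiguous around the retention boundary
    # (BST vs UTC), so refuse it rather than guess.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts


def is_expired(collected_at, now, retention_days=RETENTION_DAYS):
    """True once the full retention window has elapsed (inclusive at the boundary)."""
    age = _require_aware(now) - _require_aware(collected_at)
    return age >= timedelta(days=retention_days)


def enforce_retention(records, now, sunset_at=None, retention_days=RETENTION_DAYS):
    """Return (records_to_keep, audit_log).

    records:   list of dicts with at least 'id' and 'collected_at' (aware datetime).
    sunset_at: optional aware datetime; at or after it every record is deleted
               regardless of age (the end-of-scheme sunset procedure).
    The audit log carries only ids and reasons, so it can be kept after the
    personal data itself has gone.
    """
    now = _require_aware(now)
    scheme_ended = sunset_at is not None and now >= _require_aware(sunset_at)
    keep, audit = [], []
    for rec in records:
        if scheme_ended:
            audit.append({"id": rec["id"], "action": "deleted", "reason": "sunset"})
        elif is_expired(rec["collected_at"], now, retention_days):
            audit.append({"id": rec["id"], "action": "deleted", "reason": "retention_expired"})
        else:
            keep.append(rec)
    return keep, audit


# Constructed sample data (not real customers); times are UTC.
SAMPLE_RECORDS = [
    {"id": 101, "name": "Sample Customer A", "phone": "07000 000001",
     "collected_at": utc(2020, 7, 4, 19, 30)},
    {"id": 102, "name": "Sample Customer B", "phone": "07000 000002",
     "collected_at": utc(2020, 7, 10, 12, 0)},
    {"id": 103, "name": "Sample Customer C", "phone": "07000 000003",
     "collected_at": utc(2020, 7, 25, 18, 0)},
]


if __name__ == "__main__":
    # Exactly 21 days after record 101 was collected: it is purged, the rest stay.
    kept, log = enforce_retention(SAMPLE_RECORDS, utc(2020, 7, 25, 19, 30))
    print("kept:", [r["id"] for r in kept])
    print("audit:", log)
```

Run it as a daily scheduled task against the live register; the boundary is inclusive, so a record collected at 19:30 on 4 July is gone on the 19:30 run on 25 July. Passing a sunset date turns the same job into the phase-out step, and because the audit log never contains names or phone numbers it does not itself become another copy of the personal data.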
While the ICO appears sympathetic to the data protection challenges faced by organisations in responding to the COVID-19 outbreak, there are certainly a number of thorny privacy issues that re-opening businesses face. If your pub or restaurant chain has done well to last through a global pandemic, a subsequent ICO investigation may just be a step too far!
Tom Dryden, Partner, Financial Lines, McGill and Partners
Tom Dryden and Noona Barlow from McGill and Partners will be joined by a panel of experts including Mark Camillo, Head of Cyber, EMEA – AIG and Ben Hobby, Partner - Baker Tilly for a webinar, ‘Navigating the cyber insurance labyrinth’, at 2.00pm BST, July 22, 2020. To sign up to attend visit: https://mailchi.mp/mcgillpartners/cyberwebinar
The contents of this publication, current at the date of publication, are for reference purposes only and set out the views of the author. They do not constitute legal advice and should not be relied upon as such. Specific advice about your particular circumstances should always be sought separately before taking any action based on this publication.