GDPR for restaurants

My Restaurant and GDPR: What Do I Need To Pay Attention To?

As a new regime of data protection and privacy laws (GDPR) sweeps across Europe, business owners now have an added weight on their shoulders: not breaking the law.

To put it simply, the General Data Protection Regulation (GDPR) is a recently launched law designed to protect the personal data of European Union (EU) citizens. As a means of achieving this objective, the law places a heavy responsibility on businesses to take active measures to eliminate the possibility of data breaches.

Preparatory measures undertaken in the past few months alone have changed the way business activity is carried out. Now that the law has finally taken effect, which parts of a restaurant’s business will it affect the most? Our blog this week examines this.

What are the changes caused by GDPR?

First off, an understanding of the overall changes wrought by the GDPR is essential to understanding how your business activity is likely to be affected going forward.

Designed to harmonise the laws across the EU, the GDPR makes several key changes to the law pertaining to data security and customer privacy. Overall, these include:

Increased territorial scope

Basically, all companies processing the personal data of subjects residing in the EU must comply with the regulation. Thus, whether you reside in the EU or not, if your business meets this criterion, measures to ensure compliance must be taken.

Heavy penalties

The penalties given effect by the regulation are particularly onerous and are meant to be that way. Organisations in breach can expect to pay up to 4% of their annual turnover or €20 Million, whichever is greater. This is reserved for the most serious of breaches.

If, for instance, you fail to notify the supervisory authority or your own customers about a breach, or fail to conduct an impact assessment, you could be charged a lesser 2% of annual turnover. The penalties thus take a tiered approach to GDPR breaches.

Consent laws

All things considered, the most rigorous change is in the area of consent-related permissions. Companies can no longer hide behind unnecessarily complex legal language when obtaining customer consent. An easy-to-understand form must now be shared with the customer, outlining the specific purposes for which data is collected. The option of withdrawing consent must also be given.

Apart from these, there is a whole range of data subject rights that are altered by the new law, which addresses, among others, aspects such as breach notification, the right to be forgotten, and data portability.

Which parts of my restaurant are affected by the GDPR?

As a restaurant, gathering data is required to stay relevant and competitive. Data is therefore gathered for a variety of purposes and used in different ways. Areas which will now require your special attention include:

Online ordering platforms

If your restaurant allows customers to order food online, it’s important to take stock of what kind of data you’re collecting and how you’re storing it. It is important not just to ensure that this is done in a coherent and systematic manner, but that the relevant permissions are obtained and that your systems are capable of protecting such data.

Online booking systems

Similarly, if you allow guests to make reservations through your website, the information, no matter how trivial it may seem to you, must be protected against external attack. Further, if you’re using third-party applications for this purpose, it remains your responsibility to ensure that such software is GDPR compliant.

Email newsletters

If you’re engaging with your customers via email, measures need to be taken to ensure that the data from emails is stored securely and that customer data and privacy are protected in every email. Before this, however, it is equally important to ascertain that you reach out only to customers who have signed up for the newsletter in the first place, and that they have the option of unsubscribing with ease.

Online store

If you’re selling products from your restaurant online, such as branded coffee, snacks, and the like, care must be taken with the way you gather customer data and how you use it. Above all, ensuring that your customers know exactly how their data will be used, by providing this information at the point of collection, is crucial.

Restaurant WiFi

It really seems like there’s almost no area free of GDPR influence.

If customers are signing in to your restaurant’s WiFi, pertinent questions you must ask yourself include: how is this personal data collected, how is it stored, and how is it used? These concerns must be addressed before such services are offered, given the new GDPR environment in which you operate.

Loyalty Schemes

If your loyalty scheme has been digitised and involves the use of personal customer data, steps need to be taken to ascertain that you’re processing information in a way that keeps data secure, both in terms of storage and of explicit customer consent. Make sure your customers are also informed of what types of data are collected and how these will be used in the future for business activity.

Key Takeaways

Understanding how your business’s operations are likely to be affected by the recently launched data protection regulation makes it easier for you to take the measures necessary to ensure compliance.

Staying on the right side of the law has never been so crucial to a restaurant’s success. Beyond the monetary aspect, respecting data laws aimed at protecting consumers gives the public the assurance that they’re dealing with the right type of business.

Contact us at eposEX for more on how we can help your business through our range of EPOS devices and services. Helping you remain GDPR compliant, post-purchase, is all part of the deal.
