By Robert Cohen, barrister at 5 Essex Court (

As if COVID-19 had not already made life hard enough for the hospitality industry, recent news stories have high- lighted that businesses may also be running a GDPR risk. In particular, reports indicate that the operators of Wagamama have been reported to the Information Commissioner (ICO) because of their handling of test and trace data.What then is the law on this issue, and should businesses be worried?

The GDPR, of course, applies to all companies or people processing personal data. Businesses are likely to already have policies in place to address it. But those policies may need to be updated in the light of COVID-19. Collecting and storing

the names and addresses of customers does involve ‘processing’ their personal data.All such processing must be carried out in a way that complies with the GDPR. Of course, many businesses have sub-contracted the means by which they collect contact tracing details to other companies.This is fine, but it does not mean that the GDPR issues go away: the original business is still required to comply with the law.

Anecdotal evidence suggests that some organisations have treated the names and addresses that they now hold as being a marketing windfall: an opportunity to get to know their customers and to tailor PR opportunities.This is really dangerous for the businesses concerned. It may get them on the wrong side of a hefty ICO fine or lead to court action.The GDPR says that when a business processes personal data it must do so “lawfully, fairly and in a transparent manner”. Such businesses must also make sure that personal data is “collected for specified, explicit and legit- imate purposes and not further processed in a manner that is incompatible with those purposes”. It is a breach of these principles for a company to say that they are collecting personal data for contact tracing and then to use it for marketing. Doing so is not ‘fair and transparent’ and involves collecting data for a legitimate purpose and then using it ‘in a manner that is incompatible with’ that purpose.

The possible issues do not end there. Data Controllers should be able to explain the lawful basis that they have for collecting personal data in the first place. Unfortunately, answering this question will depend where the business is located in the UK: each of the Home Nations has adopt- ed slightly different requirements. However, it will usually involve businesses being able to explain that they are required by law to collect the data or that they are collecting it for the purposes of legitimate interests that they are pursuing.

It is also unlawful for a business to collect more personal data than is required or to retain the data that they collect for more than a limited period. Still more risks arise from security: any personal data that is collected must be stored in a secure manner.

The ICO are aware of this issue and have issued guidance on the subject.That guidance, which is available on the ICO website , sets out a number of helpful suggestions. For instance, it indicates that contact tracing data should not normally be retained for more than 21 days.The ICO are likely to be understanding of isolated errors. But they will be much less tolerant of businesses which try and feed the data they collect into their marketing efforts: the regulation of electronic marketing is an area in which the ICO have always taken a robust approach.

Is there a way round this? It is true that if a customer is given a completely free choice they can consent to their personal data being stored for a longer period and for marketing purposes. However, the ICO have regularly reminded companies that this must be a genuinely free choice. It is not acceptable to tick the consent box in advance, or to require individuals to opt out. It should also be de-coupled from the contact tracing process so that it is easy to provide contact tracing details with- out agreeing to marketing.

The last thing that anyone needs at the moment is further costs and problems associated with COVID.The easiest way to avoid GDPR issues is by insulating contact tracing data from the rest of the business.