*Reassuringly dull cyber security e: info@normcyber.comt: +44 (0) 203 855 6215

Data protection headache for Hospitality & Leisure sectors


How compulsory data collection rules for the hospitality & leisure sector could cause data protection headaches for some.

The government has introduced new rules (which came into effect on the 24th September) that apply to restaurants, cafes/canteens, bars and public houses/pubs, clubs, hotels, museums, leisure centres, and close contact physical services like hairdressers and sports therapists. The effect of these rules is that these businesses are now legally required to obtain the contact details of customers, (previously, this collection was only encouraged).

From a data protection perspective, these new rules* mean that:

  • signage/privacy notices must be updated
  • A QR Code must be displayed “in an appropriate place” so that visitors with smartphones can scan the code to “check in” if they have downloaded the government’s new contact tracing app
  • Contact details must be obtained from staff, customers and other visitors/guests. The government has set out exactly which details must be requested. Organisations must ask for name, contact telephone number (failing which contact e-mail address, failing which postal address – in that order), and date and time of entry. The exceptions to this are when the individual concerned has scanned the QR code, or the organisation has reason to believe that they can’t do that for disability/health reasons, or that they are under 16 years of age.
  • Organisations are legally obliged to refuse entry if the information requested has not been provided or it has reason to believe that the information is incomplete or inaccurate (this obligation applies only to the hospitality sector, not leisure/tourism, etc.).
  • Organisations must securely retain the above details for 21 days (the same period as before, but now enshrined in law), and destroy them as soon as reasonably practicable after that. (Meanwhile, they must provide the information to relevant authorities if so requested “as soon as reasonably practicable”).

*this list is not a comprehensive.

Failure to do any of the above without reasonable excuse is a criminal offence punishable on summary conviction by a fine, and directors/officers could also be criminally liable if the failure was with their connivance/consent or due to their neglect.


Many organisations will, understandably, struggle to understand and comply with these rules. Failure to do so will mean that police officers are empowered to issue “fixed penalty notices” for these failures of £1,000 for the first offence, but increasing in tiers of £1,000 up to £4,000 for the fourth or further offence.

However, in addition, failure to process the names, contact telephone numbers, e-mail/postal addresses – all of which is personal data – in accordance with the GDPR will expose organisations to the risk of fines or other enforcement action by the ICO, causing a real data protection headache for the hospitality & leisure sectors. It is therefore essential that all organisations affected by these rules understand their legal obligations under data protection law.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group