Blog, news & updates

Tracking and tracing? Are you complying with the GDPR?

With the Government asking Hospitality and Retail businesses to help them track and trace the spread of the Coronavirus through recording of customer details, businesses will still have to make sure that they are following and complying with the GDPR. But just how easy will it be to do that? 

GDPR Compliance when tracking and tracing

What sectors does this guidance apply to? 

  • hospitality, including pubs, bars, restaurants and cafés
  • tourism and leisure, including hotels, museums, cinemas, zoos and theme parks
  • close contact services, including hairdressers, barbershops and tailors
  • facilities provided by local authorities, including town halls and civic centres for events, community centres, libraries and children’s centres
  • places of worship, including use for events and other community activities

What information do they need to collect? 

For staff: 

  • the names of staff who work at the premises
  • a contact phone number for each member of staff
  • the dates and times that staff are at work

For customers and visitors: 

  • the name of the customer or visitor. If there is more than one person, then you can record the name of the ‘lead member’ of the group and the number of people in the group
  • a contact phone number for each customer or visitor, or for the lead member of a group of people
  • date of visit, arrival time and, where possible, departure time
  • if a customer will interact with only one member of staff (e.g. a hairdresser), the name of the assigned staff member should be recorded alongside the name of the customer

What are businesses doing? 

For a quick win, many businesses have turned to existing booking/recording technology that's already out there, apps such as 'Time to Spare' and '' help venues easily and quickly record customer information all in a 'fully GDPR compliant manner'. 

Others are using booking systems or electronic forms to store customer information. 

The main point is...

It all has to be done within the rules of the GDPR

Here are some tips: 

  • Don't take irrelevant information. You only need to take things like names, contact numbers, date of visit and arrival/departure times. 
  • If possible, try to use one of the apps mentioned above that store information safely. 
  • Avoid using pen and paper. Not only will you have to type it all up at a later date, but you also run the risk of misplacing or losing it. 
  • Train all staff with simple, but effective GDPR training that provides certificates. 
  • Do not use the information collected for anything other than sharing with the NHS test and trace, if requested. Using this information for, let's say, marketing, would be a breach of the GDPR. 
  • Only store the information for 21 days. 
  • If a customer wishes to not share their information, they can opt-out. 

The easiest way to comply? 

The easiest way to make sure that your staff are complying with the GDPR when collecting, storing and processing customer information, is through iHASCO's GDPR Training

In just 35 minutes your staff will have a thorough understanding of the key principles of the GDPR. They'll understand how to handle data with integrity and confidentiality and understand how it affects their role.  

We've now delivered over 400,000 training sessions on the GDPR and we also have a refresher course that can be completed in just 15 minutes for those who already have an understanding of the GDPR.

Try our GDPR Courses for free today or request a quote and we'll be in touch.

GDPR Training
Chat with us!