Our customers include a number of the UK’s leading pub and restaurant management companies, and we have been discussing with them how they can most effectively support the UK Government’s data retention requirements for Covid-19 track and trace (see the Government Track and Trace Data Retention Guidance).

The Government stipulates that you should “keep a temporary record of your customers and visitors for 21 days, in a way that is manageable for your organisation”. This may be a simple requirement for single-venue pubs and restaurants, but how do you ensure this data is appropriately stored, protected and deleted when you have 100s of establishments across the country (and beyond)? This type of personal data is covered by the General Data Privacy Regulation (GDPR), and the implications of mismanaging it are significant.

I thought it would be useful to share some of the considerations and measures being taken to ensure the data is effectively managed.

There are already many instances of misuse of the track and trace data, either through employee ignorance of the privacy regulations or outright wilful abuse. Whether it’s companies using the data for marketing purposes, or serving staff personally contacting female customers through their contact details, there needs to be better control of this data.


It is important to remember that you not only have to gain consent to store data, but also state the specific purpose for which it will be used. The tweet above illustrates a pretty minor infringement, but we need the ICO to demonstrate a less passive and ineffectual approach to building awareness and policing businesses’ obligations under GDPR.

The ideal approach to meeting this Government requirement is for the data to be stored and managed centrally. This will enable appropriate encryption, access control and automated deletion processes. Whilst there is nothing that says the data can’t be held in a local paper-based bookings calendar (as traditionally has been the case for smaller businesses), deleting and restricting access to the data is difficult in these circumstances. Indeed, a corporate Data Protection Officer (DPO) would find it difficult to ensure compliance with GDPR.

The Government’s requirement for companies to store this data should be seen as an opportunity rather than an overhead. Leveraging strong data privacy practices as a company differentiator and demonstrating transparency with your customers on how their data is treated will be a great selling point at a time when the trading environment is extremely challenging.

Our customers, by the very nature of using eSpyder to manage their GDPR compliance, are among the very best companies in the UK for effectively managing personal data and minimising the cost of managing and reporting on compliance. Incorporating this temporary data retention requirement into their ongoing operations is easier than for a majority of companies. That said, now is the ideal time to get your Data Privacy operations fit for the most challenging trading environment in living memory.

Agility is going to be the key to survival, and this requirement, albeit minor, highlights how effectively managing the customer data you hold will be a critical success factor. Managing personal data can be time-consuming, costly and, frankly, not a core business activity. Reducing those costs and resource commitments whilst enhancing your company’s reputation with customers will greatly benefit the company’s business growth and profitability.

I would love to hear your thoughts or discuss your company’s situation. Please feel free to reach out to me.