Say a U.S. based quick-serve restaurant opens a new location in France. That restaurant is now held to the policies set forth in the GDPR, despite it being headquartered in the United States. In fact, many restaurants operating in both the U.S. and the EU are working towards universal privacy compliance, given impending new domestic privacy regulations and on-going requirements of the GDPR.
But what about restaurants operating outside of the 28 EU member states? It may be assumed that U.S. restaurants without stores in the EU, especially those operating out of a single location, can simply disregard the GDPR entirely-—but this may not be the case. Because the GDPR aims to protect the data of EU individuals, regardless of where they are, U.S. restaurants that regularly serve individuals from the EU may be required to comply if they are collecting personal information. This is particularly relevant to restaurants that operate out of tourism hotspots across America, such as New York City or Las Vegas. Those that regularly retain the personal data of EU individuals, through things like credit card payments and loyalty programs, must handle that data with a process that aligns with GDPR standards.
The GDPR’s impact was felt around the world, and lawmakers everywhere are considering how they can modernize their data protection practices. Noncompliance with policies, procedures or misuse of personal data can have hefty legal, reputational and financial consequences. With such stiff penalties—four percent of annual revenue or €20 million, whichever is greater—restaurant operators will need to go beyond simply checking the box and truly make an overall commitment to responsible information governance and data privacy.
At the same time, balancing EU and U.S. data privacy regulations could prove challenging for restaurants, particularly as regulations continue to evolve. For example, the California Consumer Privacy Act will become effective in 2020, requiring Californian restaurants to provide information on how customer data is being used and imposing restrictions on data sharing for commercial purposes. A thorough assessment of risk exposure to current and upcoming data privacy laws can help restaurants be prepared to implement necessary changes.
How can restaurants implement an effective GDPR program?
The GDPR seeks to enforce the expanded data privacy rights of individuals in the EU and in doing so requires adequate protection from businesses both within and outside of its borders. In other words, if your restaurant deals with the personal data of individuals in the EU in any way, then the GDPR likely applies to you.
How it applies to you depends on whether you are a “controller” or “processor” of EU personal data. Controllers determine data processing goals and make decisions on how personal data will be used, while Processors collect, store and process personal data based on instructions from the Controller. In many cases, restaurants act as both. See below for more details on the obligations of both role under GDPR.
GDPR compliance needs will vary between restaurants, based on how well their business activities support the expanded personal data privacy rights of individuals in the EU. Enacting an effective GDPR program could prove to be particularly complicated for franchised restaurants, especially those who have an array of customer touchpoints across channels. These multiple touch points range from point-of-sales, to e-commerce and loyalty programs, as well as mobile applications, kiosks, ERP systems and even e-mail.
For starters, restaurants should consider some common questions when it comes to implementing their data privacy program, including:
- If a data subject wishes to delete their data, how will I locate their personal data? How will the company decide what can be deleted and what is required for regulatory or legal retention purposes?
- If a consumer data subject wishes to gain access to their personal data, what can the company provide to them? What format will it be delivered?
- What personal data does the company retain and for how long?
- Do we work with vendors that are provided access to consumer data?
- Do we have employees that may make data subject requests and does the company understand how to address those requests?
- Can the company meet the 30-day deadline? Will 60-day extensions be requested?
Data subject requests are by far one of the most complicated aspects of complying with the GDPR because consumers want to know:
- How their personal data is protected.
- Where their data is located, and who has access to it.
- How to correct personal information.
- Whether the company has consent to use or share their personal data.
Overall, GDPR requires that businesses, including restaurants, take a holistic approach to privacy governance. Keep in mind that GDPR was established with the understanding that data privacy will continue to evolve, and the enforcement of personal data privacy rights will need to change accordingly. Even U.S. -based restaurants without EU locations must be prepared to protect customer data through comprehensive privacy programs, with the goal of driving a culture of data privacy and protection throughout the company. Restaurants who both confirm their current policies address GDPR requirements and establish robust, responsive data privacy philosophies will be best equipped for the new era of data privacy.
If you have any questions about how GDPR can affect your restaurant, contact Mark Abrams at 404-874-6244 or fill out the form below.
Copyright © 2018 BDO USA, LLP. All rights reserved.