GDPR compliance for UK hospitality in 2026


Written by Shaun Mcmanus
Pub landlord, SaaS builder & digital marketing specialist with 15+ years experience

Last updated: 11 April 2026


GDPR has been law in the UK for nearly eight years now, yet most pub operators are still handling customer data in ways that breach it without realising. You probably think compliance means ticking boxes on a form—it doesn’t. It means understanding exactly what personal data you’re collecting, why you’re collecting it, who can access it, and what happens when you close the doors for good. If you run a pub in the UK, you’re a data controller, which means you have legal responsibility for every customer email, phone number, staff record, and payment detail that passes through your business. The good news: compliance doesn’t require expensive consultants or complex systems. It requires clarity, consistency, and the right processes. This guide covers what GDPR actually means for your pub, which data matters legally, and the practical steps to stay compliant in 2026.

Key Takeaways

  • Every pub is a GDPR data controller and must have lawful reason to collect and store any personal data, including customer contact details and payment information.
  • The most common GDPR violation in pubs is keeping customer data longer than necessary—email lists from five years ago, old loyalty card records, and archived till systems all create legal exposure.
  • Staff privacy is separate from customer privacy: you need written data processing agreements with any third party handling employee records, including payroll providers and scheduling software.
  • A data breach must be reported to the ICO within 72 hours if it poses a risk to individuals, regardless of whether you think it’s serious—the pub that doesn’t report is breaking the law more than the one that does.

What GDPR Means for UK Pubs

GDPR is not a regulatory suggestion. It’s law in the UK and enforced by the Information Commissioner’s Office (ICO). The most effective way to understand your GDPR obligation is to recognise that any information that identifies a specific person—their name, phone, email, address, payment card, or even IP address—is personal data, and you are responsible for it.

What makes it binding on you is lawful basis. You cannot collect someone’s email address just because they gave it to you once. You need a legitimate reason: they opted in to marketing, they requested a booking, they’re your employee, or you’re fulfilling a contract. That’s lawful basis. Without it, you’re storing data illegally.

The second thing most pub operators miss is the right to erasure—the right to be forgotten. If a customer asks you to delete their data, you must do it within 30 days. If you can’t delete it because your till system doesn’t allow it, that’s your problem, not theirs. Many pubs find this out when an old regular rings up and demands to be removed from the email list—then discovers the email list is lost in a spreadsheet from three systems ago.

As a practical example: when I was selecting systems for Teal Farm Pub in Washington, Tyne & Wear, data retention was a non-negotiable requirement. We needed to know exactly where customer data lived, how long it stayed there, and how quickly we could delete it. That forced clarity alone prevented what would have been months of GDPR headaches later.

The penalty for breach varies. The ICO can issue fines of up to £20 million or 4% of global turnover for the most serious violations. For a small pub, that’s unlikely. But a breach notice goes on your record, damages reputation, and may prevent you getting insurance. It’s worth doing right.

Which Customer Data You’re Actually Collecting

Customer data collection in pubs happens in five places: email signup forms, loyalty schemes, phone reservations, card payments, and WiFi logins. Most pubs handle these without realising they’re becoming a data controller for each one.

Email lists and marketing

This is where most breaches start. You collect emails for a quiz night mailing list, run a summer promotion, then never clean up the list. Five years later, you’re still storing names and email addresses of people who never opted in to general marketing—they only wanted to know about one event. That’s a breach.

The rule is simple: you must have explicit consent to email someone, and they must be able to unsubscribe in one click. If you’re using a spreadsheet instead of proper email software, you’re not compliant. A spreadsheet won’t give unsubscribe functionality. If you’re using an email provider, they should handle GDPR for you—but you still need to check your data retention. How long does that provider keep deleted emails? Where are backups stored?

Loyalty schemes and rewards

Loyalty cards, phone number entry for discounts, digital membership schemes—all of these require explicit consent to store the data. If a customer gives their phone number to save 50p on a round, they haven’t given you permission to text them about upcoming events. You need separate, active consent for each purpose.

Many pubs use third-party loyalty platforms. Those providers should have a Data Processing Agreement (DPA) in place with you. If they don’t, you shouldn’t be using them. Ask them for it. If they won’t provide one, they’re not GDPR-compliant, and neither are you by association.

Reservation and booking data

Phone reservations, event bookings, private function enquiries—all create data. You’re storing names, phone numbers, sometimes addresses or dietary requirements. The lawful basis here is straightforward: you need the data to fulfil the booking. But what happens after the event? Delete it. If you keep it in case they rebook next year, that’s not lawful basis—that’s hoping for future business. Keep it only as long as you need it.

Payment card data

This is critical. If you handle card payments, you must be compliant with both GDPR and PCI DSS (Payment Card Industry Data Security Standard). Never store full card numbers. Never. Your payment processor should handle all card data. You should only see the last four digits in your till records. If your EPOS system is storing full card details, you’re breaching both at once.

When evaluating pub EPOS systems, always ask: where does card data go? Does it tokenise (mask) the card number? Is payment processing handled by a PCI-compliant third party? If the EPOS provider stores the card, don’t use it.

WiFi login data

Offering free WiFi in your pub is great for customers. But capturing email addresses at login? That’s data collection. You must tell people what you’re collecting, why, and how long you’re keeping it. Most WiFi systems have a privacy notice built in—use it. And delete that data regularly. You don’t need customer WiFi logins from three years ago.

Staff Records and Privacy in the Workplace

Staff data is separate from customer data and requires separate safeguards because employment creates additional privacy expectations. Your employees have a right to privacy in their employment records, and they have rights over their personal data even though you’re their employer.

What data you can legally keep

You need: name, address, phone number, email, emergency contact, tax code, national insurance number, payroll records, and disciplinary history for your own records. That’s it. Anything else—medical records, social media checks, personal references beyond what you need—needs consent and a clear reason.

Many pubs ask for more data than necessary during hiring. Asking for a Facebook profile link? That’s unnecessary. Keeping a photo on file longer than the employment term? Probably unnecessary. Storing handwritten notes from conversations that later become disciplinary? That creates a trail of evidence you might not want.

Payroll and third-party providers

If you use payroll software, a scheduling system, or an HR platform, you must have a Data Processing Agreement (DPA) with that provider. The provider becomes your data processor. They’re handling staff data on your behalf, and you remain responsible if they mess up.

Check your contracts. Many payroll providers don’t automatically include a DPA—you have to request it. If they won’t provide one, they shouldn’t be handling your staff data. This is especially important when managing 17 staff across front of house and kitchen as I do at Teal Farm. The sheer volume of records means that a single breach could expose dozens of people. Using a provider without a DPA leaves you exposed.

Disciplinary and grievance records

Keep these. But with a time limit. After an employee leaves, you can keep records for up to six years for legal protection (unfair dismissal claims). After six years, delete them unless there’s a specific legal reason not to. Don’t keep records indefinitely.

CCTV in the workplace

If you have CCTV covering staff areas (back room, kitchen, office), you must notify employees. CCTV covering customer areas is different (you must display a notice, but the notice is for customers). In staff areas, employees have heightened privacy expectations. You can record for security, but you can’t use footage to spy on break room conversations or toilet areas. Be clear about what is and isn’t recorded.

Payment Systems and Compliance

Every pub takes payments. Every payment involves data. GDPR compliance in payments means understanding what your till system does with that data and who has access to it.

Card payments and tokenisation

Modern EPOS systems use tokenisation. This means the card reader encrypts the card number, and everything downstream of it in your business, including the till, handles only a token that stands in for the card. Your till never sees the real card number. This is PCI-compliant and GDPR-compliant. If your till displays a full card number to the staff member, or emails receipts with full card numbers, you’re exposed. Check your current system today. Test a card payment and ask: can the cashier see the full card number? If yes, fix it.

Cash payments and customer data

Cash transactions don’t involve personal data, so they’re not a GDPR concern—unless you’re capturing contact details at the till. If you’re asking for email or phone “just in case they want a receipt,” you’re creating data unnecessarily. Don’t do it unless you have a clear reason.

Contactless and digital wallets

Contactless payments, Apple Pay, Google Pay—all of these are handled by the payment processor, not you. Your till gets a token. No personal data reaches you. These are the most GDPR-friendly payment methods available.

Card decline and retry logic

This is subtle. If a customer’s card declines, your EPOS should not retry the payment multiple times automatically. Each retry is a transaction attempt. Multiple attempts on a declined card can look like fraud and create unnecessary processing. One attempt, one outcome. If it declines, stop and ask the customer to try a different card or method.

Data Breaches and What to Do

A data breach is when personal data is accessed, disclosed, or lost without permission. This includes: a staff member forwarding customer emails to the wrong group, a laptop with unencrypted customer records being stolen, a till system being hacked, or old backup tapes being discarded without wiping.

You must report a data breach to the ICO within 72 hours if it poses a risk to individuals, even if you’re unsure whether it’s serious. The ICO would rather get a report from you about something minor than find out you hid a breach. Hiding a breach is a much bigger offence.

Steps when a breach happens

  • Stop the breach immediately. If it’s a security issue, take the system offline.
  • Document what happened, when it happened, and what data was involved.
  • Assess the risk to individuals. Did anyone’s bank details leak? That’s high risk. Did an old contact list leak? Probably low risk.
  • If high risk, contact the ICO and affected individuals within 72 hours.
  • If low risk (like a contact email being forwarded to the wrong person within your own company), you may not need to report it to the ICO, but you should still document it.

Prevention is easier than reporting

The breaches that hurt pubs most are the ones that could have been prevented with basic hygiene:

  • Encrypt laptop and tablet hard drives if they contain any customer or staff data.
  • Use strong passwords and change them when staff leave.
  • Don’t email personal data. If you must, encrypt it.
  • Lock down access to your till system. Not all staff need access to view customer records.
  • Wipe devices properly before selling or recycling old till terminals and computers.

When we set up systems at Teal Farm, encryption wasn’t optional—it was a prerequisite. We don’t store backup files on a USB stick in the office. Everything goes to a secure cloud provider with data encryption. It sounds paranoid until it’s not your problem to fix.

Building a Simple Compliance Checklist

GDPR compliance is built on knowing what data you have, why you have it, who can see it, and when it gets deleted. You don’t need a 40-page policy. You need a simple, written system that actually works.

The minimum: a data inventory

List every place where you collect or store personal data:

  • Email list (source, how often cleaned, who can access)
  • Loyalty scheme (what data, how long kept, how to delete)
  • Till system (what data stored, where, how encrypted)
  • Payroll system (what data, stored where, how secured)
  • Scheduling software (staff access, data retention)
  • CCTV system (what areas covered, how long footage kept, who can view)
  • WiFi system (what data collected, retention policy)

For each one, write down: what personal data is there, who has access, how long is it kept, and how is it deleted. That inventory is your GDPR roadmap. It takes two hours to build and saves you months of confusion.
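The inventory above, combined with the retention periods given elsewhere in this guide (delete booking data after the event, six years for disciplinary records after an employee leaves, 12 months of no contact for email addresses, 30 days to honour an erasure request), can be turned into a short retention review that lists what is due for deletion. This is an added example, not the author's or any EPOS vendor's code; the record layout, the 365-day year, and the sample records are constructed assumptions.

```python
"""Retention review over a pub's data inventory (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods from the guide, expressed in days. 12 months and six years
# are approximated as 365-day years; treat the exact day counts as assumptions.
ONE_YEAR = timedelta(days=365)
RETENTION = {
    # system: (lawful basis the guide names, how long to keep after the
    #          record's "clock" date, which date starts the clock)
    "email_list":   ("consent",             ONE_YEAR,     "last_contact"),
    "booking":      ("contract",            timedelta(0), "event_date"),
    "disciplinary": ("legal claim defence", 6 * ONE_YEAR, "employment_ended"),
    "wifi_login":   ("consent",             ONE_YEAR,     "login_date"),
}
ERASURE_DEADLINE = timedelta(days=30)  # the guide's 30-day window for erasure requests


@dataclass
class Record:
    system: str                      # which inventory entry the record lives in
    ref: str                         # your own reference, never the personal data itself
    clock_date: date                 # the date named in RETENTION for this system
    erasure_requested: Optional[date] = None


def review(records, today):
    """Return (ref, action, reason) for every record that needs attention."""
    findings = []
    for r in records:
        rule = RETENTION.get(r.system)
        if rule is None:             # a system with no rule is a gap in the inventory
            findings.append((r.ref, "INVENTORY", f"{r.system} has no retention rule"))
            continue
        basis, keep_for, clock = rule
        if r.erasure_requested is not None:   # erasure requests override retention
            due = r.erasure_requested + ERASURE_DEADLINE
            status = "OVERDUE" if today > due else "DELETE"
            findings.append((r.ref, status, f"erasure request due by {due}"))
            continue
        if today > r.clock_date + keep_for:   # retention period has run out
            findings.append((r.ref, "DELETE", f"{basis} basis ended: {clock} + {keep_for.days}d passed"))
    return findings


TODAY = date(2026, 4, 11)   # the guide's "last updated" date
SAMPLE = [  # constructed records; not real customers or staff
    Record("email_list",   "E-001", date(2025, 12, 20)),   # engaged 4 months ago: keep
    Record("email_list",   "E-002", date(2024, 11, 5)),    # 17 months silent: delete
    Record("booking",      "B-017", date(2026, 3, 28)),    # event has passed: delete
    Record("disciplinary", "S-004", date(2019, 6, 30)),    # left over six years ago: delete
    Record("disciplinary", "S-009", date(2022, 1, 15)),    # still within six years: keep
    Record("email_list",   "E-003", date(2026, 2, 1), erasure_requested=date(2026, 3, 1)),  # 30 days passed
    Record("cctv",         "C-001", date(2026, 4, 1)),     # no rule recorded: inventory gap
]

if __name__ == "__main__":
    for ref, action, reason in review(SAMPLE, TODAY):
        print(f"{action:9} {ref:6} {reason}")
```

Run it on the inventory once a quarter (or in the January review) and treat every DELETE, OVERDUE and INVENTORY line as a task for that system's owner.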

Privacy notices

If you’re collecting customer data (email signup, loyalty scheme, WiFi login), you must tell them what happens to it. A simple notice at the till or on your website is enough:

“We collect your email to send you event information. You can unsubscribe anytime. We delete emails after 12 months of no contact. Your data is stored securely and never shared with third parties.”

That’s clear, honest, and GDPR-compliant. You don’t need legal language. Plain English is better.

Data Processing Agreements with third parties

Every software provider you use should have a Data Processing Agreement. Email them asking for one. If they ask what it is, direct them to the ICO website. Most reputable providers have them ready to go. If they don’t, they’re not treating GDPR seriously—and you shouldn’t be using them.

When considering pub IT solutions, always ask about DPAs before signing up. It’s not optional.

Staff training

Your staff are your first line of defence. They need to know: don’t email customer data, don’t write down passwords, don’t leave registers logged in, lock your screen when you step away. A 20-minute conversation beats a 200-page policy document. When running pub onboarding training, make GDPR and data security a standard part of the session. It takes 10 minutes and prevents most breaches.

Annual review

Once a year—say, January—review your data inventory. Have you added new systems? Are you still collecting data you don’t need? Have you deleted old records? Change it if it’s not working. GDPR compliance isn’t set-and-forget. It’s a living system.

One practical insight that only becomes obvious after actually running a pub: the cost of non-compliance isn’t the ICO fine. It’s the hours you spend explaining to a customer why their data appeared somewhere they didn’t consent to, the reputation damage when staff accidentally email customer lists to the wrong group, and the panic when you can’t find old records to delete when someone asks. Compliance takes six hours upfront. Non-compliance takes weeks to fix.

When calculating staffing costs using a pub staffing cost calculator, remember to factor in that staff data processing needs securing, and that security requires care during hiring, payroll, and scheduling. It’s not just about compliance—it’s about staff confidence that their information is safe.

Frequently Asked Questions

Do I need a Data Protection Officer if I run a small pub?

No. A DPO is only required if you’re a government body, public authority, or process data on a large scale professionally. Most small pubs don’t meet that threshold. What you do need is someone responsible for GDPR compliance—often the owner or a manager—and a basic data inventory system.

How long can I keep customer email lists before I have to delete them?

Only as long as you need them for the purpose they were collected. If someone signed up for a Christmas promotion and never engaged again, delete the email after six months. If they actively engage (opens emails, clicks links), you can keep it longer. Use your email software’s engagement metrics to clean inactive records every quarter. No more than 12 months of inactivity before deletion is reasonable.

What should I do if a customer asks me to delete their data?

Honour the request within 30 days. If they gave you their email for a loyalty scheme, delete it from the loyalty system. If they paid by card, their card data should already be gone (your processor handles that). Check every place their data might exist: email lists, loyalty software, CRM, booking systems, CCTV (if identifiable). Delete all of it. Keep a note that you deleted it, in case they follow up. Document your process for handling deletion requests so staff know what to do next time.

Can I use customer phone numbers to send SMS promotions without asking first?

No. SMS is “direct marketing” and falls under the Privacy and Electronic Communications Regulations (PECR), which is stricter than GDPR. You must have active, explicit consent to send marketing SMS. If someone gave you their phone for a booking, they didn’t consent to SMS marketing—that’s a separate, active opt-in. Transactional SMS (booking confirmation, order ready) can be sent without marketing consent, but marketing SMS always needs consent first.

If my till system gets hacked, am I liable for customer card fraud?

Your till system shouldn’t store full card numbers, so if it’s hacked, customer card details shouldn’t leak. Payment processors and card networks have fraud protections—customers aren’t liable for fraud on their accounts. You’re liable for breaching PCI DSS and GDPR, which means reporting the breach and potentially facing a fine if it was your negligence (unencrypted data, weak passwords, outdated software). Card fraud on the account is handled between the customer, their bank, and the card network; your problem is securing the data properly.

GDPR compliance is one thing. Knowing which tools, systems, and processes actually protect your customer and staff data is another.

