Data Protection for UK Pubs in 2026
Last updated: 13 April 2026
Most UK pub landlords treat data protection as a compliance checkbox — something to tick off and forget about. The reality is messier. You’re collecting customer data every single day through loyalty schemes, quiz night registrations, card payments, email newsletters, and WiFi logins. One data breach or poorly handled customer record can cost you thousands in ICO fines, destroy customer trust, and — if you’re unlucky — make headlines for the wrong reasons.
I’ve managed 17 staff across front of house and kitchen at Teal Farm Pub, Washington, Tyne & Wear, and I’ve seen firsthand how customer data gets mishandled without proper systems. You’re not a data controller by choice — you become one the moment you ask for a phone number or email address. The legal requirement isn’t optional. The good news is that understanding data protection in 2026 is simpler than most operators think, and it doesn’t require expensive consultants.
This guide covers what data protection actually means for a UK pub, which laws apply to you specifically, what happens when things go wrong, and practical steps you can take today to stay compliant without hiring external help.
Key Takeaways
- GDPR applies to your pub if you collect any personal data — names, emails, phone numbers, card details, or IP addresses — from customers or staff, even informally.
- The failures the ICO most often pursues in small hospitality businesses are unclear privacy notices, marketing sent without consent, and failure to answer data subject access requests (DSARs) within the one-calendar-month deadline.
- Data protection in a pub requires three core actions: a clear privacy notice visible to customers, documented consent for email marketing or loyalty schemes, and a simple process for handling customer requests about their data.
- The ICO’s maximum fine under UK GDPR is £17.5 million or 4% of annual worldwide turnover, whichever is higher. For small independents, enforcement typically starts with guidance and documented warnings before any financial penalty.
What Is GDPR and How Does It Apply to Pubs
The General Data Protection Regulation (GDPR) controls how businesses collect, store, and use personal data. It replaced the Data Protection Act 1998 in May 2018 and sits alongside the Data Protection Act 2018; after Brexit it was kept on the statute book as the UK GDPR. This isn’t theory — it’s enforceable by the Information Commissioner’s Office (ICO), which has the power to fine you.
Many pub owners assume GDPR only applies to big tech companies or large hospitality chains. That’s wrong. If you’re collecting personal data — and you almost certainly are — GDPR applies to you. This includes:
- Card payment details (processed through your till or payment terminal)
- Email addresses (from newsletter signups or loyalty schemes)
- Phone numbers (quiz night registrations, table bookings, reservations)
- Staff names and contact details
- CCTV footage (if you have cameras in your pub)
- IP addresses (from pub WiFi)
- Customer photos (if you post them on social media)
When Teal Farm Pub ran quiz nights, we collected names, phone numbers, and email addresses for team registration. That simple act triggered GDPR. We had to tell people what we’d do with their data, and we had to keep it secure. Most operators don’t think about this because the data collection feels informal — a phone call, a scribbled note, an email. But the law doesn’t care about formality. If you hold someone’s personal information, GDPR applies.
The regulation sets out seven principles. Six describe how personal data must be handled; the seventh, accountability, means you must be able to show that you follow the other six (the one-page record described later does this). Your pub must ensure personal data is:
- Lawful, fair, and transparent: You must have a legal reason to collect it, and customers must understand what you’re doing with it.
- Purpose-limited: You can only use data for the reason you said you’d use it (e.g., if you collect an email for a booking confirmation, you can’t add them to a marketing list without fresh consent).
- Data-minimised: Collect only what you actually need. Don’t ask for postcodes, birthdates, or employer details unless you have a specific reason.
- Accurate and up to date: Delete or correct information when it’s wrong.
- Kept secure: Stored safely and only accessible to staff who need it.
- Retention-limited: Don’t keep data longer than necessary.
These principles sound abstract, but they translate into the concrete actions in the section on building a simple data protection process.
What Data Are You Actually Collecting
The first step in data protection compliance is a data audit — listing every piece of customer or staff information your pub holds and where it’s stored. This sounds bureaucratic, but it’s essential. You can’t protect what you don’t know you have.
Take a pen and paper and walk through your pub operation:
At the till and payment: Every card payment leaves a record of the last 4 digits of the card, the amount, and the transaction date and time, and some systems also capture the cardholder’s name. If you use a loyalty card or tap-to-pay app, you’re collecting phone numbers or email addresses too. A terminal or till that keeps full card numbers or security codes after the transaction breaches the PCI DSS rules in your card acquirer’s contract as well as the GDPR security principle; ask your provider to confirm in writing that it doesn’t.
Bookings and events: Reservation books, email confirmations, and online booking systems all hold customer names, phone numbers, and sometimes dietary requirements or special requests. If you run quiz nights, you’re collecting team member names.
Marketing: Email newsletters, text message lists, and social media followers are all personal data. If you’ve got a list of 50 or 500 email addresses, that’s data you’re responsible for.
WiFi: Your pub WiFi router logs each device’s hardware (MAC) address and the IP address it was given, and often what was accessed. Some captive-portal systems also ask for an email address or name before granting access. All of that is personal data.
CCTV: Camera footage is personal data because it can identify individuals. This includes interior and exterior cameras.
Staff records: Names, phone numbers, addresses, bank details, payroll information, training records, and performance notes are all personal data. Staff data is often more sensitive than customer data.
Handed to you informally: A customer’s email scribbled on a competition entry form. A phone number written on a table booking note. A delivery driver’s contact details. All personal data.
Now, where is this data actually stored? On paper in a drawer? In a spreadsheet on your computer? In your till system? In your email account? With a third-party booking system? Each storage location is a potential security risk if it’s not protected.
This audit takes 30 minutes and gives you a clear picture. You’ll likely find data you didn’t know you had.
Your Legal Obligations as a Pub Operator
GDPR imposes specific legal obligations on anyone collecting personal data. For a pub, the core requirements are:
1. Privacy Notice (Transparency Obligation)
You must tell customers what data you’re collecting and why. This isn’t optional. The law calls this a privacy notice or privacy policy. It must cover:
- Your pub’s name and contact details
- What data you collect (e.g., name, email, phone)
- Why you collect it (e.g., to process bookings, send newsletters, process payments)
- How long you keep it
- Who you share it with (payment processors, email marketing services, delivery companies)
- Customer rights (they can request their data, correct it, or ask you to delete it)
- How to contact the ICO if they have complaints
Where does this privacy notice go? On your website, printed at the till, on your booking form, or in an email. For wet-led pubs without a website, a printed notice at the bar works. The key word is visible — customers must actually see it.
2. Lawful Basis for Processing
You need a legal reason to hold personal data. For pubs, the main lawful bases are:
- Contract: Processing payment card data to complete a transaction (you need this to take card payments).
- Consent: The customer actively agrees (e.g., ticking a box that says “I want to receive email updates from your pub”).
- Legal obligation: You must keep certain data by law (e.g., staff payroll records for tax purposes).
- Legitimate interest: You have a genuine business reason that doesn’t override the customer’s privacy rights (e.g., CCTV for security purposes).
The most common mistake: collecting email addresses for a loyalty scheme without getting explicit consent first. If you ask customers to sign up for your newsletter, they must actively opt in — not opt out by default. Email and text marketing is also governed by PECR (the Privacy and Electronic Communications Regulations), which is where the opt-in rule actually comes from; the ICO enforces both, and a marketing complaint can be pursued under either.
3. Data Subject Access Requests (DSARs)
Any customer can ask you: “What personal data do you hold about me?” You have one calendar month to respond with a copy of their data (the ICO lets you extend this by up to two further months for genuinely complex requests, but you must tell the person within the first month). This is a legal requirement. Missing the deadline is an ICO violation.
In practice, a DSAR looks like an email from a customer saying: “I’d like a copy of all the data you have about me.” You may first ask for enough to confirm you’re dealing with the right person. Then you must gather everything (email records, booking notes, payment history, CCTV footage if they’re on it, with other people blurred or cropped out) and send it to them within the month. You can’t charge for a normal request; a fee is only allowed for requests that are manifestly unfounded or excessive, and you should be able to justify that.
4. Data Security
You must keep personal data secure against unauthorized access, loss, or damage. This doesn’t require expensive software. It means:
- Password-protecting files that hold customer data
- Not leaving printed lists of customer names and phone numbers in the office where staff can access them without a reason
- Using secure payment terminals that don’t store full card details
- Limiting staff access to customer data (only the manager needs to see the booking list; the bar team doesn’t)
- Using HTTPS (padlock icon) on any website that collects data
5. Data Retention
You must delete personal data when you no longer need it. Don’t keep customer email addresses forever. Keep the transaction record (amount, date, last 4 digits) for 6 years because HMRC requires it; never keep full card numbers or security codes, and that is your terminal provider’s job, not yours. Delete booking notes after the event. Clear old CCTV footage regularly (most systems overwrite it automatically after a set number of days; 30 days is typical).
Common Data Protection Mistakes Pub Owners Make
The most common data protection failures in pubs stem from poor practices, not deliberate breaches. Here are the ones the ICO sees repeatedly:
Mistake 1: No Privacy Notice
You’re collecting email addresses through a signup sheet or form, but there’s nowhere on that form explaining what you’ll do with the email. That violates GDPR’s transparency principle. The fix: add a sentence below the signup: “We’ll use this email to send you weekly specials and event updates. You can unsubscribe anytime.”
Mistake 2: Collecting Data Without Consent
You buy a customer list from another pub, or you add people to your email newsletter because they came in on Saturday night. Neither gives you a lawful basis to email them. You need explicit consent. If someone hasn’t ticked a box or signed something saying “yes, email me,” you can’t email them.
Mistake 3: Not Responding to Data Requests
A customer emails asking for their data. You ignore it or think it’s not a real request. The month passes. The ICO takes action. This is one of the easiest violations to avoid — just respond within the month.
Mistake 4: Sharing Data Without Disclosure
Your EPOS system or booking platform shares customer data with a parent company or analytics service, but your privacy notice doesn’t mention it. That’s a breach. Customers should know who you share their data with.
Mistake 5: Keeping Data Too Long
You have email addresses from quiz nights five years ago that you never deleted. Why are you still holding data for people you’ll never see again? Retention limits mean you should delete old customer records on a schedule (e.g., annually).
Mistake 6: Storing Customer Data Insecurely
A spreadsheet of customer names, phone numbers, and email addresses sitting unencrypted on a shared computer. Or sticky notes with staff passwords on the till. Or CCTV footage accessible to everyone. These are security failures.
Building a Simple Data Protection Process
Compliance doesn’t require consultants or expensive software. It requires three documented processes. You can build these in a day.
Process 1: Privacy Notice
Write or adapt a privacy notice for your pub. Use this template structure:
We (your pub name) collect your personal data to:
- Process payments when you buy food or drink
- Manage table reservations and event bookings
- Send email updates about weekly specials and events (if you’ve asked us to)
- Operate pub WiFi safely
- Protect our premises through CCTV
We keep your data only as long as needed for these purposes. We don’t sell or rent your data to third parties. If you have questions about your data, contact [your name] at [email address]. You can ask us to delete your data, correct it, or provide a copy of it anytime.
Print this on a sheet and post it by the till and at the WiFi login. Add it to your website if you have one. Include it in booking confirmation emails.
Process 2: Consent Management
If you’re running a loyalty scheme, quiz nights, or email newsletter, create a consent system:
- For in-pub signups: Add a checkbox to your form: “I’d like to receive emails about specials and events.” Only people who tick that box go on your email list.
- For email signups: Use a double opt-in system. Someone provides their email, you send them a confirmation email, and they have to click a link to confirm. This proves they actually wanted to be on the list.
- For quiz nights: Tell people verbally (and note it on the signup form) that you’re collecting their name and phone number to contact them about the event. Don’t add them to your newsletter without asking separately.
Keep records of who consented, when, how, and what they were told. A simple spreadsheet works: Name | Email | Date | Consent Type | Source (website form, bar sheet, quiz registration) | Wording shown. If the ICO ever asks, that last column is what proves the consent was informed.
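The double opt-in and the consent record above, as an added worked example rather than anything the article or the author’s pub actually runs. It assumes a signing secret kept with your mailing tool (not in the spreadsheet), a 48-hour life for confirmation links, and Unix timestamps for the clock; the address, wording and clock values in the `__main__` block are constructed. The link token is an HMAC over the address and an expiry, so a confirmation cannot be forged or reused for a different address, and the register stores exactly what you need to be able to show: who, when, what they were told and where the signup came from. It also carries the annual clean-out from Mistake 5, dropping anyone you have no evidenced engagement from in 12 months.

```python
"""Double opt-in tokens, a minimal consent register, and a retention sweep.

Added example, not the article's own tooling. Assumes a 32-byte secret that
lives with the mailing tool rather than in the spreadsheet, and uses Unix
timestamps so the checks can be exercised without a real clock.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

SIGNING_KEY = secrets.token_bytes(32)   # assumed: generated once, stored server-side
LINK_LIFETIME = 48 * 3600               # confirmation links die after two days
RETENTION = 365 * 24 * 3600             # drop subscribers silent for 12 months


def issue_confirmation_token(email: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Token to embed in the confirmation link. Binds the normalised address to
    an expiry and signs both, so it cannot be forged or moved to another address."""
    payload = json.dumps({"e": email.strip().lower(), "x": now + LINK_LIFETIME}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def verify_confirmation_token(token: str, now: int, key: bytes = SIGNING_KEY):
    """Return the confirmed address, or None if the token is malformed,
    tampered with, or expired. The signature check is constant-time."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)          # only reached for a payload we signed
    if now > data["x"]:
        return None
    return data["e"]


@dataclass
class ConsentRecord:
    email: str
    confirmed_at: int     # when the confirmation link was clicked
    wording: str          # exact sentence the person agreed to
    source: str           # where the signup came from
    last_engaged_at: int  # last open, click or visit you can evidence


def confirm(register: dict, token: str, wording: str, source: str, now: int,
            key: bytes = SIGNING_KEY) -> bool:
    """Add a subscriber only on a valid click; nothing is recorded otherwise."""
    email = verify_confirmation_token(token, now, key)
    if email is None:
        return False
    register[email] = ConsentRecord(email, now, wording, source, now)
    return True


def note_engagement(register: dict, email: str, now: int) -> None:
    """Call when the person opens a mail, clicks a link, or uses the loyalty card."""
    if email in register:
        register[email].last_engaged_at = now


def prune_inactive(register: dict, now: int) -> list:
    """Delete anyone with no evidenced engagement inside the retention window
    and return the addresses removed, for the deletion log."""
    stale = [e for e, r in register.items() if now - r.last_engaged_at > RETENTION]
    for e in stale:
        del register[e]
    return stale


if __name__ == "__main__":
    t0 = 1_776_000_000   # constructed clock value; any epoch second works
    reg = {}
    tok = issue_confirmation_token("Sam@Example.co.uk ", t0)
    print("confirmed:", confirm(reg, tok, "I'd like emails about specials and events",
                                "website form", t0 + 600))
    print("stale after 13 months:", prune_inactive(reg, t0 + 13 * 30 * 86400))
```

Addresses that never click are never written to the register, so unconfirmed signups expire with their link instead of sitting in a list. A valid token clicked twice inside its 48-hour window just re-records the same address, which is harmless; changing the wording you show people should start a fresh consent rather than editing old rows.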
Process 3: Data Request Response
Create a simple system for handling DSARs:
- Designate one person (usually the manager) as the point of contact.
- If you receive a data request by email, reply immediately acknowledging it: “I’ve received your request. I’ll respond with your data within one month.” If you aren’t sure who is asking, this is the moment to ask for enough to confirm their identity.
- Gather all data you hold about that person (email records, booking notes, payment info, any CCTV footage showing them). Don’t overthink it — just collect what’s actually there, and remove other people’s details before you send it.
- Send it to them (usually as a PDF by email, or printed if they asked in person) before the month is up.
- Keep a record that you responded and when.
In practice, DSARs are rare for small pubs. But when they come, you must respond. The good news: this process takes 1–2 hours per request.
Documentation
Keep a simple record of what you’re doing:
- A list of all data you collect (from your audit in the “What Data Are You Actually Collecting” section)
- Where it’s stored
- How long you keep it
- Who has access to it
- Your privacy notice (dated)
- Records of DSARs you’ve received and your responses
This doesn’t need to be complex. A one-page document per year is enough. The ICO wants to see that you’ve thought about data protection, not that you’ve hired a compliance officer.
When managing your pub’s operational data across multiple systems — from loyalty schemes to pub IT solutions — ensure each platform has a privacy notice and clear consent mechanisms. If you’re using pub management software, check the vendor’s privacy policy and understand what customer data they access.
What Happens If You Get It Wrong
Data protection violations fall into two categories: warnings and enforcement. The ICO has discretion in how it handles breaches.
Small Violations: Warnings and Guidance
If the ICO becomes aware of a breach but no one was actually harmed (e.g., you didn’t have a clear privacy notice, but no customer data was exposed), you’ll typically receive a warning or guidance letter. The ICO might ask you to provide evidence of compliance within a set timeframe. Many small pubs escape with a warning and a request to fix the issue.
Significant Breaches: Fines
The ICO can fine you up to £17.5 million or 4% of annual worldwide turnover — whichever is higher — for serious violations. For small independent pubs, this is a theoretical maximum. In practice, enforcement fines for small businesses are far lower. But they’re still serious.
Fines are issued for violations like:
- Data breaches (customer data was lost, stolen, or exposed)
- Refusing or delaying a DSAR beyond the one-month deadline
- Processing data without lawful basis (e.g., marketing to customers who never consented)
- Not having a privacy notice or security measures
Reputational Damage
The ICO publishes enforcement action on its website. If your pub is fined or investigated, it’s public record. This damages customer trust far more than the fine itself. Customers read headlines like “Local Pub Fined for Data Breach” and stop coming. That’s the real cost.
If a Breach Happens
If customer data is actually compromised (leaked, stolen, or accessed without permission), you must:
- Write down what happened, when you found out, and what you did, even if you decide it doesn’t need reporting (the ICO expects a log of every breach)
- Report it to the ICO within 72 hours of becoming aware, if the breach is likely to put people at risk (fraud, harassment, embarrassment)
- Tell the affected customers without undue delay if the risk to them is high, so they can act (change a password, watch their card statements)
- Explain what happened, what data was affected, and what steps you’re taking to fix it
A small incident (e.g., a few customer emails accidentally visible in a forwarded email) is logged but usually not reported. A significant breach (e.g., your payment terminal was tampered with and 500 card numbers were stolen) requires immediate action, and you should also tell your card acquirer. When in doubt, report it; the ICO treats a prompt, honest notification far better than one it discovers later.
Frequently Asked Questions
Do I need a privacy policy if I’m a small wet-led pub?
Yes. GDPR applies to all businesses collecting personal data, regardless of size. A wet-led pub collecting email addresses for a quiz night or loyalty scheme must have a privacy notice. For small pubs, a one-page printed notice at the till satisfies the requirement. You don’t need a 10-page legal document, but you do need something written and visible.
What’s the difference between consent and legitimate interest?
Consent is active: the customer says yes (ticks a box, signs something). Legitimate interest doesn’t need the customer to say yes, but you must be able to show a genuine business reason, that the processing is necessary for it, and that it doesn’t override the customer’s rights; write that reasoning down. CCTV for pub security is legitimate interest. Emailing someone a marketing message without their permission is not — that requires consent. When unsure, get consent.
How long should I keep customer email addresses?
There’s no fixed rule, but a reasonable approach is: keep them as long as the customer is actively engaged (subscribing to emails, coming to the pub regularly). Delete addresses from customers who haven’t engaged in 12 months. Update your email list at least annually to remove inactive subscribers. This also improves your email marketing performance.
Is my EPOS system GDPR-compliant?
Check your EPOS vendor’s privacy policy and data processing agreement. Ask: Does it encrypt card data, and is the terminal PCI DSS certified? Where is customer data stored? Can I delete customer records? Most reputable systems are GDPR-compliant, but you should confirm, and you remain responsible for the data as the controller. When evaluating any business software, prioritise vendors who publish a clear data protection policy.
What should I do if a customer asks for their data?
Respond within one month. Gather everything you hold about them (emails, booking notes, payment records, CCTV footage if they appear in it). Compile it into a document and send it to them. If you don’t have organised records, spend a few hours searching emails and systems. The effort is manageable. Missing the deadline is not.
You now understand GDPR obligations and the practical steps to stay compliant. The next challenge is implementing these processes consistently while running a pub with 17 staff, managing stock, and handling daily operations.
Take the next step today. Start with your privacy notice and data audit — two tasks you can complete this week.