EPOS with GDPR compliance in UK pubs



Written by Shaun Mcmanus
Pub landlord, SaaS builder & digital marketing specialist with 15+ years experience

Last updated: 11 April 2026


Most UK pub landlords don't realise that the company behind their EPOS system is a data processor under UK GDPR and that they themselves are the data controller, and that changes how you choose one. Your till isn't just ringing up pints and kebabs; it's collecting and storing personal data every single day. If you're running a loyalty scheme, taking card payments, or keeping customer contact details, you're already handling data that the UK Information Commissioner's Office (ICO) regulates. This isn't a compliance checkbox you can leave to your software provider. You need to understand what UK GDPR actually means for your pub, which EPOS features matter, and what happens if you get it wrong. In this guide, I'll walk you through the real data protection obligations, the features your EPOS system should have, and how to check whether your current provider is compliant, not in theory but in practice.

Key Takeaways

  • Your EPOS vendor is a data processor under UK GDPR and you are the data controller: you remain legally responsible for how customer information is handled even though the vendor stores the data.
  • UK GDPR does not list required features, but Article 32 requires security measures appropriate to the risk. In practice that means encryption, role-based access controls, retention and deletion controls, and audit logs; not every EPOS system offers all of them.
  • You must have a written contract with your EPOS vendor containing the Article 28 processor terms, usually called a Data Processing Agreement (DPA). A verbal arrangement is not enough, and standard terms of service only count if they actually include those terms.
  • The most common compliance failure is keeping customer data longer than necessary. The storage limitation principle requires you to delete or anonymise it once you no longer have a lawful reason to retain it.

What GDPR actually means for pub EPOS

The most important thing to understand is that UK GDPR makes you, the licensee, the data controller: you decide why and how customer data is processed, and you carry the primary responsibility for protecting it. Your EPOS provider is a processor with its own, narrower obligations, but even if it stores everything in the cloud, encrypts it, and follows best practice, the Information Commissioner's Office (ICO) can still hold you responsible if things go wrong. Article 28 requires you to use only processors that give sufficient guarantees of appropriate security, and Article 32 requires security measures appropriate to the risk, so choosing an EPOS system with real data protection controls isn't optional.

GDPR applies to any business collecting, storing, or processing personal data about identifiable individuals. For a pub, this includes:

  • Customer email addresses and phone numbers (loyalty schemes, newsletters, reservations)
  • Payment card information (if your EPOS stores it directly, which most shouldn’t)
  • Staff data (shift records, personal phone numbers, bank details)
  • Delivery driver details (if you run food delivery services)
  • CCTV footage linked to staff or customer records

The key principle under UK GDPR is that personal data must be processed lawfully, fairly, and transparently. Your EPOS system is the tool doing a lot of that processing. When you swipe a loyalty card, capture an email address for a reservation, or store a staff member’s contact details, your EPOS is processing personal data on your behalf. That makes you a data controller, and your EPOS provider a data processor.

What data your EPOS system actually collects

Most pub landlords think their EPOS only stores transaction information — what was sold, who paid, when. But modern systems collect far more than that, and understanding exactly what data you’re collecting is the first step to compliance.

Transaction and payment data

Every till transaction creates a record: the items sold, the time, the payment method, and usually a truncated card number or a payment reference from the terminal. Most systems keep the last four digits of the card for refunds and reconciliation; once that sits alongside a transaction that can be linked to a person, it is personal data. If your EPOS stores the full card number (the PAN) or the expiry date, that is cardholder data under PCI DSS (the Payment Card Industry Data Security Standard) as well as personal data under GDPR, and PCI DSS only permits storing it if it is rendered unreadable. The CVV is sensitive authentication data and must never be stored after the payment has been authorised.

Loyalty and customer records

This is where most pubs create compliance risk without realising it. If you run a loyalty scheme, whether a points card, app-based rewards, or member punch cards, your EPOS is storing customer names, phone numbers, email addresses, purchase history, and sometimes date of birth. All of this is personal data requiring GDPR protection. Many pub operators collect it for marketing without identifying a lawful basis, and then send marketing without the consent that PECR (the Privacy and Electronic Communications Regulations) requires.

Staff data

Your EPOS tracks staff clock-in times and shift schedules, and, if you use the system for payroll, bank details, tax codes, and hours worked. Bank details and tax codes are not "special category" data under UK GDPR, but the harm from exposing them is high, so treat them with the same care. Staff have the same data protection rights as customers, and you need a written processing agreement with any vendor storing their information.

Customer behaviour and analytics

Modern EPOS systems often include analytics features that track which customers buy what, how often they visit, average spend, and drink preferences. This can be powerful business intelligence, but it's also personal data if it's linked to identifiable individuals. Genuinely aggregated, anonymised data (e.g., "customers aged 25-35 buy gin 40% more often") is not personal data. Linked records of individual customer preferences are, and so are pseudonymised records keyed by a loyalty ID, because you still hold the link back to the person.

Before you choose an EPOS system, ask the vendor directly: “What personal data does your system collect, where is it stored, how long is it kept, and who has access to it?” If they can’t give you a clear answer, that’s a red flag.

EPOS features you need for GDPR compliance

Not all EPOS systems have the same data protection features. When evaluating options, look for these non-negotiable elements:

Encryption in transit and at rest

Data encryption is the foundational layer of data protection. When customer data travels from your till to the cloud (in transit), it must be encrypted using TLS 1.2 or higher, with older protocol versions disabled on the vendor's side. When it's stored in the vendor's database (at rest), it must be encrypted so that a stolen disk, a discarded server, or a leaked backup file does not expose readable data. Encryption at rest does not protect against a compromised login, because the application decrypts data for anyone who can authenticate, so ask your vendor: "Do you encrypt personal data in transit and at rest, who holds the keys, and how is access to them controlled?"

Access controls and user permissions

Your staff shouldn't all have the same level of access to customer data. A bar staff member might need to look up a loyalty account to apply a discount, but they shouldn't have access to financial reports or to other staff members' personal data. A good EPOS system lets you set granular permissions so that different roles see different data, and lets you remove a leaver's login the day they go. This is the principle of least privilege. (GDPR's "data minimisation" principle is about collecting only the data you need; limiting who can see it falls under the integrity and confidentiality principle in Article 5(1)(f) and the Article 32 security duty.)

Audit trails and activity logs

UK GDPR doesn't say "log every access" in those words, but the accountability principle requires you to be able to demonstrate that personal data is protected, and an access log is how you do that for a shared till. Your EPOS system should record who accessed customer data, when, and what they did, and the log should not be editable by the staff whose actions it records. This isn't for punishment; it's for accountability. If a customer makes an access request, you must be able to say who their data has been disclosed to, and if a breach occurs, the audit trail is what tells you how it happened, how far it spread, and whether you need to notify. Basic EPOS systems often have no audit trail; ones built with compliance in mind do.
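To make the last two points concrete, here is an added Python example (written for this page, not code from any EPOS product) of the role-based access control and access audit trail described above. The role names, permissions, field lists and the sample member are all constructed for illustration. It restricts which loyalty fields each role can see, logs every lookup (allowed, denied or not found) in an append-only list, and answers the "who has looked at this customer's record?" question from that log:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> permissions. Names are constructed for this example; real EPOS products
# expose their own permission sets, but the shape (role -> allowed actions) is the same.
ROLE_PERMISSIONS = {
    "bar_staff":     {"loyalty.lookup", "loyalty.redeem"},
    "shift_manager": {"loyalty.lookup", "loyalty.redeem", "loyalty.edit", "reports.sales"},
    "licensee":      {"loyalty.lookup", "loyalty.redeem", "loyalty.edit", "loyalty.export",
                      "reports.sales", "reports.financial", "staff.records.read"},
}

# The loyalty fields each permission level may see. Anything not listed is withheld,
# so a bartender applying a discount never sees an email address or date of birth.
FIELDS_FOR = {
    "loyalty.lookup": {"member_id", "first_name", "points"},
    "loyalty.edit":   {"member_id", "first_name", "last_name", "email", "phone",
                       "points", "last_visit"},
    "loyalty.export": {"member_id", "first_name", "last_name", "email", "phone",
                       "points", "last_visit", "date_of_birth"},
}

# Constructed sample member (not real data).
SAMPLE_MEMBERS = [
    {"member_id": "M1001", "first_name": "Anita", "last_name": "Shaw",
     "email": "anita@example.com", "phone": "07700 900123", "points": 340,
     "last_visit": "2026-03-28", "date_of_birth": "1988-06-14"},
]


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user_id: str
    role: str
    action: str
    subject: str      # whose personal data was touched
    outcome: str      # "allowed", "denied" or "not_found"
    fields: tuple     # which fields were disclosed


class PermissionDenied(Exception):
    pass


class LoyaltyStore:
    def __init__(self, members):
        self._members = {m["member_id"]: dict(m) for m in members}
        # Append-only: nothing in this class removes or rewrites audit events,
        # and denied attempts are recorded too.
        self._audit: list[AuditEvent] = []

    def has_permission(self, user: User, action: str) -> bool:
        # Unknown roles get no permissions at all (deny by default).
        return action in ROLE_PERMISSIONS.get(user.role, set())

    def _record(self, user, action, subject, outcome, fields=()):
        self._audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user.user_id,
                                      user.role, action, subject, outcome, tuple(sorted(fields))))

    def view_member(self, user: User, member_id: str) -> dict:
        """Return the member record restricted to the fields the user's role may see."""
        # Pick the widest loyalty view the role holds.
        level = next((p for p in ("loyalty.export", "loyalty.edit", "loyalty.lookup")
                      if self.has_permission(user, p)), None)
        if level is None:
            self._record(user, "loyalty.view", member_id, "denied")
            raise PermissionDenied(f"{user.user_id} ({user.role}) may not view loyalty records")
        member = self._members.get(member_id)
        if member is None:
            self._record(user, "loyalty.view", member_id, "not_found")
            raise KeyError(member_id)
        allowed = FIELDS_FOR[level]
        self._record(user, "loyalty.view", member_id, "allowed", allowed)
        return {k: v for k, v in member.items() if k in allowed}

    def who_accessed(self, member_id: str) -> list[AuditEvent]:
        """Answer 'who has looked at this customer's data?' from the log."""
        return [e for e in self._audit if e.subject == member_id]


if __name__ == "__main__":
    store = LoyaltyStore(SAMPLE_MEMBERS)
    print(store.view_member(User("u17", "bar_staff"), "M1001"))
    print(store.view_member(User("u01", "licensee"), "M1001"))
    for event in store.who_accessed("M1001"):
        print(event)
```

The useful part for an investigation is that denied attempts and lookups of IDs that don't exist are recorded too: a run of "not_found" events from one login is what guessing customer IDs looks like. In a real system the log would be written to storage the till users cannot edit.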

Data retention and deletion features

GDPR requires you to keep personal data only as long as necessary. For loyalty schemes, this might be 2–3 years of inactivity before deletion. For staff records, retention periods come from employment and tax law rather than from GDPR (six years is commonly used for payroll and wage records because of tax record-keeping and limitation periods). Your EPOS system should allow you to set automatic deletion policies so you don't keep data indefinitely, and it should apply them to backups too, or at least tell you how long backups are kept. Many pubs keep every customer email address they've ever collected because their EPOS has no deletion feature; that's a compliance risk.

Data portability and export

Under GDPR, customers can ask to see the personal data you hold about them (the right of access, Article 15) and, for data they gave you that you process by automated means on the basis of consent or a contract, to receive it in a structured, commonly used, machine-readable format such as CSV or JSON (the right to data portability, Article 20). You normally have one month to respond. Your EPOS should be able to export a single customer's records on request, and the export should cover purchase history and consent records, not just the name and email. Nothing in GDPR forbids doing this by hand, but if each request takes your staff two hours of manual spreadsheet work, you will miss deadlines, make mistakes, and struggle to show you found everything.
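As an added example covering the retention and export points above (illustrative Python, not code from any EPOS vendor), here is a retention sweep that removes loyalty records inactive for longer than a policy limit while honouring a documented legal hold, and a portability export that returns only the data the member provided or generated, leaving the pub's internal annotations out. The member records, the legal-hold reference and the fixed "today" date are all constructed:

```python
import json
from datetime import date, timedelta

# Policy from the article: three years of inactivity, then the record goes.
INACTIVITY_LIMIT_DAYS = 3 * 365

# Data a member can take with them: what they provided and what their use of the
# scheme generated. Internal annotations (staff notes, fraud flags, legal holds)
# are the pub's own data and stay out of the export.
PORTABLE_FIELDS = ("member_id", "first_name", "last_name", "email", "phone",
                   "date_of_birth", "points", "last_visit", "purchases", "marketing_consent")


def due_for_deletion(member: dict, today: date, limit_days: int = INACTIVITY_LIMIT_DAYS) -> bool:
    """True when the member has been inactive past the limit and nothing obliges you to keep the record."""
    if member.get("legal_hold"):
        # A documented reason to retain (an open complaint, a dispute, a police request)
        # overrides the inactivity rule. It needs a review date, not a permanent exemption.
        return False
    cutoff = today - timedelta(days=limit_days)
    return date.fromisoformat(member["last_visit"]) < cutoff


def retention_sweep(members: list[dict], today: date) -> tuple[list[dict], list[dict]]:
    """Split members into those to keep and a deletion log holding IDs and reasons only."""
    keep, deletion_log = [], []
    for m in members:
        if due_for_deletion(m, today):
            deletion_log.append({"member_id": m["member_id"],
                                 "deleted_on": today.isoformat(),
                                 "reason": f"no visit since {m['last_visit']}"})
        else:
            keep.append(m)
    return keep, deletion_log


def portable_record(members: list[dict], member_id: str) -> dict:
    """The member's data limited to the portable fields."""
    member = next(m for m in members if m["member_id"] == member_id)
    return {k: member[k] for k in PORTABLE_FIELDS if k in member}


def export_member(members: list[dict], member_id: str) -> str:
    """The JSON a member receives when they exercise the right to data portability."""
    return json.dumps(portable_record(members, member_id), indent=2, sort_keys=True)


# Constructed sample data (not real). "today" is fixed so the example is reproducible.
TODAY = date(2026, 4, 11)
SAMPLE_MEMBERS = [
    {"member_id": "M1001", "first_name": "Anita", "last_name": "Shaw", "email": "anita@example.com",
     "phone": "07700 900123", "date_of_birth": "1988-06-14", "points": 340, "last_visit": "2026-03-28",
     "purchases": [{"date": "2026-03-28", "items": ["Gin & tonic", "Chips"]}],
     "marketing_consent": True, "staff_note": "prefers table 4", "fraud_score": 0},
    {"member_id": "M1002", "first_name": "Ben", "last_name": "Okafor", "email": "ben@example.com",
     "phone": "07700 900456", "points": 20, "last_visit": "2022-11-05", "purchases": [],
     "marketing_consent": False},
    {"member_id": "M1003", "first_name": "Chloe", "last_name": "Reid", "email": "chloe@example.com",
     "phone": "07700 900789", "points": 0, "last_visit": "2021-06-01", "purchases": [],
     "marketing_consent": False, "legal_hold": "open complaint (constructed reference)"},
]

if __name__ == "__main__":
    kept, log = retention_sweep(SAMPLE_MEMBERS, TODAY)
    print("kept:", [m["member_id"] for m in kept])
    print("deletion log:", log)
    print(export_member(kept, "M1001"))
```

The deletion log records the member ID and reason only, never the deleted data, so it can be kept as evidence of the sweep without recreating the problem. Backups are not covered by a sweep like this; the vendor's backup retention has to be stated and fit within your policy.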

Regular backups and disaster recovery

Personal data must be protected against accidental loss as well as against attackers; Article 32 specifically mentions the ability to restore availability and access to personal data in a timely manner after an incident. Your EPOS vendor should have automated backups, geographically distributed storage, and a tested disaster recovery plan, and should be able to tell you its recovery time and how much recent data could be lost. For a pub running on EPOS, 24 hours of downtime during a recovery is a business problem; losing 24 hours of customer and staff data that cannot be restored is a personal data breach, which makes it a legal problem too.

What your EPOS vendor must do

Your relationship with your EPOS provider should be documented in a Data Processing Agreement (DPA). This is a legal contract that outlines exactly how your vendor will protect personal data on your behalf. It’s not optional under UK GDPR — it’s mandatory.

Data Processing Agreement (DPA)

A DPA is different from standard terms of service. It has to contain the terms set out in Article 28(3) of UK GDPR, which cover:

  • What personal data the vendor processes, for what purpose, and for how long
  • That the vendor processes it only on your documented instructions
  • Where data is stored (UK, EU, or other countries) and how any international transfer is safeguarded
  • What security measures are in place
  • That the vendor's staff with access to the data are bound by confidentiality
  • Which sub-processors are used, and that you are told before any are added or replaced
  • How the vendor will help you answer customer rights requests and report breaches, including telling you about a breach without undue delay
  • Deletion or return of the data when the contract ends
  • Your right to audit the vendor's systems, or to see the results of independent audits

If your EPOS provider doesn't offer a DPA in writing, that's a compliance failure. Some small vendors argue they're "too small" for a DPA, but the Article 28 contract requirement has no small business exception. A pub landlord managing customer data in Excel spreadsheets is subject to the same GDPR principles as a multinational corporation.

Sub-processor disclosure

Your EPOS vendor might use third-party services: cloud hosting, backup services, analytics companies, email delivery providers. Under Article 28, you must know who these sub-processors are, your vendor must have contracts with them that carry the same data protection obligations, and the vendor must tell you before adding or replacing one so that you can object. When choosing an EPOS system, ask: "What third-party services do you use to process our data, and can you provide a list of sub-processors and where each of them is based?"

International data transfers

If your EPOS vendor stores data outside the UK, that adds complexity. The UK has adequacy regulations covering the EEA and a handful of other countries, and the UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge") covers US organisations that are certified under it. For any other destination, or a US provider that isn't certified, the vendor needs a transfer mechanism: in the UK that is the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, backed by a transfer risk assessment. Don't assume cloud-based EPOS systems are UK-hosted just because they serve UK pubs; ask which region holds the live data, the backups, and the support staff who can access it.

Practical steps to stay compliant

GDPR compliance isn’t a one-time setup. It requires ongoing processes and documentation. Here’s what you actually need to do:

Step 1: Data audit

List all the personal data your EPOS system collects and where it goes. For Teal Farm Pub in Washington, Tyne & Wear, this includes customer loyalty accounts, staff shift records, and delivery driver contact information. Create a simple spreadsheet: data type, how it's collected, why (the purpose and lawful basis), where it's stored, how long it's kept, who has access. This is in effect your record of processing activities, and it is the foundation of your compliance.

Step 2: Get a Data Processing Agreement in writing

Contact your EPOS vendor and request a written DPA (one agreed electronically is fine; it must contain the Article 28 terms, not just a promise to "look after the data"). If they don't have one, the ICO publishes guidance on what the contract must include. Once agreed, store it safely with the date and version, because you'll need to show it to the ICO if there's ever an investigation. Using pub management templates can help you document this process.

Step 3: Set data retention policies

Decide how long you actually need to keep customer loyalty data. For most pubs, 2–3 years of inactivity is reasonable (if a customer hasn’t visited in 3 years, delete their record). Document this policy and ensure your EPOS can implement it. If it can’t, you’ll need to manually delete records regularly.

Step 4: Privacy notice and consent

When customers sign up for your loyalty scheme or give you their email address, they need to know what you'll do with it. Provide a clear privacy notice explaining what data you collect, why you collect it and on what lawful basis, who you share it with (your EPOS vendor is a recipient), how long you keep it, and their rights. Marketing emails and texts are governed by PECR as well as GDPR: you need consent given by a clear positive action, such as a box the customer ticks themselves. The one exception is the "soft opt-in" for existing customers, which only applies if you collected the address in the course of a sale, you market only your own similar products, and you offered a simple opt-out both at sign-up and in every message. A pre-ticked box, or quietly adding everyone on the loyalty list to the newsletter, is not consent.

Step 5: Staff training

Your staff need to understand data protection basics. They should know not to share customer data via email, not to leave customer information visible on screens, and not to discuss customer details in public areas. A 30-minute training session annually is reasonable. Keep a record of who was trained and when.

Step 6: Document your processes

Create a simple document outlining how your pub handles personal data: how it’s collected, who can access it, how long you keep it, what you do if someone requests their data, and what happens in a data breach. The ICO expects you to have a documented approach — you don’t need a 200-page data protection policy, but you do need evidence that you’ve thought about it.

When selecting pub management software, verify that the vendor can support all of these practical steps, not just in theory but operationally.

Common GDPR mistakes pub operators make

After evaluating EPOS systems for real-world pub operations and managing data at Teal Farm Pub, I’ve seen the same compliance failures repeatedly. Here are the ones that create actual legal risk:

Keeping customer data forever

The most common mistake. A pub collects loyalty card email addresses and keeps them indefinitely, either because the EPOS system has no deletion feature or because the landlord never set a retention policy. Under GDPR, this is non-compliant. You must delete or anonymise personal data when you no longer have a lawful reason to keep it. If a loyalty member hasn't visited within your retention period (three years in the policy above), delete their record.

No consent for marketing

Many pubs collect email addresses for loyalty schemes, then automatically add customers to newsletter mailing lists without permission. PECR requires consent for marketing emails and texts (or the narrow soft opt-in for existing customers), and GDPR sets the standard for that consent: specific, informed, and given by a clear positive action. "I signed up for a loyalty card" is not the same as "I want your weekly email newsletter". Record the two consents separately, with the date and the wording the customer saw, and honour an unsubscribe promptly.

Storing full payment card details

Never store the CVV, and avoid storing full card numbers or expiry dates at all. PCI DSS (the Payment Card Industry Data Security Standard) permits storing the PAN only if it is rendered unreadable, and the controls that requires are far beyond what a pub wants to run. PCI DSS is a contractual standard enforced by your acquirer and the card schemes rather than by the ICO, and non-compliance can mean fines from them and losing the ability to take cards, on top of the GDPR exposure. Your EPOS should tokenise payment data, storing only a reference to the transaction, not the card itself. If you need to refund a customer, use the transaction ID, not the card number, and don't let staff type card numbers into free-text note fields.
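A check a practitioner would want here, as an added example (Python written for this page, not from any EPOS product): scan an EPOS export for stored card numbers. It looks for 13 to 19 digit runs, validates them with the Luhn checksum that card numbers carry, and reports only the masked value so the scan itself does not spread PANs. The sample transaction records and the "tok_" payment references are constructed:

```python
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens, and
# not adjacent to other digits (so a 20-digit reference is not cut down into a "PAN").
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return candidate PANs (digits only) found in free text."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a refund note legitimately needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records: list[dict]) -> list[dict]:
    """Scan every field of every record and report where a full card number is stored.
    The report carries the masked value only, so the findings can be filed safely."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            for pan in find_pans(str(value)):
                findings.append({"record": rec["txn_id"], "field": field, "masked": mask_pan(pan)})
    return findings


# Constructed sample export (not real data). The "tok_" values stand in for the
# payment reference a tokenising EPOS stores instead of a card number; the card
# numbers are the public test numbers, not real cards.
SAMPLE_RECORDS = [
    {"txn_id": "T-1001", "payment_ref": "tok_8f3a21", "note": "refund to card ending 4242"},
    {"txn_id": "T-1002", "payment_ref": "4111 1111 1111 1111", "note": "manual card entry"},
    {"txn_id": "T-1003", "payment_ref": "tok_c9e004", "note": "callback on 07700 900123"},
    {"txn_id": "T-1004", "payment_ref": "tok_77b1d2", "note": "loyalty card 1234567890123456"},
    {"txn_id": "T-1005", "payment_ref": "tok_1a2b3c", "note": "Amex 3782-822463-10005 exp 12/27"},
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['record']}: full card number in field '{f['field']}' ({f['masked']})")
```

Luhn passes roughly one in ten random digit strings, so hits are candidates to verify, not proof; a loyalty card number or long reference can pass. Run it over database exports, note fields and old backups, because free-text notes are where card numbers usually end up.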

No Data Processing Agreement with your vendor

A verbal agreement with your EPOS provider that "they'll look after the data" is not a DPA. Article 28 requires a written contract (electronic form counts) containing the processor terms. If your vendor refuses to provide one, find a different vendor. The ICO takes this seriously.

Ignoring breach notification

If your EPOS system is compromised and personal data is exposed, you must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If there is a high risk to individuals, you must also tell the affected customers without undue delay. Every breach, reportable or not, goes in your breach log with what happened and what you did about it. Many small operators either don't know this is a requirement or ignore it, hoping no one finds out. Failing to report is a separate breach of GDPR on top of the incident itself.

Not understanding where data lives

Some EPOS vendors offer "cloud-based" systems but store data in the USA or Asia. If your vendor processes UK personal data outside the UK without an adequacy decision, the UK-US data bridge, or a transfer agreement (the IDTA or the UK Addendum to the EU Standard Contractual Clauses), that's non-compliant. Ask your EPOS provider directly: "Where is my customer data physically stored, and where are the backups?" If they can't answer, don't use them.

The cost of non-compliance isn't theoretical. The ICO has issued fines as large as £20 million, and the maximum penalty under UK GDPR is £17.5 million or 4% of global annual turnover, whichever is higher. Penalties for small businesses are far smaller, and much of the ICO's action against small firms is for unlawful marketing under PECR, but reprimands and enforcement notices are published. More importantly, a data breach affecting your customers will damage your pub's reputation: loyalty members won't trust you with their personal information again.

Evaluating your current EPOS system

If you’re already running an EPOS system, here’s how to quickly assess whether it’s GDPR-compliant:

  • Do you have a written Data Processing Agreement with your vendor that contains the Article 28 terms? If not, request one immediately. If they refuse, plan to migrate.
  • Can you access a list of sub-processors? Your vendor should be transparent about third-party services processing your data and where they are based.
  • Does the system have audit logs? Can you see who accessed customer data and when, and can that log be altered by the people it covers?
  • Can you delete customer records, and does deletion reach backups within a stated period? If deletion isn't possible, data is being retained indefinitely, which is non-compliant.
  • Where is data stored? Confirm the geographical location and whether it's in an adequate jurisdiction or covered by a transfer mechanism.
  • Can you export one customer's data in a portable format? If a customer requests their data, can you provide it as CSV or JSON within a month?

When deciding whether to rent or buy your EPOS system, GDPR compliance should be a primary evaluation criterion regardless of the financial model.

GDPR compliance and pub business decisions

I’ve managed 17 staff and complex customer data at Teal Farm Pub across multiple peak trading scenarios. During a Saturday night with a full house, card payments, kitchen tickets, and bar tabs running simultaneously, the EPOS system is under real stress. It’s in those moments you need to trust that personal data is being handled securely and compliantly in the background. You can’t afford an EPOS crash, but you also can’t afford a data breach.

GDPR compliance affects your business decisions beyond just data security. If you’re thinking about implementing a customer analytics feature (tracking which customers buy premium spirits, for example), that’s personal data requiring compliance. If you want to run a referral programme asking customers to provide friends’ contact details, that’s data you must protect. If you’re considering selling customer data to marketing agencies or research companies, that’s only legal if customers have given explicit consent and your contract with the EPOS vendor permits it.

Using a staffing cost calculator to plan your team means more staff will have access to customer data. More access points mean more compliance risk, so your EPOS's access control features become critical: give each person their own login, not a shared till PIN.

Frequently Asked Questions

What is GDPR and does it apply to my pub?

UK GDPR is the UK General Data Protection Regulation, which sits alongside the Data Protection Act 2018 and governs how personal data is collected, stored, and used. It applies to any organisation, including pubs, that processes personal data about individuals. If you run a loyalty scheme, store customer email addresses, or process staff records through your EPOS system, UK GDPR applies to you. The maximum fine is £17.5 million or 4% of annual worldwide turnover, whichever is higher.

Do I need a Data Processing Agreement with my EPOS vendor?

Yes. Article 28 of UK GDPR requires a written contract (a Data Processing Agreement, or DPA) whenever a vendor processes personal data on your behalf. The DPA must set out what data is processed, for what purpose and how long, where it's stored, what security measures protect it, how sub-processors are handled, and what happens to the data when the contract ends. If your vendor refuses to provide a DPA, you should find a different EPOS provider. Standard terms of service only satisfy the requirement if they actually contain those Article 28 terms.

How long can I keep customer loyalty data?

GDPR requires you to keep personal data only as long as necessary for the purpose it was collected. For loyalty schemes, 2–3 years of inactivity is a reasonable retention period for most pubs — if a customer hasn’t visited in 3 years, you have no business reason to retain their record. Set an automatic deletion policy in your EPOS system or manually delete inactive records regularly. Document your retention policy and be prepared to explain it to the Information Commissioner’s Office.

What happens if my EPOS system has a data breach?

If personal data is compromised, you must notify the Information Commissioner's Office within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals; if the breach is likely to result in a high risk to individuals, you must also contact the affected customers without undue delay. "High risk" typically means data that could enable identity theft, financial fraud, or discrimination. You must document the breach, investigate what happened, and explain what steps you're taking to prevent recurrence. Failing to report a notifiable breach is a separate violation and attracts additional penalties.

Can I store payment card information in my EPOS system?

Never store the CVV, and avoid storing full payment card numbers or expiry dates. PCI DSS (Payment Card Industry standards) only allows the card number to be stored if it is rendered unreadable, and breaking the standard brings penalties from your acquirer and the card schemes, separately from any GDPR consequences. Your EPOS should tokenise payments, storing only a reference to the transaction, not the card itself. For refunds, use the transaction ID. If your EPOS vendor requires you to store card details, that's a red flag indicating they're not PCI-compliant and you should migrate.

GDPR compliance requires choosing an EPOS system with real data protection features — not just claims in marketing materials.



