GDPR Compliance for Restaurant Customer Data
Yes, GDPR Applies to Your Curry House Too
We've lost count of the number of restaurant owners who've told us "GDPR doesn't apply to us — we're just a small curry house, not a tech company." Unfortunately, that's not how data protection law works. If you collect customer names for bookings, store phone numbers for delivery orders, maintain an email list for marketing, or even have CCTV cameras in your restaurant, you're processing personal data and the UK General Data Protection Regulation applies to you. Full stop.
The good news is that GDPR compliance for a restaurant is far simpler than the scare stories suggest. You don't need a data protection officer, you don't need expensive software, and you don't need a law degree. What you do need is a clear understanding of a few key principles and some straightforward practices that protect both your customers' privacy and your business from potential fines of up to £17.5 million or 4% of annual turnover — whichever is higher.
What Counts as Personal Data?
Personal data is any information that can identify a living individual, either on its own or in combination with other data. For restaurants, this typically includes:
- Customer names
- Email addresses
- Phone numbers
- Home addresses (for delivery)
- Booking records (name + date + time = personal data)
- CCTV footage
- Online ordering account details
- Loyalty programme data
- Employee records (separate but equally important)
Even a handwritten booking diary contains personal data. Even your phone's call history from customer orders is personal data. The scope is broader than most people realise.
Lawful Basis for Processing
Under GDPR, you need a valid legal reason — called a "lawful basis" — for every type of personal data you collect and use. For restaurants, two bases cover most situations:
Consent
This applies primarily to marketing. If you want to send customers emails, WhatsApp messages, or texts promoting your restaurant, you need their explicit, freely given consent. This means a clear opt-in — a tick box that says "Yes, I'd like to receive marketing messages from [Restaurant Name]." Pre-ticked boxes don't count. Buying an email list from a third party doesn't count. Adding someone to your mailing list because they placed an order doesn't count unless they specifically opted in.
Legitimate Interest
This covers the operational stuff. You have a legitimate interest in processing customer data to fulfil a booking, deliver an order, or manage a loyalty programme that the customer has actively joined. You don't need separate consent for these activities, but you do need to be transparent about what data you collect and why.
Your Privacy Notice
Every business that collects personal data must have a privacy notice — a clear, plain-English statement explaining what data you collect, why you collect it, how long you keep it, who you share it with, and what rights individuals have. For a restaurant, this should be available on your website and, ideally, referenced on booking confirmation emails and at the point of data collection.
Keep it simple and jargon-free. Something like: "We collect your name, email, and phone number to manage your booking and, if you've opted in, to send you occasional updates about special offers and events. We keep booking data for 12 months, then delete it. We never share your data with third parties for marketing purposes. You can ask us to delete your data at any time by emailing privacy@yourrestaurant.co.uk."
The Right to Be Forgotten
Under GDPR, individuals have the right to request that you delete all personal data you hold about them. If a customer emails you asking to be removed from your systems, you must comply within one month. This means removing them from your mailing list, deleting their online ordering account if they have one, and removing their details from your booking system. The only exception is data you're legally required to retain (such as transaction records for tax purposes).
Data Breaches
If personal data is lost, stolen, or accessed by someone who shouldn't have it, that's a data breach. Common scenarios for restaurants include: a laptop containing customer data being stolen, an email list being accidentally sent as CC instead of BCC (exposing all email addresses to each other), or an online ordering system being hacked.
If a breach occurs that poses a risk to individuals' rights, you must report it to the Information Commissioner's Office (ICO) within 72 hours. You must also notify affected individuals if the breach is likely to cause them harm. Having a simple breach response plan — who to contact, what steps to take, how to report — means you won't be scrambling in a crisis.
Practical Steps for Compliance
- Audit your data — List every type of personal data you collect, where it's stored, and who has access to it.
- Write a privacy notice — Publish it on your website and reference it at data collection points.
- Implement proper consent — Add clear opt-in mechanisms for marketing communications.
- Secure your data — Use passwords on all devices, encrypt sensitive files, and limit access to those who need it.
- Set retention periods — Decide how long you'll keep different types of data and delete it when the period expires.
- Train your staff — Ensure everyone who handles customer data understands the basics of data protection.
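As an added example (not code from the original article), the following Python sketch shows how a restaurant's ordering or booking system could action a right-to-be-forgotten request across the mailing list, ordering accounts and booking records while keeping tax-required transaction records, and how the "12 months, then delete" retention rule from the privacy notice could be enforced. All sample data, the 30-day reading of "one month" and the 365-day reading of "12 months" are assumptions made for the example.

```python
import copy
from datetime import date, timedelta

# Constructed sample data standing in for a restaurant's separate systems.
MAILING_LIST = {"asha@example.com": True, "ravi@example.com": True}
ORDERING_ACCOUNTS = {"asha@example.com": {"address": "1 High St"}}
BOOKINGS = [{"email": "asha@example.com", "date": date(2024, 2, 10)},
            {"email": "asha@example.com", "date": date(2025, 1, 5)},
            {"email": "ravi@example.com", "date": date(2023, 6, 1)},
            {"email": "ravi@example.com", "date": date(2025, 3, 20)}]
TRANSACTIONS = [{"id": "T-1001", "email": "asha@example.com", "total": 48.50}]
BOOKING_RETENTION_DAYS = 365  # "12 months", assumed here to mean 365 days
ERASURE_DEADLINE_DAYS = 30    # "within one month", assumed here to mean 30 days

def erasure_deadline(received_on):
    """Date by which a deletion request must be actioned."""
    return received_on + timedelta(days=ERASURE_DEADLINE_DAYS)

def erase_customer(email, mailing_list, accounts, bookings, transactions):
    """Remove one person from every system except legally required records.
    Returns what was removed and which transaction ids were kept."""
    removed = {"mailing_list": mailing_list.pop(email, None) is not None,
               "ordering_account": accounts.pop(email, None) is not None,
               "bookings": sum(1 for b in bookings if b["email"] == email)}
    bookings[:] = [b for b in bookings if b["email"] != email]
    # Sales records stay on file for tax purposes; list them so the reply to
    # the customer can say what was retained and why.
    retained = [t["id"] for t in transactions if t["email"] == email]
    return {"removed": removed, "retained_transactions": retained}

def purge_expired_bookings(bookings, today):
    """Delete bookings older than the retention period; returns count purged."""
    cutoff = today - timedelta(days=BOOKING_RETENTION_DAYS)
    kept = [b for b in bookings if b["date"] >= cutoff]
    purged = len(bookings) - len(kept)
    bookings[:] = kept
    return purged

def run_demo(today=date(2025, 6, 1)):
    """Erase one customer, then run the retention purge, on copies of the data."""
    ml, acc, bk, tx = (copy.deepcopy(x) for x in
                       (MAILING_LIST, ORDERING_ACCOUNTS, BOOKINGS, TRANSACTIONS))
    return {"deadline": erasure_deadline(today).isoformat(),
            "erasure": erase_customer("asha@example.com", ml, acc, bk, tx),
            "purged": purge_expired_bookings(bk, today),
            "bookings_left": len(bk)}

if __name__ == "__main__":
    print(run_demo())
```

The returned summary is what you would keep as your record of having handled the request within the deadline, including which records were retained and on what legal basis.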
For email marketing done right, our guide to email marketing strategies for curry restaurants covers consent and compliance in detail. And for building a website that handles data properly, see our article on creating a restaurant website that converts.