This article does not constitute legal advice; seek legal counsel as appropriate.

You’ve probably seen the headlines: Tech giants Facebook and Google could each face over $4 billion in fines for alleged violations of a data-protection regulation. So what do restaurants need to know about this new law, the General Data Protection Regulation? We’ve partnered with Fishbowl, a data, marketing and analytics solutions provider to restaurants, to look at some FAQs about the GDPR:

What is GDPR?

GDPR is a regulation enacted by the European Union, effective May 25, 2018. It is designed to protect the personal data of EU citizens, giving them more control over their personal information.

My restaurant is in the United States, not the EU. Does GDPR apply?

If your restaurant proactively markets into any of the 28 EU member states and collects personal data from EU citizens, the GDPR’s requirements apply to you. Proactive marketing may include such activities as translating your website or emails into another country’s language or explicitly referring to EU users and customers.

But “if an EU citizen just happens to come upon a restaurant in the United States via the internet, for example, and provides personally identifiable information to the restaurant, the restaurant operator is not bound by GDPR regulations in these instances,” explains Deb Billow, vice president of data governance for the Association.

The rules also do not apply to EU citizens who are outside the EU when their personal data is collected.

What if my restaurant takes online reservations from EU citizens, or offers loyalty programs to EU citizens?

If EU citizens, while in the EU, ever book an online reservation at your restaurant or engage with your loyalty program app, you are required to comply with GDPR. You (or your third-party vendor) will need to follow GDPR rules to let these customers know how you plan to use, store and share their personal information.

To minimize their risk, some U.S. businesses that have few European customers are blocking EU IP addresses from accessing their website, notes Christopher Woods, director of audit and compliance for Nuix, a global software company that helps organizations with security, risk and compliance threats.

What’s the penalty for not complying with GDPR?

If you’re bound by the requirements of the GDPR and fail to comply, your company could face fines of up to 4 percent of your company’s annual global revenues or 20 million euros (equivalent to about $23 million), whichever is greater. Fines are tiered based on the infraction. Don’t count on being exempt because you’re on U.S. soil. “The EU has signaled that they are willing to use existing international treaties to fine data controllers outside of the EU,” explains GDPR security analyst Jonas De Oliveira of SecurityMetrics, a company specializing in data security and protection, including solutions for GDPR compliance.

Are small, independent restaurants exempt?

Businesses are required to comply regardless of size if they handle personal data of EU citizens. However, “Chances are slim to none that mom-and-pop shops will face fines,” predicts Woods. “It takes too much time and money to audit all these businesses. Are they going to go after $8.8 billion from Facebook and Google or $50,000 from a small restaurant?”

How can I comply?

Here are six steps to get started:

1. Follow the data. GDPR applies to all personally identifiable information (PII). This could be as simple as an individual’s name, address, email address or birthdate—all information restaurants gather through table reservations, loyalty programs and more. Start by identifying your current PII holdings. Conduct a comprehensive data audit, recommends Jo Fontaine, managing director of the UK office for Fishbowl. “Trace the journey of how the data came in,” she advises. Check what type of consent you’ve received, including what terms you gave individuals, and confirm whether it meets GDPR standards. Delete data as necessary.

2. Get valid consent. GDPR mandates that organizations have a “lawful basis” for collecting and using personal data. One acceptable option is to get individuals to freely consent. Under GDPR, they must opt in, not simply opt out, of data collection and usage. “Don’t use pre-ticked boxes or any other method of default consent,” advises “The Guide to the General Data Protection Regulation,” by the UK’s Information Commissioner’s Office. “Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough,” the guide continues.

3. Give customers more control over their data. Under GDPR, organizations must provide individuals with easy access to their data and allow them to have their data deleted upon request. Update your systems and procedures to allow for a quick response to these requests.

4. Update your privacy and cookies policies. Review and revise your policies as necessary to ensure that you are being transparent about data collection and usage. Your privacy notice should clearly note your lawful basis for processing the data and how the data will be used. Cookies—small files of identifying information generated by a website—are considered PII, so be sure to update your cookies policy and post it clearly on your website.

5. Verify that third-party suppliers are in compliance. Confirm that your online reservation company, website development company, email marketing firm, loyalty app and any other third-party supplier that processes data are following proper procedures. “Ask your vendors for a data processing agreement that specifies that they’re in compliance with GDPR,” recommends David Fowler, vice president of strategic services at Fishbowl.

6. Document all your work. Documentation will help demonstrate your due diligence should your restaurant ever be audited.