By the Office of the Privacy Commissioner of Canada, October 27, 2014
Between keeping up with the most recent culinary trends, new technologies and customer expectations, your plate is full. Small businesses often don’t have the money to hire privacy specialists – but good privacy compliance doesn’t have to be expensive or time consuming for restaurant owners.
As an entrepreneur, you know that the success of your business depends on gaining the trust of your customers with the quality of the products and services you provide. This is why respecting and protecting their personal information when they visit your establishment – in the flesh or electronically – should be a key element of how you achieve good customer relations.
If your business runs a website that collects personal information (for example, through a newsletter subscription), gathers its customers’ preferences, manages various loyalty programs, asks for customers’ ID, or has video surveillance cameras in its establishment, you are collecting, using or disclosing personal information in the course of commercial activities. In Canada, private sector organizations that engage in such activities have to respect the ground rules of the Personal Information Protection and Electronic Documents Act (PIPEDA) or the applicable provincial legislation.
For starters, here is what you need to know about PIPEDA:
To collect, use or disclose your clients’ personal information, you generally need their consent.
Personal information could include clients’ preferences or order histories, contact information, and/or video or audio footage.
Generally speaking, you can use or disclose your client’s personal information only for the purpose for which it was collected, unless your client consents.
For example, if you collect their address for delivery purposes, you can’t use it to send them special offers unless you obtain their consent to do so.
You also can’t sell your customers’ habits to a third-party marketer unless they gave you consent to do so.
Even with consent, you may also be subject to other requirements, such as the requirement to only collect, use or disclose personal information for an appropriate purpose.
The law requires that any personal information you collect be protected with adequate security safeguards. This may include limiting employee access to customer information to a “need-to-know” basis and securing computer systems that hold personal information with passwords, encryption and firewalls.
Individuals have a right to see the personal information that your business holds about them, and to correct any inaccuracies.
Good privacy is good business
Gaining the trust of customers is important for all businesses – and losing it can take only one incident. According to a study by PR firm Edelman, Privacy & Security: The New Drivers of Brand, Reputation and Action Global Insights 2012, data security and privacy considerations have a huge impact on purchasing decisions. In fact, the study showed that nearly 50 per cent of participants would either leave or avoid businesses that suffered a security breach.
Making privacy and security a key part of your branding and corporate identity can be an important step to build consumer confidence and trust. And new evidence shows that protecting privacy is not only good business – it’s good for business.
Useful privacy tips for restaurant owners:
Let your customers know whom to contact when they have privacy-related concerns. Clearly post contact information for your Privacy Officer on your premises and your website.
Train your staff about privacy. You are ultimately responsible for your team members’ actions – prepare them on how to answer privacy questions and comply with the law.
Collect as little personal information as possible; tell your clients why you ask for it, and obtain their consent to use it. If you are not able to explain to your clients why you need certain information, they might be suspicious of your business practices.
Examine drivers’ licenses without recording the number or making copies of them. Wanting to protect your business against inadvertently serving alcohol to minors is a legitimate concern – but you should not keep a copy or record the number of drivers’ licenses. This number is highly sensitive and much sought after in the course of identity theft.
Video surveillance is considered a collection of personal information. Tell your clients if they are being recorded on camera by posting clearly visible signs to let them know that video surveillance is being used. Even if you are not retaining the footage, you should only use it if you have a real need to do so.
Implement safeguards to protect personal information adequately. You should treat personal information as you would actual cash. After all, personal information can be a goldmine for identity thieves and organized criminals.