GDPR compliance for restaurants – what you need to know!
Before diving into our latest podcast we want to share with you that Favouritetable users can now benefit from a FREE e-book/quick-start guide, covering everything restaurant owners need to know about data protection, which also aligns with our special software marketing module AND includes WhatsApp integration – all as part of our forthcoming partnership with hospitality marketing specialists Really Social! Click HERE to receive your free e-book NOW.
Interview by Mark Ferguson of Favouritetable, with Jon Belcher – Partner at Excello Law
Mark Ferguson:
Welcome to the Favouritetable podcast. I'm Mark Ferguson, and today I’m joined by Jon Belcher, data protection specialist and Partner at Excello Law. We’re diving into the ever-relevant topic of GDPR—specifically what it means for restaurants in 2025. Jon, thanks for joining us.
Jon Belcher:
Thanks for having me, Mark. Great to be here.
Understanding the basics
Q: Let's start at the beginning – what is GDPR, and how does it apply to restaurants?
Jon: GDPR—now UK GDPR post-Brexit—is a legal framework regulating how businesses collect, use, store, and protect personal data. For restaurants, that includes customer contact details, booking information, employee data, and any marketing lists. Even if GDPR isn’t making headlines like it did in 2018, the responsibilities for businesses haven’t gone away.
Marketing and consent
Q: One major area is marketing. What do restaurants need to know about using customer data for promotional purposes?
Jon: Marketing is where things get nuanced. If you're sending emails or texts with promotional offers, you generally need the recipient’s consent. Alternatively, under what's called the “soft opt-in,” if someone makes a reservation and you offer a clear chance to opt out of future marketing—and they don’t—you can send them marketing related to your restaurant. But every message must include an option to unsubscribe.
The role of technology
Q: So how does restaurant software like Favouritetable help with compliance?
Jon: Platforms like Favouritetable can simplify GDPR compliance by providing a structured way to gather and store consent, manage opt-outs, and document customer preferences. However, the tech is only as good as the data and processes behind it. The legal responsibility still rests with the restaurant to ensure data is being used lawfully.
Analog vs Digital: Is low-tech still viable?
Q: Can smaller restaurants still manage data protection without software systems?
Jon: Technically, yes. The law is tech-neutral. But realistically, as compliance grows more complex, using only pen and paper or spreadsheets becomes risky. A digital system can help automate reminders, document consents, and make audits easier. It’s about balancing practicality and legal compliance.
Don’t delegate GDPR to the intern
Q: Is GDPR something a junior employee can handle?
Jon: Definitely not. Handling personal data touches on legal, reputational, and operational risks. Restaurant owners need internal policies and staff training. It's vital that whoever manages customer data understands the regulations, ensures transparency, and documents every step, especially for marketing.
Security: Prevention and response
Q: Let’s talk about security. What happens if a restaurant experiences a data breach?
Jon: Security is a big deal. The law requires “appropriate technical and organisational measures” to protect data. That might mean firewalls and antivirus software, or staff training and secure filing. If a breach happens—even if you’ve tried your best—the Information Commissioner’s Office (ICO) considers your preparedness. You must also notify them within 72 hours if the breach poses a risk to individuals. For severe negligence, you could face reputational damage, customer churn, and even fines.
Real consequences
Q: What’s the worst that could happen to a restaurant that ignores GDPR?
Jon: There are three levels of risk:
- Regulatory fines – The ICO can fine up to £17.5 million or 4% of global turnover. But for most restaurants, fines are rare unless there's been gross negligence.
- Legal action – Individuals can sue for distress or damage caused by data mishandling, though this is still relatively uncommon.
- Reputational fallout – This is the most immediate and damaging. If a breach becomes public, you risk losing customer trust, staff confidence, and even supplier relationships.
Targeted ads and data ethics
Q: What about those Facebook or Google ads that seem to know exactly what we’re thinking—are those GDPR compliant?
Jon: They operate under complex systems of consent and legitimate interest, often managed through cookies and privacy policies users agree to—sometimes without realising. For small businesses, trying to replicate that model without legal and tech infrastructure is risky. Direct marketing by email or SMS should follow the simpler rules: get consent or offer an easy opt-out from the start.
The marketing trap
Q: Can you clarify the “soft opt-in” for marketing?
Jon: Sure. If someone books a table and gives you their email, you can send them marketing messages about similar services—but only if:
- You collected their details during a transaction,
- Gave them the chance to opt out at that time,
- And include an unsubscribe option in every message thereafter.
Failing to do any one of those steps makes your marketing non-compliant.
The restaurant owner’s GDPR checklist
Q: So, if I’m a restaurant owner, what’s my GDPR to-do list?
Jon: Here’s a practical checklist:
- Know your data – What are you collecting (names, emails, allergies, payment info), and why?
- Have a legal basis – Whether it’s consent, a contract, or legal obligation, know why you’re allowed to use that data.
- Be transparent – Tell customers what data you collect and what you’ll do with it, ideally via a clear privacy notice.
- Manage marketing properly – Get proper consent or follow the soft opt-in rules and always include an opt-out.
- Secure your systems – Use appropriate software and train your staff to prevent breaches.
- Be prepared for breaches – Know your response plan: notify the ICO if needed, inform affected individuals, and assess what went wrong.
- Review and document – Keep records of how and when you collected consent, how data is stored, and how long you retain it.
Final thoughts
Q: Jon, any last words of advice for restaurant owners?
Jon: Take data protection seriously, even if you're a small operation. Think of it as part of good customer service and brand trust. Customers are giving you their data in good faith—it’s your job to treat it with care. With some upfront planning and the right tools, GDPR doesn’t have to be a burden. It can actually become a competitive advantage.
For more insights on restaurant compliance and technology, visit https://restaurant.favouritetable.com/