As the new year approaches, so does new consumer protection legislation in California. On January 1st, 2020, California will bring into effect the California Consumer Privacy Act (CCPA). This follows the expanded data protection legislation introduced in the European Union in 2018, known as GDPR.
Whether or not these regulations apply to your business, keeping your customers’ data secure is paramount to your business’s reputation. We’ve put together a few best practices for your restaurant to follow:
1. Know what personal information your restaurant collects, and know where it is stored.
Do you know what information you are collecting from your customers, and where that information is stored? For instance, if you offer delivery, you may be collecting customer names and addresses in your point of sale system. If your point of sale system does not use a server in your restaurant but operates in the cloud, that address is stored on an offsite server owned by your point of sale provider. Take the time to familiarize yourself with where each piece of customer data is stored, and where security issues could arise. If you do business in California, you will have to be prepared to provide a customer’s personal information upon request.
2. Only ask for data you need.
Your restaurant needs a name and phone number for pickup orders, but you don’t need to know your customer’s favourite movie from the 1990s. Only collect customer data that will help your business. Many businesses collect information like birthdays without ever using it. While a customer’s birthday is useful for customer segmentation, business intelligence, and birthday promotions, if you aren’t doing anything with it, it might be best to delete it. Many businesses get into the bad habit of hoarding data they never use. Every record you keep is a record that can be exposed, and storing it is not free either.
In a profile, Michelle Howey, CTO of Chicago Franchise Systems, told us how important it is to follow data protection laws: "Customer privacy and data confidentiality is so important. The internet makes people more vulnerable. Following all applicable laws is important."
3. Change your passwords regularly.
Often when we talk about data security, we talk about attacks on the system from an outside source. The risk posed by your own staff is sometimes overlooked. Restrict access to customer data to only those who need it to perform their job. It’s very easy for someone with malicious intent to write down an address pulled from your customer database. Regularly change your system’s passwords, and be mindful of who has access and whether they still need it.
4. Get the technical stuff right.
Back to that hacking risk. Make sure your restaurant’s systems are on a secure network that customers cannot reach. Your point of sale system should definitely not be on the same network you use to provide public internet access; keep it on its own network, separate from the guest Wi-Fi.
If you, as a restaurant owner, are unsure of how to keep your point of sale locked down (and comply with PCI), talk with your point of sale provider, a lawyer, and a Qualified Security Assessor (QSA). They can explain exactly what you need to do for your restaurant.
Keep your customers’ information safe, and your restaurant’s reputation intact, by taking customer data security seriously.
Posted on Wed, Nov 27, 2019 @ 08:11 AM.
Updated on November 10, 2020 @ 8:51 PM PST.