Xune Business Growth Insights

How to be GDPR Compliant with Track and Trace

track and trace marketing

The UK’s Track and Trace system has become a key element to a wide variety of businesses and facilities within the UK. Hospitality, tourism, close contact facilities, facilities run by local authorities and places of worship… That’s a lot of places The sheer scale of these places means that thousands upon thousands of people are having their personal details stored. As this is the case, being GDPR compliant is important. Being GDPR compliant is an issue that is important but can also be confusing at times.

Once you get past the confusion and create a good, compliant track and trace system, depending on your business, this can create potential opportunities for your business in regards to marketing. Here we will discuss what the track and trace system actually is, how you can go about being GDPR compliant and what it could mean for businesses marketing.

What is Track and Trace?

The term Track and Trace is a term that has been commonly used. However, it’s official title is the NHS Test and Trace. The Test and Trace is a policy in response to the COVID-19 pandemic, it has been designed in order to create a rapid response to people who have come into contact with someone who has tested positive for COVID-19. The details of the system require the businesses we have already mentioned to take personal details of customers and staff who have entered their business and retain that information for up to 21 days. It is compulsory for every business to ask at least one visitor in a party for their details, the visitor however is not forced to give their details if they don’t want to. 

The details that these businesses or facilities are asked to retain are:

  1. The names of staff or customers on the premises
  2. The number of visitors or customers
  3. A contact number for the staff, customers or visitors. If they are in a group, one number can be taken down as an acting ‘lead’ member of the group.
  4. And finally, the time and date they arrived and left (if possible).

How Can the Data be Collected?

There are numerous ways you can collect your data. The most traditional method is via pen and paper, this is fine of course, but bare in mind to remain GDPR compliant the information of customers should not be able to be viewed by other customers that are not in the same party. This means that ideally you will have a member of staff available at all times to take this information. This may be more effort than it’s worth, as a result, it is recommended that this data is best collected online. From here, there are a number of ways to collect your data while remaining compliant. 

track and trace GDPR

If you are a business that has an online booking system for your customers, you can easily collect the data via this system and store it within. As the customers will be aware of the online booking you can retain the information with their consent already given, all while being compliant and not taking any extra steps.

You can also link a QR code to your online data collection system. This has become a popular method for many businesses, particularly within hospitality. It allows any visitor to register their details in confidence at their own leisure, going straight into the business system once they submit their data. This is arguably the second best method to use to collect data while remaining GDPR compliant.

What Does This Mean for Marketing?

Well… unfortunately, if your business is collecting any data that it didn’t usually, then it cannot be used for any other purpose than Track and Trace, none whatsoever! Any breach of this breaks compliance laws. So, for example, if a community centre has taken details such as names, emails and numbers for the Track and Trace but has never collected this type of information before, they cannot start messaging or emailing their visitors using this information. One: it is not GDPR compliant, two: you may receive complaints from your visitors.

However, businesses that regularly retained this type of data, and used this data for marketing purposes with their consent, you can continue to use this data. While this may not seem like a big opportunity, here is why it may be beneficial for you. Visitors may feel more obligated to give their information in order to support the Track and Trace, this means you may find a slight rise in potential marketing leads that you can get in touch with. 

track and trace GDPR

You must be careful though. While consent for Track and Trace is not always necessary, you should still let your visitors know that their data may still be used for marketing purposes. If you flip the switch on this, and you have a visitor that is submitting their details for your services, which can be used for marketing or otherwise, you should let them know that their information may be used for Track and Trace.

In short, ensure you follow the necessary steps to be GDPR compliant with the NHS Test and Trace system. It may seem confusing, but just ensure that you and your visitors work together, do not use their details in a way that may seem exploitative and never, ever share their data with others without their permission.