Following the recent Facebook scandal and the upcoming implementation of GDPR, one angry restaurant owner shows what not to do in a world obsessed with data privacy
Given the climate of distrust felt by consumers over privacy protection following the Cambridge Analytica scandal and with General Data Protection Regulation (GDPR) preparations in full force across the country, it’s perhaps not the greatest idea to spread a customer’s personal details online. But this didn’t stop restaurant owner Russell Bullimore, who publicly named and shamed a no-show on Twitter. And what could happen next doesn’t look pretty.
While Bullimore may have had reason to feel vengeful, sharing the name, number and email of the customer may have landed him in hot water. "The publishing of personal data on a public forum such as Twitter for the above purposes constitutes a breach of the Data Protection Act 1998 (DPA),” says Emma Stevens, associate solicitor at Coffin Mew, the law firm. She adds that publishing data like this is only warranted if it's a “necessity to perform a contract, comply with a legal obligation or administer justice.”
Bullimore may have realised how his actions may have cost him both clients and given him legal troubles after there was a public outcry online and the woman who had her data shared said she’d report him to the Information Commissioners Office, the independent body set up to protect people’s information rights. If he’s found to have breached data protection regulations, Bullimore could face fines under DPA of up to £500,000 or 1% of annual turnover. Maybe that’s why the restaurant owner quickly issued an apology on Twitter, saying his actions were “fuelled by emotion”.
Ironically, when asked by the MailOnline, the restaurant refused to provide Bullimore’s details on grounds of not wanting to breach “data protection.”
However, despite the apology, Bullimore could still be facing legal action. “The risks are huge,” says Patrick O’Kane, author of the book GDPR: fix it fast. “This is a clear breach of the customer's privacy and a breach of GDPR. Litigation, fines and public disgrace could follow for the unfortunate restauranteur.”
But the owner has some degree of luck left considering his actions just narrowly missed the implementation date for GDPR on Friday May 25. If the regulations were already in force, Bullimore’s actions could’ve served a whole mess of problems on his plate. “The restaurant owner could be investigated, with the potential of a fine of up to €10m or 2% of the company’s global annual turnover of the previous financial year, whichever is higher for the first violation,” says Steve Woods, marketing and partnerships of EMEA at Deputy, the employee management software company.
While Bullimore’s decision was unwise, even legal experts admit the stressful nature of the food industry may have provided fuel to him instigating a flame war on social media. “Running a restaurant and dealing with staff being ill, supplies not turning up, changes to minimum wage and increases in food prices is tough,” says Woods. “[But that’s] no excuse for leaking customer data, but it's possible that the manager is trying to juggle too much at once.”
Bullimore may or may not have learned a lesson but his situation certainly gives business owners reasons to face the dawn of GDPR with some care. Moving forward, as a general rule of thumb, simply remaining calm, considerate and responsible for the private information of consumers is the secret recipe to avoid eating humble pie.