Background Questions


What is it?

GDPR is the acronym for the new General Data Protection Regulation being introduced on 25th May 2018 that will cover any organisation that processes data relating to EU citizens. It will change how organisations treat data that they hold on individuals and despite some confusion and negative opinions, it can benefit businesses. This is because better and more personal relationships with customers will be formed and data will be cleaner and more valuable to your business. Initially, it might look a bit difficult to get off the ground, but don’t be put off. Take a look at our e-book for a more extensive look at the GDPR.

What legislation do we have today?

Currently, in the UK, businesses operate under the Data Protection Act 1998, which was established in a time before people had the online presence they do now.

Why is it changing?

There is now a shift in the amount of data being produced. The GDPR will focus heavily on protecting individuals and their data. In our constantly expanding digital world, the GDPR will strengthen consumer privacy rights and clear up any uncertainty over the consent needed for using your customer’s data.

What happens in light of Brexit?

UK businesses will still have to comply with the GDPR regulation because they interact with EU organisations and use the data of EU citizens. It applies worldwide.  

What happens if I don’t comply?

In short, you may be faced with increased financial penalties. At the moment, there is a £500K cap on monetary penalties with regards to data protection. However, if you don’t comply with these new rules, your business could be fined a much higher amount. The charges are different depending on how seriously you neglect the regulation’s points but can be up to 4% of your annual global turnover or €20 million (whichever is greater).

seo website

What is actually changing?


In brief, the changes relate to the following:


When you ask customers if you can send them emails from your business, you have to be clear, specific in terms of what they’re opting into, and use plain language. Opting into marketing communications from your restaurant must be voluntary, and you can no longer use a pre-ticked opt-in (or automatic opt-in) as consent for communications. You may have to refresh existing consent if you aren’t already GDPR compliant.


Terms and conditions and privacy notices on your website cannot have hidden opt-ins, must be easy to read, and not full of jargon and legalese.

Data subject rights

Diners (Data subjects) should be able to track any changes to data held and request all information that a restaurant has on them. Data subjects can also request a free electronic copy of their data, the £10 admin fee no longer applies. Data subjects can withdraw their consent at any time and have their data erased. Data protection should be an integral part of company policy.


This will affect all companies that process data of EU citizens regardless of whether or not they reside in the EU.

Wider definition of personal data

Information such as an online identifier – e.g. an IP address – can be classed as personal data. Changes in technology, and ways that organisations collect information mean that a wider definition of personal data is needed.

ResDiary FAQs



Where is the data physically stored?

Data is stored securely in data centres managed by Rackspace in the UK.

How do you store/process data to ensure GDPR compliancy?

To be compliant, an organisation must only store/process data:

  • That is needed for lawful processing  – to deliver a service 


  • To which if they have expressly been given consent

This is what ResDiary currently does. We will shortly be carrying out work to ensure that there are no automatic marketing opt ins via any ResDiary platforms.

Who is the data shared with externally?

ResDiary doesn’t share data externally, however, if a customer books through a third party (e.g Time Out), they may have opted in to the third party’s marketing list. This means the data will be stored on their systems too. ResDiary only shares data with external business partners or third party initiatives about a particular offering that diners have opted into.

How long is the data kept for?

We are currently reviewing ResDiary’s data retention period and will update restaurateurs on this as soon as we can.

How can data be amended/supplemented?

You can do this via updates to the diner record on your ResDiary system.  Please note that ResDiary offers a role based permission system through which you can control who in your team can update and track any changes.

When and how is the data deleted?

Data can be deleted upon request either by you or by us. A diner can contact us on to delete their record.

Can we remove old/obsolete data – delete an audit trail?

You can delete customer records via Reports and Customer List in ResDiary. We are currently agreeing an appropriate retention period for data, and are looking to provide tools to allow either deletion or anonymisation of old data.

What back ups and security is available for the data held in ResDiary?

We use one of the leading Managed Security Service Providers – Rackspace. Thousands of organisations, including global enterprises, use this company.

Who is the point of contact at ResDiary in the event of a data breach?

The point of contact from ResDiary is the Chief Operating Officer, Mike Breewood, who is also our Data Protection Officer. He will invoke the data control procedure with the Chief Technical Officer, Colin Winning, as required. Then we will report the breach to the relevant supervisory authority within 72 hours of the organisation becoming aware of it.

How would data be deleted in the event of us no longer working with your company?

Please see note on data retention policy review above. This will be communicated in the coming weeks.

We will need to have explicit consent for use of personal data held for marketing, will this be a feature enabled for new guests created?

Yes, you will need explicit consent to market to individuals. We have already removed automatic opt-ins from most of our widgets and are working to identify any remaining ones, which is one aspect of becoming compliant. Other aspects relate to delivering clear and separate opt-ins for ResDiary and restaurants, and providing the appropriate audit trail of consent. This is a work in progress that will be delivered over the coming months.

Share on: