Updated 4 June 2026

Data protection for restaurants: your UK GDPR duties

The short answer

A restaurant holds personal data — staff records, customer bookings, often CCTV and a marketing list — so it must comply with the UK GDPR and the Data Protection Act 2018. In practice that means registering with the ICO and paying the annual data protection fee (most small businesses are on the lowest tier), having a written data protection policy, only using personal data for clear and lawful purposes, keeping it secure, honouring requests from individuals to see or delete their data, and reporting serious breaches to the ICO within 72 hours.

Data protection is the compliance area restaurants most often forget they fall under — but you almost certainly do. The moment you hold a staff rota, take a booking, run a CCTV camera or email a regular about an offer, you're processing personal data, and the UK GDPR applies. The good news: for a typical independent restaurant the duties are manageable. Here's what they are.

What law applies, and what counts as personal data?

Your obligations come from the UK GDPR and the Data Protection Act 2018, regulated by the Information Commissioner's Office (ICO). Personal data is anything that identifies a living person — and in a restaurant that's more than you'd think:

  • staff records — contracts, payroll, right-to-work, disciplinary files;
  • customer bookings and contact details;
  • CCTV footage of identifiable people;
  • a marketing list of regulars.

Registering and paying the ICO fee

Unless you're exempt, you must register with the ICO and pay an annual data protection fee. The fee is tiered by size and turnover, and most small restaurants sit in the lowest tier. It's an inexpensive, once-a-year administrative step — but skipping it when you should pay is itself something the ICO can fine you for, so it's worth doing early.

The core duties in plain terms

  • Have a written policy — what data you hold, why, your lawful basis, retention periods, security and how people exercise their rights.
  • Use data only for clear, lawful purposes — and not quietly repurpose it (e.g. using a booking email for marketing without consent).
  • Keep it secure — access controls, sensible retention, and not holding data longer than you need it.
  • Honour individuals' rights — including requests to see (a subject access request) or delete their data.
  • Report serious breaches to the ICO within 72 hours where there's a risk to people.

CCTV and marketing: the two that trip people up

CCTV capturing identifiable people is personal data — you need a clear purpose, signage, secure storage and a sensible retention period. Marketing emails and texts are governed by PECR as well as the UK GDPR: you generally need consent, and every message must offer an easy opt-out. A "dairy-free specials" mailout to people who only ever gave you a booking email is exactly the kind of slip that draws complaints.

Do you need a DPO? Almost certainly not

A statutory Data Protection Officer is only required for large-scale or sensitive processing — a typical independent restaurant doesn't meet that bar. You don't need a formal DPO, but you should name one person (usually the owner or manager) as responsible for data protection and the point of contact for requests and breaches.


Keeping the policy current and the team aware

Data protection isn't a training-heavy area, but two things still need keeping alive: the policy itself, kept current as your practices change, and staff awareness of the basics — how to handle a customer's data, what to do if there's a breach. frunt holds your data protection policy alongside your other compliance documents, versioned and dated, and can turn the staff-facing essentials into quick induction with a record that the team has seen them. Get started with frunt, or book a walkthrough.

Frequently asked questions

Do restaurants need to register with the ICO?

Almost always, yes. Unless you're exempt, any organisation that processes personal data must pay the ICO a data protection fee and be on its register. The fee is tiered by size and turnover, and most small restaurants fall into the lowest tier. Not paying when you should is itself an offence the ICO can fine you for.

Do I need a written data protection policy?

It's strongly expected. You hold staff, customer and sometimes CCTV data, and the ICO expects organisations to have a written policy setting out what data you hold, why, your lawful basis, how long you keep it, how you keep it secure, and how people can exercise their rights. For a small restaurant the policy can be short, but it should exist.

Does a restaurant need a Data Protection Officer (DPO)?

Usually not. A statutory DPO is only required in specific cases — mainly large-scale or sensitive processing. A typical independent restaurant doesn't meet that threshold, so you don't need a formal DPO. You should still name a single person (usually the owner or manager) who is responsible for data protection and is the point of contact for requests and breaches.

What are the rules on CCTV and marketing emails?

CCTV that captures identifiable people is personal data: you must have a clear purpose, signage telling people it's in use, secure storage and a sensible retention period. Marketing emails and texts are governed by PECR as well as the UK GDPR — generally you need consent to send them, and every message must offer an easy way to opt out.

How quickly must I report a data breach?

If a personal data breach is likely to risk people's rights and freedoms, you must report it to the ICO without undue delay and within 72 hours of becoming aware of it. If the risk to individuals is high, you usually have to tell the affected people too. Keep an internal record of breaches even where you decide not to report.