A restaurant's most valuable asset is not the kitchen equipment or the interior. It's the database of loyal guests. Yet most UK restaurants collect almost no customer data — and when they do, they barely use it.
Guests who feel an emotional bond with a restaurant spend 30% more per visit (Deloitte research). Personalised emails are opened 14% more often (Mailchimp data). A restaurant with 1,000 loyal guests = 1,000 email addresses, each representing £20-50 in annual recurring revenue.
The challenge is to collect data in a GDPR-compliant way — and that's a lot simpler than most restaurateurs think. In this article we unpack the legal basis and show how you turn customer data into returning guests.
Why customer data is the most undervalued asset in hospitality
Imagine: you sell your restaurant. What does the buyer take on? Your kitchen, your location, your supplier contracts — but also your customer base. Restaurant buyers pay extra for a large, active guest database.
So why don't most restaurateurs invest in this asset? Three reasons:
- GDPR fear: "surely we're not allowed to keep data?" — a mistaken assumption
- No system: without a reservation system with CRM functionality, keeping data is difficult
- No time: using data seems complex and time-consuming
The reality: with the right system (like HappyChef) and the right legal basis, collecting and using customer data is both legal and relatively easy for fine dining restaurateurs. The result? A steadily growing goldmine of returning guests. What's rarely priced in is the flip side: a poorly handled guest database is also a direct liability if it's ever breached, which is exactly what a cyber-liability policy is designed to cushion.
Step 1: Which data is genuinely valuable (and which isn't)
Not all customer data is equal. What's genuinely valuable for restaurants:
Tier 1 — Essential:
- First and last name
- Email address
- Visit frequency (how often, when)
- Average party size
Tier 2 — Valuable:
- Birthday (not age)
- Dietary restrictions and allergies
- Preferred tables
- Special occasions (anniversaries, children's birthdays)
Tier 3 — Gold:
- Wine preferences
- Order history and average spend
- Visit notes (special requests, compliments, complaints)
- Social occasions (a regular "business dinner group", a regular "birthday group")
The data-minimisation principle: collect only what you actually use. A huge database with poor data quality is worthless — a small, rich database is gold. Use HappyChef guest profiles to keep this structured.
Step 2: GDPR in hospitality: what's allowed and what's required?
The UK GDPR (together with the Data Protection Act 2018) is less restrictive for restaurants than most think. The key lies in the lawful basis you use for processing data:
Operational use (performance of a contract): entirely legal without consent
- Storing a name for the reservation ✓
- Sending an email to confirm ✓
- Recording allergies for food safety ✓
- Sending a reminder for the reservation ✓
Marketing use: requires explicit consent OR legitimate interest
- Sending a newsletter → consent needed ✗ (without agreement)
- Follow-up email after a visit → legitimate interest ✓ (with opt-out)
- Birthday email → legitimate interest ✓ (with opt-out)
- Selling data to third parties → NEVER allowed ✗
Step 3: The legitimate interest principle (the key for restaurants)
Article 6(1)(f) of the UK GDPR — "legitimate interest" — is the lawful basis that lets restaurants use their customer data for marketing without explicit opt-in consent. Note that under the Privacy and Electronic Communications Regulations (PECR), marketing emails to existing customers can rely on the "soft opt-in" provided you offer an opt-out each time.
The three criteria for legitimate interest:
- Your interest is genuine: you want to inform guests about your restaurant because they were previously customers
- Necessary for that purpose: emailing is a reasonable way to achieve this
- Does not override the rights of the individual: the guest can easily unsubscribe, and the email isn't intrusive
A practical example that's legal:
"We're emailing you about our summer menu because you've visited our restaurant before and may be interested." — This is a valid application of legitimate interest.
What must always be present:
- A clear opt-out link in every email
- Your identity as the sender
- The purpose of the email
- No excessive or surprising profiling
Step 4: Building customer profiles
With the right approach you build rich customer profiles automatically. HappyChef's system links every reservation to a guest profile — so your database grows with every visit without extra admin.
How to collect tier 2 and tier 3 data:
- Ask about dietary restrictions and allergies during the booking process (legally required for food allergens, and GDPR-compliant)
- After the third visit, send a short email: "To make your next visit even more personal, may we ask..." — with a maximum of 3 questions
- Train staff to notice special occasions and record them in the system: "They were celebrating their anniversary" — one note that enriches every future reservation
- Use WhatsApp confirmations with a short preference question (e.g. "Do you prefer indoors or the terrace?")
Step 5: Personalisation that generates revenue
Customer data only has value when you use it. Concrete personalisation tactics that work:
Birthday campaign:
- Send a personal email with a special offer 2 weeks before the birthday
- Redemption rate: 40-60% with well-targeted birthday emails
- Example: "Happy birthday [name]! As a gift: a free dessert on your next visit in [month]"
Win-back campaign (churners):
- Guests who haven't visited in 3 months → "We miss you!" email
- Average re-activation rate: 15-25% with the right tone
- Use legitimate interest (they were previously a customer) — always offer an opt-out
Segmentation:
- Meat lovers get an announcement of your new rack of lamb
- Vegetarians receive news about your seasonal vegetable menu
- Business guests (large tables, short visits) receive information about private dining options
Read more about effective email marketing for restaurants and how to build customer loyalty.
Step 6: Tools and systems
Your reservation system is the heart of your CRM infrastructure. A good system automatically links reservation data to customer profiles, so your database grows without extra work:
- HappyChef guest profiles: automatic building of customer profiles with every reservation
- Email platform integration (Mailchimp, Klaviyo): export segments for targeted campaigns
- HappyChef Analytics: insight into visit frequency, average spend and churn risk
- Privacy policy: keep an up-to-date privacy policy on your website that describes your data processing
Step 7: GDPR compliance checklist for restaurants
Use this checklist to check whether your restaurant is GDPR-compliant:
- Privacy policy on your website describing your data processing ✓/✗
- Consent or legitimate interest documented per communication type ✓/✗
- Opt-out mechanism in all marketing emails ✓/✗
- Procedure for data requests from guests (access, deletion) ✓/✗
- Data retention policy: how long do you keep customer data? (recommendation: 3 years for inactive guests) ✓/✗
- No reselling of data to third parties ✓/✗
Compliance on paper is only half the job — the data you're protecting also needs to be genuinely secure against theft, since a breach involving guest or staff data brings its own strict reporting duty; see our guide to restaurant cybersecurity for how to lock down your POS system, Wi-Fi and vendors.
Customer data is a long-term investment. Every reservation is a chance to strengthen the bond with a guest. Start systematically building your guest database today and combine it with restaurant analytics for maximum insight.