What You Need to Know About the GDPR as an Escape Room Owner

What You Need to Know About the GDPR as an Escape Room Owner

The General Data Protection Regulation (GDPR) is coming.

Everybody knows it …

… or do they?

If you run escape rooms in Europe, you may be feeling a twinge of discomfort … as if you’re sure there’s a bit more you should be doing, but you’re not sure what.

Of course, that’s to be expected with any new legislation.

And, indeed, the creators and enactors of the GDPR are feeling the same way. They’re not sure how it’s really going to turn out.

In this guest post by Bill Parslow, Head of Content at Buzzshot, you’ll get a primer on what the GDPR is, how it impacts you as an escape room owner, and what you need to do to make sure you’re in compliance by 25 May.

The GDPR:  A Brief Summary

What is the GDPR? Here's a brief summary.

What is the GDPR?

It is a new set of regulations that considerably beefs up data protection laws, giving citizens of the European Union greater control over – and protection from misuse of – their personal data.

The GDPR actually became law in Europe two years ago, but some countries, like the UK for example, had two years to implement it. That two years comes to an end on 25th May, 2018.

While there are many articles online covering the basics of the GDPR for large, international corporations, what you really want to know if how the law affects escape room operators.

Here, I’ll do my best to provide you a practical, real-world, common sense approach to the subject. I will attempt to be more comforting than alarming, and I’ll focus on making sure you know what you need to do to comply without getting hung up on all the stuff you don’t need to worry about.

The GDPR Is Pretty Sensible Stuff

The first thing you should know is that the GDPR does make sense.

In the internet age, our personal data is valuable stuff.

And simultaneously, it’s rather portable, stealable stuff.

The GDPR is designed to make sure you know who has your personal data, how they got it, and what they are going to do with it.

Also, the GDPR isn’t really changing as much as everyone thinks it is. Although a few conditions have been made more strict, most of the requirements in the GDPR can be found in the existing 1998 Data Protection Act.

The most impactful change is that automatic opt ins are no longer allowed. If a customer does not specifically give you permission to store his or her information in your database, you cannot do so.

There are also more beefed up data-protection obligations, like being able to produce someone’s personal data should they ask, to correct it if it is wrong, and to erase it if they want you to.

By and large, this isn’t going to be of great import to escape room owners. But people might occasionally want to be taken off your mailing list or update a phone number; obviously you should have the ability to quickly and efficiently comply with their wishes.

Above all, the GDPR is about ensuring your personal data is “looked after properly.” It’s as simple as that.

The GDPR is designed to make sure you know who has your personal data, how they got it, and what they are going to do with it.

Principles, principles, principles!

Like the Data Protection Act of 1998, there are principles involved. In fact, they are largely the same principles. They concern the fair use and good care of personal data, with extra care and attention due if it is “sensitive” data.

But you operate a room escape business!

Sensitive data, like information about sexual orientation, medical conditions, and religious beliefs, is not information you collect when people book your escape rooms … or it certainly shouldn’t be!

(If you have, by any chance, captured such data about your customers, the only thing I can say is STOP – don’t do it  – you don’t need that kind of data to run an escape room!)

The GDPR is about strengthening certain privacy principles, and those principles are pretty much common sense.

Principle 1: Be lawful, fair, and transparent

First, the data you collect, which will comprise players’ names, email addresses, and maybe phone numbers, must be “processed lawfully, fairly and in a transparent manner in relation to individuals.”

In other words, you can’t collect data for illegal purposes (such as identity theft), you should only collect data if given express permission to do so, and you should tell people what data you are collecting and why.

For an escape room, it is intrinsically lawful to collect customers’ names and contact information in order to reserve a game slot, send them photos or follow-up surveys, and potentially market new games when they’re available.

So as long as you tell people that’s what you’re going to do, you ask their permission to do it, and you do that (and only that) with the data once you have it, you’re being lawful, fair, and transparent.

You also need to disclose who you are (i.e., what your company is called), so they know who has their data.

Simple stuff really.

Principle 2: Be Specific

The data you request must be “collected for specified, explicit and legitimate purposes.”

The next principle says that the data you request must be “collected for specified, explicit and legitimate purposes.”

This is kind of a given, if you’re following Principle 1 already.

In your case, the purpose of collecting customer data is to verify customers have booked a game when they arrive, email them post-game success photos or surveys, and tell them about new games or promotions in the future.

These reasons are specific, explicit (clear and unambiguous), and legitimate (there is a reason for you to need the information that’s directly related to your ability to provide the service they’ve signed up for).

Specific also means exclusively specific. And “granular,” in the words of the Information Commissioner.

For example, if you say you’re collecting an email address “to send post-game pictures,” then that’s all you can do.

You can’t email three weeks later to tell them about your new escape room or a discount you’re offering for repeat visitors. Because you didn’t tell them that’s what you were going to use their information for.

To make sure you’re covered, you need to include in your disclosure any use you might have for the personal information:

We are requesting your email so that we can send you your pictures after completion of the room and share updates on the new room we’re building.”

Assuming they opt in, this allows you to send marketing messages regarding your new room.

You can’t suddenly email them about your best friend’s new room in the next city or a voucher deal you’ve set up with a local restaurant, though. Those messages fall outside of the use they opted into.

There is one additional, implied permission here, as well. You may also use the data for statistical research to improve your games and your marketing strategies.

Principle 3: Collect What You Need and No More

The third principle says that the data you collect must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

As long as you are collecting only names, emails, and maybe mobile numbers, you’re fine.

If you were to start collecting more information than you need, like the sensitive information mentioned earlier, that would not be fine!

But how likely is it you’re going to have trouble with this one? By definition, unnecessary data is of no use to you. Why would you collect useless data?

Principle 4: Your Data Should Be Accurate

The fourth principle says the data you store in your database must be accurate.

This is simple enough to understand and in everybody’s interests.

Plus, given the minimal information you need to collect, the only reason it would be inaccurate is if someone typed it in wrong when booking a game. If that happens, you’ll find out and correct it as soon as you try to email a booking confirmation or a photo, and the email bounces back.

Principle 5: Don’t Keep Data Longer Than You Need To

The fifth principle is rather long-winded in its expression, but it basically says “don’t keep data for longer than you need to.”

This one might take a little consideration.

How long do you think you need to retain a customer’s name and contact info? Do you really want to keep all those email addresses and telephone numbers for years and years? If so, why?

If you keep them too long, inevitably they will become out of date and irrelevant, and then they’ll just be cluttering up your database.

So make a plan to organize your procedures so that you regularly get rid of data that you no longer need.

Principle 6: Keep the Data Safe

The GDPR is about ensuring your personal data is “looked after properly.” It’s as simple as that.
The sixth principle covers security and good housekeeping.

The data you have should be kept safely and securely.

You should already have systems in place for this. Make sure nobody unauthorized can see, copy, or steal the data in your database. Period.

So What’s the Fuss About?

So far, we’ve been galloping through the principles without even a nod to all the notices and permissions and data protection policies that everybody is so anxious about.

The reason for this is that if you comply with those six principles we just went over, you’re probably going to be just fine.

There’s no reason to devise complicated strategies constructed of twisty legalistic verbiage to “keep you covered.”

That’s not what the GDPR is about, at least not for small businesses. You’re covered if you simply do the right thing!

Be up front and honest with your customers. Don’t store their data in your database if they don’t want you to. Keep their information safe, just as you would want them to do with yours.

What You Actually Need to Do

Here's a list of action steps to help you get ready for GDPR.
So, now you know what the principles are, but what should you actually be doing to ensure compliance?

Well, there is quite a lot, and the tricky thing is that it applies to all the email lists you already have, so let’s start there.

You may have noticed recently that you’ve been getting emails from companies you do business with asking you to reconfirm your subscription or renew your email permissions.

Now you know why!

The people you already have in your database probably weren’t told specifically what you were going to do with their information and given an opportunity to opt in. So you’ll need to give them that opportunity now or delete their data.

Yes, I know you may have had details about what you use people’s data for hidden away in your terms and conditions. And maybe you included a paragraph that said something like, “By submitting this form, you agree to receive emails from us, and so on and so forth.”

Similarly, I’m sure at some point you’ve filled out some kind of form or application online and realised that to avoid being spammed by the entire internet by post, phone, and email, you had to either check a tiny, out-of-the-way opt-out box or deselect a pre-checked opt-in box to stop it from happening by default.

Marketers abused this practice because they knew most people didn’t pay that much attention. It was never good practice and was always frowned upon by the Information Commissioner.

That’s what the GDPR sets out to correct with the fair and transparent principle.

From now on, the way you are going to use someone’s personal data has to be disclosed separately from any other conditions, it must be written in clear, everyday language – not legalese – and there’s no ‘automatic’ opt-in.

Action Steps

1. Contact everyone in your database before 25 May and ask for permission to keep their personal information.

You must specify what you will use the information for, and you must give them an explicit opt in option.

You also need to let them know that they can unsubscribe in the future (and make it easy to do so), and include a link to your privacy policy, where you specify how you keep their data safe.

Since you’re probably getting a lot of these emails yourself, the easiest thing to do is find one you’ve received that you like, copy it, and revise it to suit your purposes.

If anyone fails to opt in by the deadline, you must delete the record from your database.

2. In any forms, waivers, or other data collection methods you have on your website or at your business, add an explanation of what you’ll do with the information you’re collecting, and ask for permission to do it.

You can’t pre-select the “yes” box.

There’s no magic legal formula. Just tell it like it is. “Can we save your name, email address, and mobile number in our database so that we can send you a picture of your smiling faces after you finish playing our room?

What you CANNOT do is collect email signatures on your waivers and hide away the fact that you will use the data you collect to send emails for marketing purposes.

You also can’t pre-select the “yes” box.

Here’s a tip.

Since you may have several things you’d like to email customers about, you may want to divide up your consents. Clunky though it might seem, this strategy gives your customers the greatest amount of control, which makes them more likely to give consent.


I take full responsibility for my personal safety in the ‘Difficult but Enjoyable Escape Room.’

❏   Please text me a link to download my picture when I’ve escaped!

I would love to hear about your new escape rooms in the future.

❏   By email

❏   By text

❏   By post

I understand that my data will be kept in your database for one year or until I unsubscribe.

Another option would be to send the second question when you text or email the photo. This is a sensible way to do things and allows you to go for the double opt-in mentioned below.

This gives you clear evidence that you have sought consent.

You’ll also note that the marketing consent question unbundles the email, text, and post delivery methods. This is seen as best practice.

3. Since the law requires you to have a means to find and either correct or delete someone’s personal details, make sure that whatever software you use includes this functionality.

It is also advisable to put in your terms and conditions or privacy policy how and whom to contact if someone wants you to correct or delete their data; a simple email address will do.

4. Establish a procedure for decluttering your database on a regular basis.

How long should you keep your customers’ data? If we take the question to extremes, it might help you develop a sensible policy.

Do you want to keep these email addresses for ten years or more?

Probably not!

In any case, how would you ensure that the data remained accurate for that long? People change their email addresses, move to different countries, get married or divorced, and all kinds of other things over the course of ten years.

Do you want to keep these email addresses for two weeks?

Again, this seems a little ridiculous. Why save the information at all if you’re just going to get rid of it before you even have a chance to use it?

Consider how often your customers currently open the emails you send, and if you have been in operation long enough, see if there are any trends regarding how long they continue to engage.

Then decide on a reasonable period and set up a process to delete old and out-of-date data.

5. Make sure you have a solid cybersecurity plan in place.

The GDPR isn’t just about you having permission to store personal information in your database. It also requires you to keep that data secure.

The GDPR isn’t just about you having permission to store personal information in your database. It also requires you to keep that data secure.

This has always been the case, of course. But now you need to be able to demonstrate that you are taking it seriously.

As a matter of good housekeeping, you should be able to say where your data is kept and be able to show that suitable security measures, such as passworded access to your email lists, are in place.

Additionally, I am sure most people are aware that to cc your entire mailing list (revealing everyone’s email address to every other recipient) rather than to bcc them is a breach of the Data Protection Act.

The slight difference with the GDPR is that now you will have to tell people if you make a breach like this, which would be doubly embarrassing, as all the people who didn’t notice would have to be alerted.

It’s unlikely that this would happen, though, if you have robust systems in place and are using a good mailing program.

A Note About Double Opt-Ins

There is a little more to say about explicit consent with email.

One surefire way to prove that you have a customer’s consent is to institute a double opt-in process. A double opt-in includes a second confirmation after the first has been submitted.

For example, if someone fills out a form on your site and marks the opt-in checkbox, then receives an email that says “click this button to confirm your subscription,” that’s a double opt-in.

With a double opt-in, you make it very clear that anyone you engage with online is giving permission for you to email them.

The double opt-in isn’t required under the GDPR, but it’s a great way to supply proof that your recipient has agreed to be contacted by you.

A Note About Photos: Are They Sensitive Personal Data?

Are photographs sensitive personal data?

This is a pertinent question for all escape room owners.

The view seems to be that group photos are not “personal data” as such, and therefore don’t fall under the purview of the GDPR.

However, it would be good practice to be very clear with your customers about where their group photographs are going to be displayed (on your website, your Facebook page, Instagram, etc.).

Even if it’s not required by law, it’s good form.


Although you may have heard rumors to the contrary, the GDPR is not poised to disrupt your entire business or marketing strategy.

The important thing to remember is that the law is designed to help keep your personal data safe from misuse or from falling into the wrong hands. You want others to protect your information, and you owe it to your customers to safeguard theirs.

If you move forward with the intention of respecting those who trust you with their data, complying with the regulation should be pretty easy. You just need to pay close attention to the personal data you collect and the way you use it … which you should have been doing anyway.

The most significant impact is in the area of consent and contact lists for marketing. The law also demands a high quality of what you might call “housekeeping” regarding the personal data you collect; it needs to be stored accurately, safely, and in a retrievable fashion.

If you follow the action steps outlined in this article, you’re well on your way to a friendly relationship with the GDPR, as well as an easy way to show your customers that you respect their privacy and their preferences.

About the Author

Bill Parslow is Head of Content at Buzzshot, an escape room GM, a writer, and a storyteller.Bill Parslow is Head of Content at Buzzshot, the escape room software that takes care of your waivers and sends out those happy group pictures to your players. Mention Nowescape when you sign up to get 20% off your first month at Buzzshot.co.

Bill is also an escape room GM, a writer, and a storyteller. Some years ago, and for some time, he was responsible for, among other things, data protection for a large organization, which was actually more interesting than it sounds.

The content of this article is offered solely for informational purposes and does not constitute provision of legal advice. This article should not be used as a substitute for obtaining legal advice from an attorney licensed or authorized to practice in your jurisdiction. Nowescape OÜ, Nowescape UK Ltd, and the author make no representations or warranties, express or implied, as to the completeness and accuracy of the content herein and assume no responsibility or liability for any loss or damage suffered by any person as a result of the use or misuse of any of the information in this article.

Leave a Reply