If you run guest WiFi in a pub, hotel, restaurant, café, or event venue, compliance can sound more complicated than it really needs to be. Most hospitality businesses do not want a legal lecture. They want a clear checklist.
With that in mind, below are five practical steps to make sure your guest WiFi setup runs properly, supports compliance, and avoids the common weak spots that catch venues out. UK GDPR requires personal data to be handled lawfully, securely, and for no longer than necessary.
1. Log guest activity automatically for 12 months
In practice, this means your system should automatically keep the relevant connection records in the background without your team having to do anything manually. That can include session times, authentication events, device or session identifiers, and related connection details.
The important point is not that your staff understand the technical side. It is that the records exist, are stored securely, and can be retrieved if required. The UK Investigatory Powers Act allows a data retention notice to require relevant communications data to be retained for up to 12 months.
Why it matters: if your venue is ever asked to account for activity on its guest network, you do not want to discover that nothing meaningful has been logged. You could be held criminally liable in this case.
Non-compliant version: a basic router with a shared password, no session history, and no structured retention.
Compliant version: a managed guest WiFi platform that records connection activity automatically and keeps those records available in a controlled way.
2. Require authenticated sign-in, not open or unsecured networks
In practice, this means guests should go through a proper sign-in process before using the service. That does not have to be complicated. It could be a branded splash page, a room-based login, or another controlled access method. What matters is that the network is not simply open to anyone nearby with no record of who accessed it or how. A proper sign-in flow creates an authentication trail and helps separate your managed guest service from an unsecured public access point.
Why it matters: an open network gives you very little control, very little visibility, and very little evidence if there is ever a problem. It also creates a poor foundation for both security and compliance.
Non-compliant version: an open guest network or a password stuck on the wall that every visitor uses with no login trail.
Compliant version: a guest network with a controlled sign-in page and recorded access events tied to each session.
3. Capture GDPR-compliant consent at the point of connection
In practice, this means your splash page should explain what data is being collected, why it is being collected, and what the guest is agreeing to. If you want to use guest details for marketing, that choice should be clear, optional, and separate from general access. The ICO says consent must be freely given, specific, informed, and shown by a clear affirmative action. Consent requests should also be prominent, concise, and separate from general terms.
Why it matters: many venues collect names, email addresses, or device-related data through their WiFi portal without clearly explaining what happens next. That is where GDPR problems begin.
Non-compliant version: a splash page with vague wording, hidden privacy terms, or a pre-ticked marketing box.
Compliant version: a clear sign-in page with transparent wording, a privacy notice, and separate opt-in consent where needed.
4. Keep data accessible for authority requests
In practice, this means the information your system records should not only be stored, but also be searchable and retrievable if a lawful request is made. A venue does not need to become an investigations team, but it does need a platform that can produce the relevant records when required. The Home Office code explains that notices can require retained communications data to be disclosed in line with the regime, and it places strong emphasis on secure handling and controlled access.
Why it matters: data that technically exists but cannot be located, exported, or interpreted when needed is not much use.
Non-compliant version: logs stored in a device interface that nobody can access properly, or records scattered across separate systems with no clear retrieval process.
Compliant version: a managed platform with centralised records, controlled access, and a straightforward process for retrieving what is needed.
5. Audit your compliance setup at least annually
In practice, this means reviewing your guest WiFi setup at least once a year to check that logging, retention, privacy wording, consent capture, and access controls are all still working as intended. Hospitality businesses change over time. Venues expand, internet hardware gets replaced, portals get edited, and marketing goals shift. A system that was fine two years ago may no longer be doing what you think it is.
Why it matters: GDPR is not only about collecting data lawfully. It is also about making sure you only keep what you need, for as long as necessary, and that your processor arrangements and internal controls remain appropriate. The ICO says controllers are responsible for choosing processors that provide sufficient guarantees, and that personal data must not be kept longer than necessary.
Non-compliant version: installing guest WiFi once and assuming it stays compliant forever without any review.
Compliant version: a yearly check of your portal wording, retention settings, processor arrangements, and record access, with any issues corrected before they become a problem.
Provide all 5 without the admin burden…
The easiest way to handle all of this is through a managed guest WiFi solution. Logging, authenticated access, GDPR-conscious sign-in flows, record availability, and regular compliance reviews can all be built into the service rather than left to guesswork. If you want to know whether your current setup is covering all five properly, book a free compliance check with Carden Hotspots and we will talk you through it clearly.