The GDPR (general data protection regulation) is new legislation that aims to give citizens more control over their personal data. It will impact existing businesses across the EU and even worldwide, as any companies holding or processing EU data will still need to comply. The GDPR was adopted in May 2016 but the enforcement deadline is the 25th of May 2018 so there’s still time for everyone in the hospitality sector to get to work upgrading their data protection process.
The Main Areas Affecting Hotels
Any collection of personal data must be done transparently with the customers knowledge and hoteliers will be required to prove that consent was given for their data to be used. Information cannot be stored and then used at a later stage for another purpose, ie. details received at the time of booking cannot be stored and then used for email marketing later on. The regulation states that customers will have to ‘opt-in’ to an email marketing services, as opposed to the current ‘opt-out’ system. Read more on obtaining consent for processing personal data in our support article here.
Subject Access Requests
Currently under existing Data Protection Acts anyone can write to a hotel and request their personal information. This incurs a fee of €6.35 and the information must be provided within 40 days. When the GDPR comes into effect, this ‘right to seek’ personal data will become a free service and hotels will have a reduced time of 30 days to furnish information. Hotels should be prepared as these changes will likely mean an increased number of requests for data.
Partners and third parties
It’s important to keep in mind that many partners and third parties also have access to your data. With this change in legislation the responsibility for data processing and data controllers remains that of the hotel. The definitions of each are laid out in Article 4 of the General Data Protection Regulation. A controller is a ”person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”, while the processor is ”person, public authority, agency or other body which processes personal data on behalf of the controller”. This means if a hotel outsources their data processing to a third party who is non compliant they can be held responsible together with the third party should a breach occur. Basically you need to ensure that if a customer requests removal of their personal information, you will need to wipe your own system and ensure any of your data partners do the same. The Sirvoy support article found here discusses data protection in more detail.
How do I comply?
All managers should familiarise themselves and their staff with how the changes will impact on their business as well as how it will affect their customers rights. Hubspot has produced a handy checklist to help businesses get GDPR ready – you can find it here. It is vital that appropriate resources are made available in order to effect the necessary changes. Staff should be trained in GDPR to maintain compliance and all businesses that accept credit card payments should already be compliant with the Payment Card Industry Data Security Standard (PCI DSS). In this regard our Sirvoy clients can check this vital box as Sirvoy is PCI compliant and uses SSL (Secure Sockets Layer) to ensure that all communication is secured.