GDPR (General Data Protection Regulation): What you need to know
On the 25th May 2018 the General Data Protection Regulation (GDPR) will be enforced. Whilst you may not have a business located in the EU, there may still be implications if you collect guest data or if any of your Employees are from the EU or UK.
So, GDPR: What do you need to know!
The General Data Protection Regulation applies not just to organisations and businesses in the EU. It also applies to businesses outside of the EU offering goods or services to individuals in the EU. So that means Hotels, Tour Agencies, Travel Agencies, Airlines etc. Basically anyone who collects personal guest data, where the guest may be an EU or UK citizen.
GDPR: who is responsible?
The General Data Protection Regulation (GDPR) covers automated personal data (collected by your website/booking/subscriptions platform/HR Department) and manual filing systems e.g. Check-in Forms.
A Hotel, Tour Operator, Travel Agent etc, and the staff responsible for collecting and managing Guest or Employee Data have the roles of Controller (determines the purposes and means of processing personal data) and a Processor (responsible for processing personal data on behalf of a controller). You are legally obliged to maintain any records of personal data, processing activities and the systems used to store the data.
Below are two checklists you can use to see if you are staff are GDPR ready:
GDPR: Establishing a Lawful Basis
You must have a valid Lawful Basis for processing or keeping Personal Data. It must be necessary. If you can achieve the same outcomes without processing Personal Data, your actions are not a Lawful Basis.
There are 6 distinct Lawful Bases and under the General Date Protection Regulation, you must determine which of the 6 your business falls under.
As an example: Hotels, Airlines and Travel Agencies require the data of a Guest for Booking Purposes, Room Assignments, Check In etc. It may seem logically to select Consent as your Legal Basis. But if your guest withdraws their consent for you to hold their Personal Data you will have a problem. You can’t then switch your Legal Basis to ‘Contract’, to get around this issue.
Therefore, it may be more appropriate for you to select Contract and/or Legitimate Interests as your Legal Bases. You can check a Lawful Basis Guidance Tool for each basis here
GDPR: Communicating Your Lawful Bases to Your Clients
Your Booking or Contact Us Page is the best place to display your Privacy Notice and communicate your Lawful Basis/Bases. The Privacy Notice must include which of the Lawful Bases you are working to, and explain why you need to collect the data and how it will be stored. If you select two or more Bases, then they should all be included in your Privacy Notice.
Guests have the “right to be informed” that their Personal Data is collected and what it is used for. Your Privacy Notice should include: your intended purposes for processing the personal data; and the lawful basis for the processing. It must include your retention periods for personal data, and who it will be shared with. This information must be provided to individuals at the time you collect their personal data from them e.g. Booking Page or Contact Us Page.
Guests also have a Right to Access the data you hold on them, the Right to Rectify the data you hold on them and the Right to Erase data you hold on them
GDPR: Subscription/Membership Lists
Have you noticed a trend in emails being sent to you with Subject Titles such as “We haven’t Heard From You in a While” or “Do you still wish us to stay in contact” or, “Read Now to keep hearing from us“?
If yes, these are coming from all the companies which currently hold your Personal Data, rushing to get your consent to stay on their database or mailout list.
Do you keep the details of your Guests to send them Special Offers or promotional material about your business?
Oh Heck!! Does this mean we have to email everyone in our Database/Mail List and get their consent again?
Actually, no you don’t, according to Spaghetti Agency in their article “GDPR: You’re Doing it All Wrong”. They advise that you don’t need to secure Consent, or re-consent, under the new General Data Protection Regulation for Email Marketing. You should instead include Legitimate Interests as one of your Legal Bases. The article states “Get some professional advice and set up your systems and processes to follow a Legitimate Interest route (internally and in the inbox) and you’ll be just fine”
Spaghetti Agency went on to point out that all those companies that did charge ahead with sending out re-consent or opt-in emails to those on their database, have achieved nothing more than reducing their own client database.
With low opening and click-on response rates, in general, for mailout emails, and because they emailed their guests/customers asking them to consent to continue to opt-in to contact, if they don’t get a response, the company will have to remove their names and details from their Database.
So; now you have a basic idea about GDPR, Your Hospitality Hub recommends you talk to your Legal Team, if you haven’t already, and expand your knowledge using the links below.
Further Reading Suggestions for GDPR:
Breakdown of the GDPR in easy to read sections – https://ico.org.uk/for-organisations/
GDPR Data Protection Self-Assessment Tools – https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
Article relating to Subscription Databases/Mailout Databases – https://www.spaghettiagency.co.uk/blog/gdpr-youre-doing-it-all-wrong/
