Proof of Consent, Data Controller, Data Processor & sub-processors... do these terms make your head spin? We've prepared a GDPR glossary that will help get you up to speed.
Also make sure to check out our:
1. General Data Protection Regulation (GDPR):
Effective May 25, 2018, the GDPR aims to protect and strengthen the privacy rights of individuals in the European Union (EU) through stricter, more clearly defined requirements for handling and processing personal data. Non-compliant controllers and processors face administrative fines of up to 20 million euros or 4% of worldwide annual turnover (whichever is greater). Fines are meant to be proportionate, however: the nature and duration of the infringement, the steps taken to mitigate it, and whether the organization can demonstrate that it designed its processing with data protection in mind all weigh on the amount, so smaller companies and companies that can show this kind of diligence are likely to see reduced fines.
The GDPR applies to any organization established in the EU, and to any organization outside the EU that offers goods or services to individuals in the EU or monitors their behaviour there; what matters is where the individual is, not their citizenship. If your hotel takes bookings from, or holds personal data on, guests located in the EU, the GDPR applies regardless of where the hotel itself is located.
2. Personal Data:
Any information relating to an identified or identifiable natural person, whether or not it is accurate, that alone or combined with other data could lead to that person being identified. This includes but is not limited to:
- Phone number
- IP address
- Transaction history
- Traveling habits
The GDPR also singles out special categories of personal data, commonly called Sensitive Personal Data, which may be processed only under narrower conditions. For example:
- Racial or ethnic origin of the individual
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health
- Genetic and biometric data (photos count as biometric data only when they are processed to uniquely identify a person)
Personally Identifiable Information (PII), a term used mainly in US security and privacy laws, overlaps with Personal Data but is usually narrower: it centres on direct identifiers such as name, phone number, maiden name, and social security number, whereas the GDPR's Personal Data also reaches indirect and online identifiers such as IP addresses, device identifiers, and behavioural data like travel habits.
3. Proof of Consent:
Under the GDPR, consent is one of several lawful bases for processing personal data (performance of a contract, such as fulfilling a booking, is another), and where you rely on it, it must be freely given, specific, informed, and unambiguous. Consent requires a positive opt-in: silence, pre-checked boxes, or inactivity will not be accepted. Individuals must be told clearly why they are asked for personal data and what it will be used for, and consent for separate purposes should be requested separately. The controller must be able to demonstrate that consent was given, so it is mandatory to keep evidence of how and when you requested, obtained, and recorded it.
Additionally, individuals have the right to withdraw consent at any time, and withdrawing must be as easy as giving it. Double opt-in, whereby an individual who signs up for email promotions receives an email with a verification link and is added to the list only once that link is clicked, is not required but is a robust way of capturing Proof of Consent, since it ties the consent record to a confirmed mailbox and a timestamp.
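The consent mechanics above (positive opt-in, evidence of how and when consent was obtained, withdrawal at any time, and the optional double opt-in link) are easiest to get right when they are expressed as data, so here is an added worked example in Python. It is not WebHotelier code and the page does not describe this design; the signing key, the 24-hour link lifetime, the guest address, the form identifiers and the client IP are all constructed for illustration. The verification link carries an HMAC-signed, expiring token so a link cannot be forged or pointed at someone else's address, and an append-only ledger records every request, confirmation and withdrawal together with its evidence.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical signing key: load it from a secret store in production, never hard-code it.
SECRET_KEY = b"example-key-replace-with-32-random-bytes"
TOKEN_TTL = timedelta(hours=24)  # assumed lifetime of a verification link


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_verification_token(email: str, purpose: str, issued_at: datetime, key: bytes = SECRET_KEY) -> str:
    """Token for the verification link: a signed, expiring payload that cannot be forged or re-pointed."""
    payload = json.dumps({"email": email, "purpose": purpose,
                          "exp": (issued_at + TOKEN_TTL).timestamp()}, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(sig)}"


def verify_token(token: str, now: datetime, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the payload if the HMAC matches and the link has not expired, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    return None if now.timestamp() > data["exp"] else data


@dataclass
class ConsentEvent:
    at: datetime
    email: str
    purpose: str
    action: str     # "requested", "verified" or "withdrawn"
    evidence: dict  # how consent was obtained: form id, wording version, client IP, ...


@dataclass
class ConsentLedger:
    """Append-only record of how and when consent was requested, obtained and withdrawn."""
    events: list = field(default_factory=list)

    def request_consent(self, email, purpose, actively_ticked, evidence, now) -> Optional[str]:
        # Silence, a pre-checked box or inactivity is not consent: record nothing, send no link.
        if not actively_ticked:
            return None
        self.events.append(ConsentEvent(now, email, purpose, "requested", evidence))
        return issue_verification_token(email, purpose, now)

    def confirm(self, token, evidence, now) -> bool:
        data = verify_token(token, now)
        if data is None:
            return False
        self.events.append(ConsentEvent(now, data["email"], data["purpose"], "verified", evidence))
        return True

    def withdraw(self, email, purpose, evidence, now) -> None:
        self.events.append(ConsentEvent(now, email, purpose, "withdrawn", evidence))

    def has_consent(self, email, purpose) -> bool:
        """Consent stands only if the newest verified/withdrawn event for this purpose is 'verified'."""
        status = None
        for e in self.events:  # appended in time order
            if e.email == email and e.purpose == purpose and e.action in ("verified", "withdrawn"):
                status = e.action
        return status == "verified"


def run_demo() -> dict:
    """Walk one guest through the flow on constructed sample data; returns what each step yielded."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    guest, purpose = "guest@example.com", "email-marketing"  # constructed sample data
    ledger = ConsentLedger()
    silent = ledger.request_consent(guest, purpose, False, {"form": "checkout-v2"}, t0)
    token = ledger.request_consent(guest, purpose, True, {"form": "checkout-v2", "wording": "v3"}, t0)
    # Forgery attempt: reuse the genuine signature on a payload naming someone else.
    sig = token.split(".")[1]
    forged = b64url_encode(json.dumps({"email": "victim@example.com", "purpose": purpose, "exp": 9e12}).encode()) + "." + sig
    results = {
        "pre_checked_box_rejected": silent is None,
        "forged_link_rejected": not ledger.confirm(forged, {}, t0),
        "expired_link_rejected": verify_token(token, t0 + TOKEN_TTL + timedelta(seconds=1)) is None,
        "consent_before_click": ledger.has_consent(guest, purpose),
        "link_clicked": ledger.confirm(token, {"ip": "203.0.113.7"}, t0 + timedelta(minutes=5)),
    }
    results["consent_after_click"] = ledger.has_consent(guest, purpose)
    ledger.withdraw(guest, purpose, {"via": "unsubscribe-link"}, t0 + timedelta(days=30))
    results["consent_after_withdrawal"] = ledger.has_consent(guest, purpose)
    results["events_recorded"] = [e.action for e in ledger.events if e.email == guest]
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter more than the code: the ledger is append-only, so withdrawal is recorded as a new event rather than by deleting the original consent (you still need to prove what the guest agreed to and when), and the rejected pre-checked-box submission leaves no trace because nothing consent-like happened. In a real deployment the token would also be bound to a single-use nonce stored server-side so a link cannot be replayed after it has been used.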
4. Right of Data Portability:
Individuals have the right to access their personal data and obtain a copy of it at any time and, where the processing is based on consent or a contract and carried out by automated means, to receive the data they provided in a structured, commonly used, machine-readable format and have it transmitted to another organization without hindrance. Portability sits alongside the related rights to correct, erase, and restrict processing of their data (covered below), but each of these rights has its own conditions rather than applying under any circumstances.
5. Data Controller:
The entity that determines the purposes and means of processing personal data, and that carries primary responsibility for compliance. In this case, the data controller is the hotel.
6. Data Processor:
The entity that processes personal data on behalf of, and only on the documented instructions of, the data controller; the relationship must be set out in a written contract. Oftentimes, data processors are vendors and contractors for hotels. In this case, the data processor is WebHotelier.
7. Data Subprocessor:
The entity that processes personal data on behalf of the processor so that the processor can complete its work. A processor may engage a sub-processor only with the controller's prior authorization and must pass its own data protection obligations down to it. An example is Return Path, helping hotel marketers with their email deliverability.
8. Right to Erasure:
Also known as the Right to Be Forgotten. Under the GDPR, individuals have the right to request that a controller delete the personal data it holds about them and stop further distribution of that data, for example when the data is no longer needed for the purpose it was collected for or when they withdraw the consent it was based on. The right is not absolute: data a hotel must keep to meet a legal obligation, such as invoicing records, can be retained for as long as that obligation lasts.
9. Right to Correction:
Also known as the Right to Rectification. Individuals have the right to have inaccurate personal data about them corrected, and incomplete data completed, by the controller without undue delay.
10. Right to Refuse Profiling:
This gives individuals the right to object to the processing of their data for direct marketing, including any profiling used for it, and the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on them. Profiling, as defined by the GDPR, is automated processing of personal data to evaluate personal aspects of a person, such as their preferences, interests, or behaviour; an objection to direct marketing must always be honoured. Fortunately for hotels, this is usually straightforward: guests who object can be excluded from marketing segments.
11. Data Protection by Design:
Also known as Privacy by Design. Controllers must implement appropriate technical and organizational measures, such as pseudonymization and data minimization, to ensure the continued confidentiality, integrity, and availability of their personal data processing systems and services. They must ensure that, by default, only the personal data necessary for each specific purpose is processed, and that it is not made accessible to more people than necessary. Data protection measures must be built in by design and by default, not bolted on afterwards.
12. Data Breaches:
A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. In the case of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if the risk to individuals is high, they must be informed as well. A processor, such as a booking engine, must notify the controller (the hotel) without undue delay after becoming aware of a breach so that the hotel's 72-hour clock can start, and every breach should be documented internally whether or not it was notified.