General Data Protection Regulation (GDPR) (EU) 2016/679 comes into effect on 25th May 2018. It ushers in a new era, unifying data protection rules across Europe, strengthening the rights of EU citizens and placing new obligations on all organisations that offer goods and services online.
WebHotelier is committed to complying with the GDPR across all of services that we provide.
This post takes a look at these regulations and what they mean to you.
Also make sure to check out our:
- Live blog about changes and new WebHotelier features
- GDPR Glossary of Terms
- GDPR FAQ & Best Practises
GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Superseding the Data Protection Directive, the regulation contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union. Business processes that handle personal data must be built with privacy by design and by default, meaning that the system must be designed to adhere to principles of data protection with the highest level of safeguards from the start, so that the data is not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. Personal data may not be processed unless it is done under a lawful basis specified by the regulation, or the data controller or processor has received explicit, opt-in consent from the data's owner—which may be withdrawn at any time.
A processor of personal data must disclose what data is being collected and how, why it is being processed, how long it is being retained, and if it is being shared with any other parties. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to have a Data Protection Officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
Five Ways To Ensure Your Hotel Is Prepared
1. Establish whether or not GDPR applies to you
It’s important to understand that GDPR applies to the handling of information of EU citizens, not just hotels operating in Europe. If you have the data of any EU citizen or resident, regardless of when that resident stayed with you, then yes, GDPR applies to you.
2. Educate and train your staff
GDPR applies to every hotel department, from Ownership to Front Desk Agents. Start by building awareness. Hotel staff must understand how to collect, access, use and disclose personal information, as well as how to restrict access to cardholder data. Measures should include:
- Limit access to personal data to only those who need to see it
- Advise employees on how to properly dispose of documents containing payment card data
- Read up on relevant GDPR terms you and your staff need to know. Check out our GDPR Glossary of Terms for help
- Send email marketing communications to only those who have explicitly OPTED IN to your hotel guest marketing program
3. Know where your data is stored
Hotels by nature manage a vast amount of personal data. Before you even begin protecting the data, you first need to know which information you are holding and where it’s stored. General Personally Identifiable Information (PII) includes:
- Phone Number
In addition to general data, hotels have to consider other sensitive information they may be collecting on guests. For example, even something like a guest’s dietary preference could be considered sensitive health information and therefore out of compliance if you don’t have their explicit consent to process such data.
Hotels receive all this information from many sources, including third-party booking systems, point-of-sale systems, their booking engine, email marketing messages, phone, even scribbled Post-It notes. First account for all data, then decide how it should be handled. Actions can include deletion, redaction, encryption, quarantine, or storage in an accredited, cloud-based storage solution, where it can be accessed by staff. Another consideration is IT -- ensure your systems are up-to-date for maximum data protection.
4. Understand who has access to your data
Don’t forget that many partners and third parties also have access to your data. It’s important to understand all existing contracts and who has logins to each of your systems storing sensitive data. Ensure these partners and data processors, like WebHotelier, are able to comply with GDPR’s “right to be forgotten” stipulation. Under it, anyone residing in the EU, not just EU citizens -- can request their personal information be removed from databases in a timely fashion or know the reason why it can't. This means that not only do you have to wipe your own systems, but your data partners will be expected to as well.
5. Seek assistance
As a final tip, consider consulting legal or other data privacy expertise for guidance specific to your hotel or organization. It may be recommended to appoint a Data Protection Officer (DPO). The DPO should always be aware of all data flows in the hotel. This leadership and alignment are especially important for hotels with multiple properties or in multiple EU countries.
Official EU Commission Rules
- Data protection in the EU
Check out the following resources for more tips & guidelines: