GDPR changes to WebHotelier

WebHotelier made changes and launched new features to help hoteliers with their GDPR compliance. Here you will find a log of everything announced:

Contents

• Compliance Dashboard (FEATURE)
• PII anonymization in confirmation emails (UPDATE)
• Privacy Policy for Booking Engines (LEGAL)
• Privacy Policy for WebHotelier Platform (LEGAL)
• Data Retention Policy (FEATURE)
• PII access privilege (FEATURE)
• DPO role for hotelier & operator users (FEATURE)
• Changes to WebHotelier driven by data flow mapping (UPDATE)
• Intelligent Threat Detection (FEATURE)
• WebHotelier's PCI-DSS Level 2 Service Provider certification (REMINDER)
• Encryption at rest (FEATURE)
• WebHotelier appoints Data Protection Officer (UPDATE)
• WebHotelier publishes GDPR guides (UPDATE)

Also make sure you check out our:

• Introduction to GDPR
• GDPR Glossary of Terms
• GDPR FAQ & Best Practices

Happy GDPR everyone

May 26th 2018, 04:00 UTC

That's a wrap! GDPR-day is behind us and we are done updating this blog post. We do have some additional legal matters but they will be announced privately in WebHotelier's Backoffice. Thank you very much for your time and patience following these updates.

WebHotelier introduces the Compliance Dashboard

May 25th 2018, 23:30 UTC

In WebHotelier we don't believe in compliance for compliance’s sake. What at first seemed as a cost of doing business, we now see as an opportunity to implement operational excellence.

When the right internal controls are implemented, compliance is no longer a costly burden. What a business does to comply adds tremendous value, offsetting the cost of compliance. It has been true for us since the day we received our first signed PCI certificate.

Today, we are proud to launch a new WebHotelier initiative called Compliance Dashboard. It is a tool that will hopefully help you achieve your own compliance goals. Accessible from WebHotelier's Backoffice, it reflects our experience in security & compliance for both PCI-DSS and GDPR.

This first version just covers the basics. It provides a birds-eye view of all security & privacy settings and consolidates the many new GDPR features we launched all in one screen. We have plans to enrich the dashboard with more reports, audits and logs, tips and best practices, and more, so check back often.

Data security and privacy have become critical trust and reputation issues for all businesses. We want to provide you tools that enhance trust and advance your brand, reputation, and competitiveness.

BREAKING CHANGE - PII anonymization in confirmation emails

May 25th 2018, 20:00 UTC

Happy #GDPRday everyone!

Since we launched WebHotelier, almost ten years ago, we've been sending a copy of confirmation emails to hoteliers. Confirmation emails serve as both a notification and a quick preview of the booking summary.

Unfortunately, they also contain personally identifiable information (PII). E-mail servers & clients are not a secure place for such data (in the same way they're not for cardholder information).

Therefore, effective immediately, we anonymize all PII in confirmation emails sent to hoteliers. Confirmations emails sent to guests are not affected by this change.

We know this hurts, but it is the new reality post-GDPR. Hopefully, this will also break the bad habit of printing confirmation emails.

Confirmation emails are designed for screens and to be viewed comfortably even on smartphones (despite the limitations of the medium). Booking summary printouts from WebHotelier's Backoffice, however, are designed for print. We try hard to fit as much information possible to minimize paper & ink usage.

There is also one more piece of bad news. We've had to drop the XML/CSV attachment feature since it contained PII as well. As a replacement, we recommend using our API which is much more feature rich and supports real-time PUSH.

WebHotelier publishes customizable common Privacy Policy for all booking engines.

May 24th 2018, 03:40 UTC

Today, we're launching a common Privacy Policy for all booking engines under the WebHotelier platform. This policy describes how we collect, use, process, and disclose guest information on your behalf, including personal information about them, in conjunction with their access to and use of our booking engine.

The policy has been written clearly and simply for the user to facilitate its understanding, and to freely and voluntarily determine whether they wish to provide their personal data, or those of third parties, to you.

The policy has the following sections:

• Information and Consent
• Identity
• Obligatory nature of providing the data
• Personal data we collect and process
• Purpose of processing personal data
• Data Retention
• Legitimate interest for processing user data
• Data Disclosure
• International transfers of personal data
• User's Responsibility
• Exercise of Rights
• Security Measures

You can read the entire Privacy Policy here. (NOT A REAL HOTEL)

We believe this policy is comprehensive and should cover the needs of most of our customers. However, we do understand that each one of you might want to add their own sections to the privacy policy. In fact, if you process personal data for other purposes than those stated in the common policy, you have to disclose them.

For that reason, we've added an additional tab in your "Policies" management page in WebHotelier's Backoffice where you can add additional sections to the Privacy Policy. Those sections will be appended at the end of the common policy.

Always remember:

• to keep your property profile information up-to-date;
• to make sure your billing information is up-to-date and your legal entity name is correct;
• to provide "Preference" checkboxes for every PII collection purpose that requires explicit consent;
• to assign the role of DPO even if you are not obligated by law;
• to keep the contact information of the DPO up-to-date;

WebHotelier publishes a Privacy Policy for their platform users.

May 23rd 2018, 22:50 UTC

Today, we’re adding a Privacy Policy for our WebHotelier users to make it easier for you to understand what information we collect and why we collect it. We’re doing this as new data protection regulations (GDPR) come into effect in the European Union, and we’re taking the opportunity to make improvements for WebHotelier users around the world.

Nothing is changing about your current settings or how your information is processed. Rather, we’ve improved the way we describe our practices and how we explain the options you have to update, manage, and delete your data.

In order to continue working with WebHotelier products, you must confirm that you accept our privacy policy as soon as you login to our extranet.

You can read our new Privacy Policy at any time, here.

Announcing PII Data Retention Policy setting.

May 23rd 2018, 01:40 UTC

To help hoteliers with GDPR compliance, Personally Identifiable Information (PII) stored in WebHotelier can now be scheduled for anonymization after a certain period has passed. You can select your policy from the main menu, under Settings -> General.

The Data Retention Policy may help you comply with legal requirements, but remember, GDPR does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Please consult with your company/organization’s legal counsel to determine if this setting applies to you.

WebHotelier allows to select one of the following retention periods:

• Do not automatically expire (default)
• 14 months after check-out
• 26 months after check-out
• 38 months after check-out
• 50 months after check-out

We do not allow periods less than 14 months because we have the PCI-DSS requirement to preserve all data for at least 12 months. We then add another 2 months as a grace period.

NOTICE: We will *not* be enforcing this setting on May 25th.
Instead, we will give you a few weeks/months to change your mind.

WARNING: Data anonymization is permanent.
No copy of your original data will be preserved.

You should also be aware of the following:

• Data retention applies only to data stored in WebHotelier systems. If you've shared PII with other systems (e.g. your PMS) you'll have to manage that data separately.
• Selecting a policy does not affect most standard reporting, which is based on aggregated data. (UPDATE: For example, that means deleting IP data will not affect country-based statistics & reports)
• If you stop using WebHotelier, you can request data removal at any time.
• Changes to this setting takes effect after 24 hours.

Announcing per-user PII access privilege.

May 23rd 2018, 00:45 UTC

Hoteliers can now opt-in to remove access to Personally Identifiable Information (PII) from certain users. Users with no PII privileges will see anonymized data in booking summaries, printouts, reports, and exports.

We recommend enabling this setting for all users that are not involved with bookings or customer service.

NOTICE: This setting will come into effect on the May 25th deadline.

Announcing DPO role for hotelier & operator users.

May 23rd 2018, 00:30 UTC

Hoteliers can now assign the role of Data Protection Officer (DPO) to one of their users. You can assign the role by editing any of the users in WebHotelier's Backoffice and checking the DPO checkbox. The user must have all their profile information provided and please make sure the contact information is up-to-date.

The DPO's role is to assist the processor (WebHotelier) in all issues relating to the protection of personal data. In particular, the DPO must:

• inform and advise the processor, as well as their employees, of their obligations under data protection law;
• monitor compliance of the organization with all legislation in relation to data protection, including in audits, awareness-raising activities as well as training of staff involved in processing operations;
• provide advice where a DPIA has been carried out and monitor its performance;
• act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights;
• cooperate with DPAs and act as a contact point for DPAs on issues relating to processing;

Does my company/organization need to have a Data Protection Officer (DPO)?

Your company/organization needs to appoint a DPO, whether it's a controller or a processor, if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. In that respect, monitoring the behavior of data subjects includes all forms of tracking and profiling on the internet, including for the purposes of behavioral advertising.

The above is not clear enough. How can I decide if I need a DPO?

Initial GDPR drafts specified companies/organizations with less than 250 employees did not have to appoint a DPO. This is no longer true, a DPO may be required for a company/organization of any size. You should contact your legal counsel or your local Data Protection Authority for instructions.

WebHotelier recommends assigning a DPO role even if you are not obligated by law.

Can anyone be my DPO?

The DPO may be a staff member of your organization or may be contracted externally on the basis of a service contact. A DPO can be an individual or an organization.

Your organization, if required, must involve the DPO in a timely manner. The DPO must not receive any instructions from the controller or processor for the exercise of their tasks. The DPO reports directly to the highest level of management of the organization.

Announcing required changes driven by our Data flow mapping.

May 22nd 2018, 20:00 UTC

Our data flow mapping has identified a few behaviors that are prohibited by GDPR.

Therefore, in the spirit of transparency and effective immediately, we announce the following:

• Custom conversion tracking codes can no longer contain PII tokens. The following variables are no longer populated:
  • email
  • email:url
  • fullname
  • fullname:url
  • firstname
  • firstname:url
  • lastname
  • lastname:url
  • postal
  • tel
  • region
  • location
  • remarks
• Google Tag Manager's Data Layer is no longer populated with PII. The following variables have been removed from the dataLayer object:
  • email
  • fullname
  • firstname
  • lastname
• We have stopped reporting pageviews to Google Analytics that may contain sensitive data (e.g. booking retrieval URLs that are included in confirmation emails).
• We have enabled the strictest possible data retention policy in Google Analytics for the profile that measures data from all bookings engines. We use this data for functionality monitoring and to make informed decisions for our browser/OS support matrix. Customers are advised to also set a data retention policy for their own Google Analytics profiles.
• We have identified an issue where conversion tracking was not reported as "/book-confirm" in Google Analytics but with its real URL that contains sensitive data. We now force the report to be "/book-confirm".
• Google Analytics e-commerce and event tracking calls were not associated with the virtual pageviews. We now also force this to report "/book-confirm".
• We have removed Google Analytics tracking from our WebHotelier's Backoffice application for the sole reason that we don't require client-side tracking.
• We have removed social plugins from WebHotelier's Backoffice application. We've replaced them with direct links to our social pages/profiles.
• We applied a strict 3-month data retention policy on our server-side log analytics tools. Raw logs are preserved for 1 year as required by PCI-DSS.
• We have identified an issue where our developer team would receive bug reports that contained PII or other sensitive data. These and other similar cases have been corrected and now data are properly anonymized.
• We have set procedures in place that anonymize backup data used by our developers for development & testing. These procedures have been already in place for cardholder information (per PCI requirements) but have been extended to PII as well.
• None of our personnel has access to cardholder information, besides a dedicated person the can grant privileges to hotelier users. This is now extended to PII data as well, with only essential support personnel retaining access.
• After a booking has checked-out our personnel will no longer have access to PII.
• We no longer allow PII access to SmartGuest users that have not completed a booking. Since we do not collect any other PII for SmartGuests who have converted, their profile is covered by our soon-to-launch privacy policy and no other explicit consent is required.

In addition, we have identified the following issues regarding further processing that occurs by hoteliers (data controllers and their partners, processors or sub-processors). These issues must be handled by hoteliers:

• Explicit consent is required for sharing PII with 3rd parties. Some examples are review management companies (e.g. Revinate), transfer services (e.g. Welcome), etc. To get consent you'll need to create "Preferences" in your booking engine for each use, clearly describing how guest data is going to be used. 3rd party companies should then check those settings before offering their services. If no consent is given, API users should discard PII data immediately and not save them in any form of permanent storage.
• Explicit consent is required if a hotelier uses guest data to send marketing newsletters, marketing SMS, or performing any form of communication with the customer that is not based on the legitimate interest of servicing the booking. These cases also require booking engine "Preferences" (as described above) that hoteliers should check before using PII for other purposes.
• Automated review prompts (e.g. via email) like TripAdvisor ReviewExpress are not GDPR compliant because explicit consent is never given. Therefore, hoteliers are strictly advised to disable ReviewExpress immediately.
• To properly identify your business as the Data Controller, make sure you have updated your Legal Entity information in WebHotelier. You can access the form from the main menu -> Property -> Billing Information.

WebHotelier now uses intelligent threat detection and continuous monitoring to protect your data

May 22nd 2018, 20:00 UTC

WebHotelier continuously monitors for malicious or unauthorized behavior to help you protect your data. It monitors for activity such as unusual API calls or potentially unauthorized network calls that indicate a possible compromise. It also detects potentially compromised servers or reconnaissance by attackers.

We analyze billions of events across our entire network for signs of risk. Our system identifies suspected attackers through integrated threat intelligence feeds and uses machine learning to detect anomalies in workload activity. When a potential threat is detected, the system delivers a detailed security alert to our developer team.

The system goes even further and may recognize compromised hotel website servers. We have already detected a few of those instances and informed the affected customers.

REMINDER: WebHotelier is a certified PCI-DSS Level 2 Service Provider

May 22nd 2018, 19:30 UTC

We are always working to stay compliant, which helps make compliance easier for your business. We encourage regular audits, maintain certifications, provide industry-standard contractual protections, and share tools and information you can use to strengthen your business’s compliance.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements for entities that store, process, or transmit payment card data. WebHotelier services have been reviewed by an independent Qualified Security Assessor (Trustwave) and determined to be compliant with the current version of PCI DSS.

View our certification here.

We designed the security of our infrastructure in layers that build upon one another, from the physical security of data centers to the security protections of our hardware and software to the processes we use to support operational security. This layered protection creates a strong security foundation for everything we do.

We distribute data across multiple data centers, so that in the event of a fire or disaster, it can be automatically shifted to stable and protected locations. Each of those data centers is monitored and protected 24/7, and access is tightly controlled with measures like biometric identification and CCTV surveillance.

A quick reference to the security features and procedures we implement can be found here: https://www.pcisecuritystandards.org/documents/PCI SSC Quick Reference Guide.pdf

Most but not all the referenced features and procedures are now also applied to PII data.

WebHotelier now uses encryption at rest for all PII and other sensitive data.

May 22nd 2018, 19:00 UTC

WebHotelier, as PCI-DSS Level 2 Service Provider, has used storage-level encryption for all sensitive data (e.g. cardholder information). Over the past months we've extended the use of hardware encryption to cover all data at rest (data stored in physical disks). This effectively encrypts sensitive data twice.

Our systems use FIPS 140-2 validated hardware security modules where our unencrypted keys are only used in memory. Keys are never transmitted outside of the hardware environment in which they were created. No physical person has access to the actual keys themselves.

Today we announce that we now apply the same rigorous security features to Personally Identifiable Information (PII) as well.

WebHotelier appoints a Data Protection Officer (DPO) ahead of GDPR.

May 22nd 2018, 17:20 UTC

At WebHotelier, Trust is our #1 value. Nothing is more important than earning the trust of each of our 4,000+ customers and protecting their data — privacy has always been core to our business. And our privacy model is simple: our customers' data belongs to them.

Although not required by the GDPR (since WebHotelier does not track, profile or monitor data subjects at any scale), we've appointed a Data Protection Officer who will be responsible for compliance and serves as a point of contact between the company and supervisory authorities. Our DPO is Apostolos Tsakpinis, WebHotelier's Technical Director and long-time privacy advocate.

Data Protection Officer
dpo@webhotelier.net
WebHotelier Technologies Ltd
Mnasiadou 9, Demokritos Building, Office 16
1065, Nicosia
Cyprus

WebHotelier publishes Introduction to GDPR, F.A.Q., and Glossary to help hoteliers get started with GDPR.

May 22nd, 2018 16:00 UTC

WebHotelier has published an Introduction to GDPR, a set of Frequently Asked Questions along with a list best practices. We have also published a Glossary to get you up-to-date with GDPR terms. You can find these on the links below:

• GDPR Introduction
• GDPR Glossary of Terms
• GDPR FAQ & Best Practices