The General Data Protection Regulation (GDPR) will introduce a number of changes to data protection laws across Europe. Are you aware of how the laws will impact the way in which your hotel operates?
Read this article to learn:
✔ How to get clear consent to process data
✔ How to process personal data
✔ The role of a Data Protection Officer
What is GDPR?
The GDPR will replace the previous data protection directive of 1995 and be immediately enforceable in all member states, without the need to transpose it into national law.
GDPR is a regulation to strengthen and unify data protection for individuals within the European Union. It was adopted in May 2016 and, following a two-year implementation period, will come into force on May 25th, 2018. The legislation brings in a large number of changes, meaning that the level of effort involved in preparing for GDPR compliance is significant.
What do hotels need to do?
As a hotel, you are a data controller, and Achiga is a data processor, as we process data on your behalf.
It is the data controller that must exercise control over the processing and that carries the data protection responsibility for it. You determine the purpose for which data are processed.
A new set of regulations has been imposed which hoteliers must follow.
Get clear consent to process data
Pre-GDPR consents will continue to be valid under the GDPR provided they conform to the GDPR requirements for consent.
Doing consent well should, post-GDPR, put individuals in control, build customer trust and engagement, and enhance your reputation. Furthermore, consent means offering individuals genuine choice and control.
A request for consent must thus be made in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent.
Here is a checklist you can follow:
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Use clear, plain language that is easy to understand.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Specify why you want the data and what you’re going to do with it.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review and refresh it if anything changes.
- Avoid making consent a precondition of a service.
- Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.
Processing personal data
GDPR is all about the guest’s right to privacy for their data. You must thus provide customers with detailed information on why you need to process personal data and how long you plan to keep the data for. Remember, you can only process data for the purposes you have identified to the user – and to which the user has consented.
Here is a checklist you can follow:
- Document what personal data you hold, where it came from and who you share it with.
- Allow individuals to withdraw or change their consent.
- Allow individuals to have a copy of their data at any
- Ensure you are familiar with data deletion protocols.
- Do not keep data for longer than required.
- There’s an additional consideration for children under 16. Authorization to process a minor’s data should be obtained from their parent or another responsible adult.
- Ensure you preserve technical and organizational records to prove you are protecting data.
- Check your procedures to ensure they cover all the rights individuals have, including how you delete personal data and what format you keep data in.
- Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection Officer (DPO)
You should designate a Data Protection Officer (DPO) to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
The DPO must be independent, an expert in data protection, adequately resourced and report to the highest management level.
The DPO should always understand and be aware of all data flows in the hotel, and they should ensure that they have an up-to-date data register at all times, in case any queries arise.
The name of the DPO should be stated in all privacy statements, whatever the medium. When filing a complaint, the guest will reference the DPO by name.