GDPR Essentials
Proof of consent
- Explicit consent is required from all recipients in EU member states
- Use double opt-in to help ensure compliance
Right to data portability
- Guests from EU member states have the right to their data
- Controllers must be able to provide guests with their information if requested
- Data held with Revinate includes profile information, survey responses and stay history
Right to erasure
- Guests from EU member states have the right to be forgotten
- The data processor must be able to delete the guest entirely from its records
- The controller must work with all processors to ensure guest data is completely erased
Right to refuse profiling
- Guests can request not to be profiled based on personal data
Terms to know
1. General Data Protection Regulation (GDPR): Effective May 25, 2018, the GDPR aims to protect and strengthen the privacy rights of European Union (EU) individuals through stricter, more defined requirements for handling and processing personal data. Non-compliant controllers will see fines up to 20 million euros or 4% of annual turnover (whichever is greater). However, smaller companies and companies able to demonstrate that they are working with data protection in mind are likely to see reduced fines.
All organizations that provide goods or services to the EU or possess the personal data of an EU citizen are subject to the GDPR. If your hotel has personal data on any EU resident or citizen, regardless of your hotel’s location, the GDPR applies.
2. Personal Data: Any data relating to an individual, true or not, that could lead to the identification of an individual. This information includes but is not limited to:
- Name
- Address
- Phone number
- IP address
- Transaction history
- Traveling habits
Another aspect of Personal Data is Sensitive Personal Data. For example:
- Racial or ethnic origin of the individual
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health
- Genetic and biometric data (including photos)
Personally Identifiable Information (PII), which is similar to Personal Data, represents more specific information. Used in security and privacy laws, it includes some aspects of Personal Data such as name and phone number but also encompasses more explicit factors such as maiden name and social security number, for example.
3. Proof of Consent: In the GDPR, consent is the basis of processing personal data. Consent requires a positive opt-in. Silence, pre-checked boxes, or inactivity will not be accepted as consent. Individuals must be clear on why they will have to provide personal data and for what it will be used. It’s mandatory to keep evidence of how and when you request, obtain, and document consent.
Additionally, EU citizens have the right to withdraw consent at any time. Double opt-in, whereby an individual who signs up for email promotions receives an email containing a verification link and must click it before being added, is not required by the GDPR but is another method of capturing Proof of Consent from individuals.
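The double opt-in flow described above, written out as an added example; this is not code from the original page or from Revinate's product. The HMAC secret, the token layout, the 48-hour link validity, the sample guest address and the fields kept in the consent record are all assumptions made for the example. It shows the two steps (form submission, then link confirmation), rejects forged, expired and replayed links, and keeps the "how and when" evidence the text says must be retained, including withdrawal.

```python
"""Double opt-in consent capture with a verifiable audit record (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Assumptions for the example: a controller-held secret and a fixed link lifetime.
SECRET_KEY = b"example-secret-rotate-me"   # constructed; load from a secret store in practice
TOKEN_TTL = timedelta(hours=48)            # assumed validity window for the verification link


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload so the link cannot be altered or forged."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_confirmation_token(email: str, purpose: str, now: datetime) -> tuple[str, dict]:
    """Step 1 (single opt-in): the guest submits the sign-up form.
    Record the request and mint a signed, time-limited token for the email link."""
    nonce = secrets.token_hex(8)
    expires = (now + TOKEN_TTL).isoformat()
    payload = "|".join([email, purpose, expires, nonce])
    token = payload + "|" + _sign(payload)
    pending = {
        "email": email,
        "purpose": purpose,            # what the data will be used for, shown on the form
        "requested_at": now.isoformat(),
        "expires_at": expires,
        "nonce": nonce,
        "status": "pending",           # not consent yet: nothing is sent until confirmed
    }
    return token, pending


def confirm_token(token: str, stored: dict, now: datetime, source_ip: str) -> dict | None:
    """Step 2 (double opt-in): the guest clicks the link. Only a token whose signature,
    nonce and expiry all check out turns the pending record into proof of consent."""
    try:
        email, purpose, expires, nonce, sig = token.split("|")
    except ValueError:
        return None                                     # malformed link
    payload = "|".join([email, purpose, expires, nonce])
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                                     # forged or altered link
    if nonce != stored["nonce"] or stored["status"] != "pending":
        return None                                     # replay, or already used/withdrawn
    if now > datetime.fromisoformat(expires):
        return None                                     # stale link: inactivity is not consent
    record = dict(stored)
    record.update(
        status="confirmed",
        confirmed_at=now.isoformat(),
        confirmation_source_ip=source_ip,
        method="double_opt_in",
    )
    return record


def withdraw_consent(record: dict, now: datetime) -> dict:
    """Withdrawal is kept as a status change, not a deletion, so the evidence of
    how and when consent was obtained survives alongside when it was withdrawn."""
    updated = dict(record)
    updated.update(status="withdrawn", withdrawn_at=now.isoformat())
    return updated


def run_demo() -> dict:
    """Exercise the happy path and the three failure modes with constructed values."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ip = "203.0.113.7"                                  # constructed documentation address
    token, pending = issue_confirmation_token("guest@example.com", "email_marketing", t0)
    confirmed = confirm_token(token, pending, t0 + timedelta(hours=2), ip)
    tampered = confirm_token(token.replace("email_marketing", "sms_marketing"), pending,
                             t0 + timedelta(hours=2), ip)
    expired = confirm_token(token, pending, t0 + timedelta(hours=49), ip)
    replayed = confirm_token(token, confirmed, t0 + timedelta(hours=3), ip) if confirmed else None
    withdrawn = withdraw_consent(confirmed, t0 + timedelta(days=30)) if confirmed else None
    return {"confirmed": confirmed, "tampered": tampered, "expired": expired,
            "replayed": replayed, "withdrawn": withdrawn}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The record returned by `confirm_token` is the proof of consent: it carries the purpose shown at sign-up, the time of the request, the time and source of the confirming click, and the method used, which is what an auditor asks for. Persist it with the guest profile, and treat withdrawal as a new status on the same record rather than a delete, so the history stays intact.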
4. Right of Data Portability: EU citizens have the right to access and request a copy of their own personal data at any time. They can update, delete, restrict, or move their data to another organization without interference, under any circumstances.
5. Data Controller: The entity that determines the purpose and method of processing the personal data. In this case, the data controller is the hotel.
6. Data Processor: The entity that processes data on behalf of the data controller. Oftentimes, data processors are vendors and contractors for hotels. In this case, the data processor is Revinate.
7. Data Subprocessor: The entity that processes personal data on behalf of the processor in order for them to complete their work. An example is Return Path, helping hotel marketers with their email deliverability.
8. Right to Erasure: Also known as Right to Be Forgotten. Under the GDPR, individuals have the right to request a controller delete all of the information known about them and end further distribution of the data.
9. Right to Correction: Also known as Right to Rectification. Individuals have the right to demand correction of their personal data from a controller.
10. Right to Refuse Profiling: This gives EU citizens the right to avoid being targeted specifically based on their data. Profiling, as defined by the GDPR, requires an outcome or action of some sort as a result of personal data processing. Fortunately for hotels, they can exclude guests from marketing segments.
11. Data Protection by Design: Also known as Privacy by Design. Controllers must implement appropriate technical and organizational measures to ensure the continued integrity, confidentiality, and usability of their personal data processing systems and services. They must guarantee that only necessary personal data for each specific purpose is processed. Data protection measures must be implemented by design and by default.
12. Data Breaches: A breach of security that leads to the accidental or prohibited access to, destruction, misuse, or exposure of personal data. In the case of a personal data breach, the controller must notify the nominated EU authority within 72 hours of becoming aware.
Preparation Best Practices
1. Establish whether or not GDPR applies to you
GDPR applies to the handling of information of EU citizens, not just hotels operating in Europe. If you have the data of any EU citizen or resident, regardless of when that resident stayed with you, GDPR applies to you.
2. Educate and train your staff
GDPR applies to every hotel department, from Ownership to Front Desk Agents. Start by building awareness. Hotel staff must understand how to collect, access, use and disclose personal information, as well as how to restrict access to cardholder data.
Measures should include:
- Limit access to personal data to only those who need to see it
- Advise employees on how to properly dispose of documents containing payment card data
- Read up on relevant GDPR terms you and your staff need to know.
- Send email marketing communications to only those who have explicitly OPTED-IN to your hotel guest marketing program
3. Know where your data is stored
Hotels by nature manage a vast amount of personal data. Before you even begin protecting the data, you first need to know which information you are holding and where it’s stored. General Personally Identifiable Information (PII) includes:
- Name
- Birthdate
- Email
- Address
- Phone Number
In addition to general data, hotels have to consider other sensitive information they may be collecting on guests. For example, even something like a guest’s dietary preference could be considered sensitive health information and therefore out of compliance if you don’t have their explicit consent to process such data.
Hotels receive all this information from many sources, including third-party booking systems, point-of-sale systems, their booking engine, email marketing messages, phone, even scribbled Post-It notes. First account for all data, then decide how it should be handled. Actions can include deletion, redaction, encryption, quarantine, or storage in an accredited, cloud-based storage solution, where it can be accessed by staff. Another consideration is IT: ensure your systems are up-to-date for maximum data protection.
4. Understand who has access to your data
Don’t forget that many partners and third parties also have access to your data. It’s important to understand all existing contracts and who has logins to each of your systems storing sensitive data. Ensure these partners and data processors, like Revinate, are able to comply with GDPR’s “right to be forgotten” stipulation. Under it, anyone residing in the EU, not just EU citizens, can request that their personal information be removed from databases in a timely fashion, or be told the reason why it can't. This means that not only do you have to wipe your own systems, but your data partners will be expected to as well.
5. Seek assistance
As a final tip, consider consulting legal or other data privacy expertise for guidance specific to your hotel or organization. It may be recommended to appoint a Data Protection Officer (DPO). The DPO should always be aware of all data flows in the hotel. This leadership and alignment are especially important for hotels with multiple properties or in multiple EU countries.