GDPR is coming: is your hotel ready?

GDPR is coming: is your hotel ready?

What is GDPR?

The General Data Protection Regulation (GDPR, gdpr-info.eu) — is a new EU Regulation which enhances the personal data protection of citizens and increases the obligations of companies collecting or processing data.

The GDPR will apply to your company in case you use the personal data of EU citizens, even if it isn't based in Europe.

It will come into force on 25th May, 2018. So hotels (and other companies working with Europeans) have a few weeks to prepare.

In order to understand the seriousness of the new rules, we will start with fines. It is 20 million euros or 4% of the company's annual revenue!

Prepping for GDPR - Chart

So, it is better to start your preparation with creating a spreadsheet: what visitors' data you collect, for which purpose and what information can be easily discarded. Personal information is any type of information that relates to an individual (data subject), and with which you can directly or indirectly identify the data subject. For example: name, postal address, location, etc. The term is so broad that even an IP address can be considered a personal information.

What you need to know about GDPR

In order not to be fined, it is necessary to follow the six basic principles of the GDPR:

1 Personal data shall be processed legally, fairly and transparently. All information about goals, methods and processing volumes should be maximally available and clearly stated in the Privacy Policy, so that even the novice user can understand it. Moreover, users should confirm that they agree with the data use policy. If not, they cannot use the website.
2 The data should be collected and used only for the stated in the agreement purposes.
3 You cannot collect more data than necessary for processing purposes. We mentioned it above: you need to determine exactly what data you need and for which purposes in the first place.
4 Personal data that is inaccurate, must be deleted or corrected (at the request of the site user).
5 Data should be stored in a form that allows you to identify the data subject for a period not longer than necessary for your purposes.
6 When collecting or processing data, companies are required to protect personal data from illegal processing, damage or disposal.
GDPR: agree or disagree - Chart

If there are any violations related to personal data, companies are required to notify regulatory authorities (in Germany — Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit — www.bfdi.bund.de) and data subjects within 72 hours after the discovery. Even if they themselves are guilty.

Data protection law is expanded

Since May 25th, GDPR significantly expands the law on the rights of EU citizens and residents to control their personal data. Users from Europe have the right to request confirmation of the fact of processing, the place and purpose of processing, the category of personal data, to which third parties these data are transmitted and for which purposes, to specify the source of data receipt and to require their correction. Also, the user has the right to request termination of data processing. Also the GDPR provides the possibility for your data to be forgotten, which allows you to delete your data on demand and avoid spreading.

In the law there is also one important innovation: the right of data portability. A data subject may require all collected data to be transferred from one portal to another portal. For example, your potential customer can fill out completely a personal account, and after they you should provide a free copy of all these data to another online service upon the user's request.

Companies updates in advance of the GDPR - Chart

Requirements for consent forms

The GDPR requires that the form of obtaining consent on the user data processing be worked out seriously and in detail.

1 Consent can not be expressed in the form of silence or inaction of the user, we do not recommend using fields with an already ticked box or other methods.
2 Consent will be invalid if the person had no choice or no opportunity to cancel their consent without harming himself.
3 It must be expressed in the form of a statement or in the form of action.
4 Information on how to revoke a consent should be placed in such a way that the user can easily find it.
5 At the beginning of the session you can offer to agree to the data processing policy in the Privacy Policy section, and place there the instructions on how to remove consent.
6 Alternatively, hotels can only provide information about the registered users. Probably, this will negatively affect the conversion.

The case with the child data is more serious, because children are less aware of the risks. The consent to the child's data processing should be authorized by the parents or legal representatives. The age threshold for this is determined by the EU members separately in each country, from 13 to 16 years. If you do not need to process the data of children, you need to specify in large print that using the site and services is allowed all persons over the age of sixteen.

Each organization is required to assign a data protection officer to manage data processing processes and monitor compliance according to the requirements of the GDPR. Then you will need to publish the information about the assigned person, as well as send it to the national regulator of the right EU country.

How to prepare for the GDPR - Infographic

Public relations: Ralph Eichelberger

Latest News