The previous part of this blog series gave an overview about GDPR, its objectives, how it originated and the key changes that it will bring in effect. In this blog, we’ll be discussing the data subjects and the new enhanced rights afforded to them, the obligations that you will have while complying with the GDPR and how to apply GDPR in the hospitality industry.
DATA SUBJECTS AND THEIR NEW RIGHTS
GDPR provides greater rights for data subjects/guests, including:
- Right to be informed – Greater transparency on reasons for processing data i.e. what data do you hold, what do you need it for, what are you going to be doing with it and how long will you be keeping it for.
- Rights of access–Data subject will have the ability to access their data and can also avail a copy of their data file free of charge.
- Data portability – Data subjects will have the right to request a transfer of their data to another service provider.
- Right to be forgotten – Data subject will have the right to obtain the erasure of personal data concerning him or her without undue delay.
- Right of rectification – Data subject will have the right to obtain the rectification of inaccurate personal data concerning him or her.
- Rights in relation to automated decision making and profiling – Data subject will have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Consent – You must be clear about the data you are requesting and having consent for the specific purpose you intend to use it for. In some cases, you may be looking at a menu of consents if you provide a variety of services e.g. marketing, facilitation of booking, transferring data to other providers etc.
CONSIDERATIONS
Now let’s discuss the obligations you will have from both an internal and external perspective when seeking to comply with the GDPR within your hotel.
Internal Considerations – It’s important to remember that there are internal obligations in terms of employment rights and responsibilities. Your GDPR obligations are also owed to your employees (as EU citizens). Given the international nature of your business, you may well have EU establishments or employees that are EU citizens, perhaps based in various locations.
External Considerations -This demonstrates the data collected and gathered from a consumer point of view and the relevant data flow. The data comes to you for the required purpose and you will then filter it out to relevant suppliers, perhaps for catering purposes, or other additional services via the concierge. Once the data is transferred to other parties the obligations continue to grow.
PRACTICALITIES AND PREPARATION –
Now that we have considered the obligations under the GDPR, let’s try and apply it to your business. In doing so, we have thought about the various ‘touch’ points at which the hospitality/hotel industry gathers and collects data.
- Booking request/enquiry
- Reservation stage
- Suppliers and information
- During travel
- Emergency
- Sensitive data issues
- Retention of data
We have highlighted a list of issues that are relevant, e.g. from the moment the booking request is made or an enquiry is received, at the point of reservation and payment, when you transfer information to suppliers for the provision of various services, during the guests stay/travel in the event of further additional requirements, in the event of an emergency during their stay and in respect of any sensitive data issues (including under 16’s).
In addition, once the services have been provided, you have to be clear about how long you will keep the data for. It is only necessary to keep data for as long as it is required to fulfil the purpose for which it was collected. There are, of course, exceptions to this, perhaps in relation to tax and employment issues. Although, you may have to sensitise the data you hold in this regard. The added benefit of regularly purging data is of course that the less data you hold, the less chance of a significant breach taking place.
SUGGESTED GDPR PLAN –
If you haven’t yet implemented a data protection, it still isn’t too late! Here’s a brief outline of what you should do next.
- Phase 1 – Perform an audit and privacy impact assessment (PIA). Raise awareness of the obligations under the GDPR internally. Remember that the focus is on accountability and is intended to be a top-down approach.
- Phase 2 – Make some decisions about the way in which you intend to take some action, like who will be responsible for implementation of your plans and ongoing approach? Perhaps, your DPO.
- Phase 3 – Develop policies, procedures and documents. Remember that they should be in line with your business – if you try to implement policies and procedures that don’t actually fit with the way in which you work, it is going to be harder to make them successful.
- Phase 4 – Review your security measures – both IT and physical. Data breaches can occur due to documents lying around, not just due to data hacking and IT issues. Think about any further systems that should be implemented, PCI compliance is a good measure. There are also cyber essentials qualifications that can help you evaluate the risk areas in terms of security.
- Phase 5 – Implementation, training and ongoing governance/compliance will be crucial. Once you have the right systems in place you must implement them. There is no point having these ready on paper but not properly rolled out and integrated into the business. This could be considered as a breach under the GDPR and makes you susceptible to the risk of a data breach.
- BEWARE! Finally – please beware of the IT solutions alone. While many of them are great and certainly, IT will play a big role in GDPR compliance, an off the shelf IT solution is not the answer. IT systems should be used as a tool but not the driver behind the entire process and procedure you intend to implement. This would undoubtedly defeat the objective of privacy by design and by default.
Implementation is one thing, but on-going GDPR compliance is another. The GDPR will be a ‘live’ and ongoing issue – it will require constant monitoring and will evolve over time.
If you have any questions regarding GDPR, let us know in the comments section below and we’ll reply to you there.
For more information about GDPR and the full recording of this webinar visit www.cvent.com/GDPR
