I'm going to take this post to follow on from my previous blog about the three steps you need to take to be GDPR compliant before the 25th May 2018. Now seems like a good time to explain what GDPR for hospitality owners in a way that anyone can understand it.
What is GDPR?
Wikipedia tells me this: The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). ITpro went a little bit more in-depth here.
The EU's General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
Currently, the UK relies on the Data Protection Act of 1998, which was enacted following the 1995 EU Data Protection Directive, but the new legislation will supersede this. It introduces stricter fines for non-compliance and breaches and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
For an even better overview, check out “GDPR For Dummies” by Kate Bordwell on Nile HQ.
After reading Bordwell's article, I think she makes some excellent points about GDPR. Here are some highlights:
On 25 May 2018, the General Data Protection Regulation (GDPR) will be enforced across Europe, including the UK. The law aims to give citizens more control over their data and to create a uniformity of rules to implement across the continent.
Why should you care about GDPR?
These regulations should inform all of your vacation rental marketing strategies, as well as the overall design and content of your vacation rental website. If you ignore this law, they can be fined up to €20m or 4% of their global annual turnover. Customers care about their privacy and expect companies to respect that. It’s good business sense to demonstrate that you “get” this cultural and financial aspect.
What are the new rules?
Building the rules into your organisational culture rather than being tyrannised by them will help you manage data more effectively, internally and externally.
It falls on these six themes
✅Know what you have, and why you have it
✅Manage data in a structured way
✅Know who is responsible for it
✅Encrypt what you wouldn’t want to be disclosed
✅Design a security-aware culture
✅Be prepared. Expect the best but prepare for the worst
What is the impact on businesses?
Suppose businesses and organisations see this as an opportunity to represent themselves to their customers and target audiences as more responsible and empathetic on the topic of data. In that case, the GDPR can not be a bad thing. This will be particularly true if it enables stronger relationship building because it potentially offers the basis for more equality and trust between businesses and their customers.
What does it mean for the consumer?
While many consumers may not be aware of the change, many will begin to notice some differences in how businesses and organisations communicate with them. Privacy notices will be more transparent, consumer rights will be upheld and publicised, and news about data breaches will travel faster and be harder to cover up.
I also found “Hospitality: Unprepared for GDPR” from Hospitality Technology very helpful.
It further elaborates on GDPR. Here are some of the main highlights:
They point out how the hospitality industry is considered one of the most vulnerable to data threats.
Actual policy implementation requires the following:
Internal processing. A property must provide very detailed information on why it needs to process personal data and how long it plans to keep it. This procedure involves organised retention policies so that a hotel always knows the status of such information.
A hotel must keep technical and organisational records to prove it is protecting data. It will also need to show the supervisory authority that it has these mechanisms in place.
Hotels need a section on their website that permits “opting in,” thus allowing hotels to store PII data. Furthermore, they must explain the process, enabling guests to access, modify and delete information. This in itself poses significant issues when data is held in different locations.
Training
Hoteliers should ensure their staff training is both up to speed, especially when it comes to GDPR compliance. Hotel staff must be aware of how to collect, access, use and disclose personal information and restrict access to cardholder data. They must advise on how to create strong passwords and know how to dispose of documents containing payment card data properly.
It is vital that hotels begin preparing for GDPR now, so that come May 2018, they can be sure to avoid data breaches and hefty financial penalties.
My View
I have recently read a lot of blogs about this subject. My biggest takeaway is that most people don’t know what it all means! Those who are trying to explain it are writing in complicated and confusing terms.
As long as you follow these simple steps for the hospitality industry, you will be okay.
The main three ways (in my opinion) to ensure you are safe are:
- Get a privacy policy implemented on your website – for an example, check this out.
- Check on the ICO website to see if you have to register with them here.
- Make sure your email sign up form has GDPR compliant boxes. Now, you have to be very transparent about how you are going to use their information. For an example, check out my email sign up form.
