On the 25th of May 2018 the new GDPR law will be in effect across the EU. There has been a lot of talk about this new law, but mostly hear-say and especially a lot of fear and uncertainty.
A lot of consultancy firms are writing big headlines about the enormous fines you might get if you do not follow the law and using fear mongering tactics they are making people worry themselves maximally in the hopes of selling more consultancy hours.
Having said that, we at HappyBooking of course take GDPR seriously. Most likely the country you operate in has some laws pertaining to processing of your guest’s personal information, but most likely the new GDPR laws will add some more requirements. We say most likely, since before GDPR every country had their own laws, so it depends case by case. Here are some examples of this:
- The person whose data is being collected and processed must explicitly consent to this. The person must be fully aware of exactly what he consented to, so no longer can a long user agreement text have these parts baked into it. The consent must be recorded in such a way that it can be proven at a later date that the person did actually consent to his or her data getting collected and processed. The consent may also be withdrawn at any point in time
- The requirements for the information given about what is collected and what for is probably going to be higher than it is currently. It is no longer sufficient to just say that information will be collected and processed, it needs to be clear what is collected, for what purpose and with what retention time. There also needs to be information of who to contact about your own data
- There needs to be a way for people to be able to request the information stored about themselves, without cost
- When there is no longer a direct need to keep the personal information, it must be deleted. If someone chooses to withdraw his consent, the data must be deleted without unnecessary delay
- The IT architecture needs to be of such kind that the security of this personal information is well protected by default. This means that transfer and storage need to be encrypted, and security needs to be of highest possible standard
- If a data breach is found to have occurred, the authorities need to be informed within 72 hours with details about the breach
- The data must be possible to export in such a way that it can be easily read by a system developed by a third party
From a hotels perspective
If you read this list above while thinking about how this impacts a hotel and their daily business, you end up with something like this list about how daily practices and processes will be affected:
- The guest must always be asked if they consent to their personal information being stored and processed. But just verbally asking is not enough, the consent must be given in such a way that it can be later proven that the guest said “yes”. This means that bookings that come in through phone and walk in customers will need to be dealt with in some other manner. Somehow you as the hotelier need to be able to show proof of the consent
- The terms and conditions need to be clear and actual of what you do with the guests personal data
- The booking engine and property manage system you use must:
- Have support for an explicit confirmation and consent of the terms and conditions
- Have support for withdrawal of consent in an automated manner
- Delete all personal data when they are no longer relevant or lacking consent
- Have good security through all its subsystems and components. The data must be stored in a highly secured manner
- Have support for data export in a format that is machine readable
The changes that we will implement before the 25th of May 2018, so that we are able to provide you with a GDPR-secure system are the following:
- Clear and mandatory terms and conditions that need to be confirmed before creating a booking through our booking engine. We will write a default one, that regulates our own processing of the customer data, but to which you can add your own terms and conditions if you so please
- Let the guest themselves decide if they allow that the hotel contacts them after the booking has passed. This information will be clearly shown inside the PMS
- When entering bookings through the administration interface, clearly remind the user that consent must have been received before inserting the booking, and give the option to select whether the guest agrees to possibly being contacted after the booking
- Add an online form where guests from all our connected facilities can request to be deleted from our databases, and thusly withdraw the consent of having their information stored
- Removal of personal data 2 years after the last booking has expired. In other words, if the guest does not return to the same facility within 2 years, he or she will be forgotten and all information about the guest will be removed
Something that already is in place and does not need any change or work is the security of our system. It has been of highest priority since day one. All of our databases are encrypted, all data transfer is through secure channels and firewalls are in place to make sure the risk of unauthorized access is kept at a minimum.
We have always had the possibility to export whatever information needed and offering this possibility to hotels or their guests we will keep on doing.
Regarding the personal information we have about our own users, the hoteliers and their staff, we will need to update our terms and conditions and get a verifiable consent from you for our own sake. We will display a popup at login in the upcoming weeks, where you need to give us your consent that we keep some information about the person who logged in and their actions in the system.
The General Data Protection Regulation is 88 pages long, it is very complex and has a lot of nuances in various places where it is not too clear exactly what is meant. Nobody really knows how to interpret certain things, so we will need to wait and see for some time yet before the finer points of the regulation are clear. GDPR compliance is a process that will need to be ongoing for all of us, seeing this as a one-time effort might be dangerous in the long run. The processes and routines of your organization will need constant supervision to make sure old habits do not return, and the safe keeping of personal information is up to this new, and high standard.
Here at HappyBooking we cannot argue that we are experts in everything the regulation contains, however we have tried our utmost to make sure that we know everything that will affect our clients and our own operations. If you have any thoughts or questions regarding all this, or just want to ask if we can give you any pointers or counsel, feel free to drop us an email and we will try to help.