With 25th May looming, compliance with GDPR has to be on the minds of most hoteliers and venue owners!
At WeddingDates, we have been reviewing our obligations under the new regulation. This blog is my take on how it relates to this industry, having gone through training and an internal audit with a GDPR consultant for our business. I am not an authority on the matter, so please do ensure you seek guidance from a compliance professional, as we have done within WeddingDates.
The hospitality industry is particularly vulnerable given the level of personal data held about its guests. GDPR is all about giving individuals more control over how businesses & organisations use their personal data, and if companies don’t comply, there will be consequences. In fact, a breach could cost up to €20m or 4% of worldwide annual turnover (whichever is greater). They are scary numbers! But all this can be avoided if venues ensure their data protection processes are compliant!
So what is GDPR?
In a nutshell, the General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted in May 2016 and will come into force on May 25th 2018. As there are many changes to the legislation, the preparation needed to ensure compliance is significant.
What is personal data?
It is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. So, if you think about all the data you gather for couples who are thinking of holding their wedding with you, you could be highly exposed here if you don’t handle their data properly!
And what do Venues need to know?
There are a couple of key things that Wedding Venues need to consider:
Capturing & using personal data
Collecting personal data from individuals must only be for specified, explicit and legitimate purposes. This means that data cannot be further used in a way that conflicts with the original purpose. So, what might this mean for you? Taking an email address at the time of booking and then using it at a later stage for email marketing, without consent, would contravene the legislation. Hotels & venues need to have a plan in place to deal with gaining consent before the regulation comes into effect. Given that most venues accept credit card payments, they also need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). This outlines that if a company intends to accept card payments and to store, process and transmit cardholder data, it needs to host that data securely with a PCI-compliant hosting provider.
Email marketing has become a huge part of how business is done in this industry. However, individuals now need to ‘opt in’ as opposed to ‘opt out’. This means that hotels must have proof that their customers gave consent for their data to be used for marketing purposes, and customers must also be able to specify which data they wish to be used. If customer lists are purchased, the buyer must have supporting evidence that proves those customers gave consent for their data to be used.
Third Party Partners
You will hear terms used that are important to understand. Firstly, there are both ‘controllers’ and ‘processors’ of data, and both need to abide by GDPR. A data controller determines how and why personal data is processed, while a processor is the party doing the actual processing of the data. So, the controller could be a hotel and the processor could be an IT firm doing the actual data processing.
It doesn’t matter if either the controller or the processor is located outside the EU: the rules apply so long as they are dealing with data belonging to EU residents. It’s the controller’s responsibility to ensure its processor abides by data protection law, and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
If you are utilising the WeddingDates website plugin and/or dashboard to input all your wedding enquiries & store the data on your behalf, you need to be aware that you are making this decision to do so and, in this instance, you are the Data Controller and WeddingDates are the Data Processor (as we are hosting the data and acting on your instruction).
To comply with the first principle of data protection, “Lawfulness, Fairness and Transparency”, you should be upfront about the fact that you are utilising WeddingDates software. We recommend you mention the fact that you store the data on the WeddingDates Dashboard in your own Privacy Statement on your website. Something like the following should be sufficient (however, as with everything related to GDPR, it is recommended to seek external expert advice): “As a business, we rely on a few third-party services to make sure we are efficient and effective; for example, we use WeddingDates (SaaS). Data protection compliance is a prerequisite in our vendor selection process.”
So what next?
Hotels should most likely do a data-mapping exercise, as there are so many points within the hotel at which they gather data, e.g. email, fax, phone, internet, etc. They will need to look at how they store their data, what they do with historical data, and who has responsibility for ensuring compliance with GDPR within the company from here on. There will be a requirement for ongoing training and for reaching out to customers about the data they hold. It is multi-faceted, and GDPR will have to become part of business as usual for hoteliers and venues.
Good luck everyone!
Founder & CEO WeddingDates