On 25 May 2018, the General Data Protection Regulation (GDPR) became applicable across the EU. GDPR concerns the protection of personal data and the rights individuals have over their information.
Because it affects the hotel industry, we've gathered a few tips to guide hoteliers through the do's and don'ts of GDPR.
Every hotel in the EU has to:
Identify and Report
Identify and report a personal data breach to their supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned; where the risk is high, the affected guests must be informed as well
Subject Access Requests
Provide every guest, on request, with a copy of their personal data within one month (and provide a mechanism for them to ask for it) – these are called Subject Access Requests (SARs)
Data Transfers Outside the EU
Stop sending personal data to processors outside the EU/EEA unless a valid transfer mechanism is in place, such as an adequacy decision or standard contractual clauses (formerly called model contracts)
Demonstrate GDPR Compliance
Be able to demonstrate their compliance with the GDPR to their supervisory authority: keep records of processing activities, policies and evidence of the measures taken
Update Service Provider Contracts
Rewrite their service provider contracts that involve personal data so that they contain the processor terms GDPR requires (this applies to nearly every such contract)
Rewrite Consents
Rewrite their consent requests to guests so that they are clear and specific, and track what each consent covers and how the data is actually used
Know The Legal Basis
Know, and document, their legal basis for every processing activity they carry out
Ability to Act Promptly
Have the ability to act without undue delay on revoked consents and deletion requests, so that processing stops and the data is removed from every system that holds it
What rights do my guests have under GDPR?
The right to be informed
You must be honest and clear with your guests about how you are using their data.
The right to erasure
Also known as ‘the right to be forgotten’, your guests have the right to request that their personal data is deleted or removed by the hotel, without having to give a reason why.
The right to data portability
This allows your guests to obtain their personal data in a structured, machine-readable format and reuse it for their own purposes, for example by passing it to services that can use the data to find your guests a better deal.
The right to access
Your guests have the right to know exactly what information is held about them and how it is used.
The right to rectify
Your guests can ask to have their personal data corrected if it is inaccurate or incomplete.
The right to restrict processing
Your guests have the right to block or suppress processing of their personal data – meaning that the hotel may store the data, but may not use it without the guest’s permission.
Rights of automated decision making and profiling
The GDPR protects your guests from being subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them, unless safeguards such as human review are in place.
The right to object
In certain circumstances, your guests are entitled to object to their personal data being used. An objection to direct marketing must always be honoured; objections to processing for scientific or historical research, or for the performance of a task in the public interest, must be honoured unless you can show compelling legitimate grounds that override the guest's interests.
So, my guests…
can trust that their personal data is safe?
Yes. As the data controller, you (the hotel) manage your guests' data. Your Property Management System (PMS) stores personal data, and that system must be protected – both physically and technically – from data theft: strong authentication for staff accounts, firewalls and network segmentation, encrypted backups, access logging, and locked server rooms. Your High-Speed Internet Access (HSIA) service also collects personal data which must be protected and managed. Hoist Group is proud to offer GDPR compliant HSIA services where Hoist Group is the data controller and takes on the responsibilities of the GDPR, including technical barriers and requests for information.
can request a copy of the information a hotel holds about them?
Yes. If requested, as the data controller you must provide a copy of the personal data, free of charge for the first copy, in a commonly used electronic format. Before releasing anything, verify that the person making the request really is the guest whose data it concerns (or is authorised to act on their behalf); a SAR answered to the wrong person is itself a data breach.
have the right to be "forgotten"?
Yes. They have the right to ask the hotel to erase their personal data. Data held in your PMS must be erased within one month of the request. Data generated by the guest's internet use (HSIA logs), however, is subject to competing obligations such as data retention laws, which vary from country to country. Where you are obliged to retain data, you cannot honour a guest's deletion request until the retention period has ended; tell the guest which data is retained, why, and until when. Hoist Group HSIA takes these competing obligations into account to manage deletion requests legally and fairly.
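The erasure procedure described above (erase PMS data on request, but defer HSIA records that a retention law says must be kept until the period ends) can be implemented as a small request handler plus a follow-up sweep. The following is an added example, not Hoist Group code or a description of its HSIA product. The systems, record categories, guest IDs and the per-country retention periods in HSIA_LOG_RETENTION_DAYS are constructed assumptions for illustration; real retention periods come from legal counsel, not from this table.

```python
"""Handle a guest's erasure request across PMS and HSIA data, deferring
records that a legal retention obligation says must be kept.

Added example, not Hoist Group code. Systems, categories, guest IDs and the
retention periods below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# ASSUMPTION: per-country retention (in days) for HSIA connection logs.
# Placeholder numbers; real values come from counsel, not from this table.
HSIA_LOG_RETENTION_DAYS = {"IT": 365, "FR": 365, "SE": 180}


@dataclass
class Record:
    system: str      # "PMS" or "HSIA"
    category: str    # "profile", "reservation" or "connection_log"
    guest_id: str
    created: date
    country: str     # country of the hotel that holds the record
    erased: bool = False


@dataclass
class ErasureResult:
    deadline: str    # ISO date by which the guest must have an answer
    erased: List[Record] = field(default_factory=list)
    # (record, ISO date on which it becomes erasable)
    deferred: List[Tuple[Record, str]] = field(default_factory=list)


def retention_end(rec: Record) -> Optional[date]:
    """Date on which the legal hold on this record lapses, or None if no hold applies."""
    if rec.system == "HSIA" and rec.category == "connection_log":
        days = HSIA_LOG_RETENTION_DAYS.get(rec.country)
        if days is None:
            # Fail closed: never erase a log whose retention rule is unknown.
            raise ValueError(f"no retention rule configured for country {rec.country}")
        return rec.created + timedelta(days=days)
    return None  # PMS profile/reservation data: assumed to carry no statutory hold


def process_erasure_request(records, guest_id, requested_on, today):
    """Erase what may be erased now; defer the rest until its hold lapses.

    Dates are ISO strings (YYYY-MM-DD), as they usually arrive from a ticketing system.
    """
    req = date.fromisoformat(requested_on)
    now = date.fromisoformat(today)
    # GDPR Art. 12(3) allows one month; 30 days is used here as a safe lower bound.
    result = ErasureResult(deadline=(req + timedelta(days=30)).isoformat())
    for rec in records:
        if rec.guest_id != guest_id or rec.erased:
            continue
        end = retention_end(rec)
        if end is None or end <= now:
            rec.erased = True
            result.erased.append(rec)
        else:
            result.deferred.append((rec, end.isoformat()))
    return result


def sweep_expired(records, guest_id, today):
    """Follow-up job: erase deferred records whose retention period has now ended."""
    now = date.fromisoformat(today)
    done = []
    for rec in records:
        if rec.guest_id != guest_id or rec.erased:
            continue
        end = retention_end(rec)
        if end is not None and end <= now:
            rec.erased = True
            done.append(rec)
    return done


def sample_records():
    """Constructed sample data for two guests of a hotel in Italy."""
    return [
        Record("PMS", "profile", "g1", date(2023, 1, 10), "IT"),
        Record("PMS", "reservation", "g1", date(2023, 6, 1), "IT"),
        Record("HSIA", "connection_log", "g1", date(2023, 3, 1), "IT"),   # hold already lapsed
        Record("HSIA", "connection_log", "g1", date(2024, 3, 15), "IT"),  # hold until 2025-03-15
        Record("PMS", "profile", "g2", date(2024, 2, 2), "IT"),           # another guest, untouched
    ]


if __name__ == "__main__":
    recs = sample_records()
    res = process_erasure_request(recs, "g1", "2024-06-01", "2024-06-01")
    print("answer the guest by", res.deadline)
    for r in res.erased:
        print("erased:", r.system, r.category, r.created)
    for r, when in res.deferred:
        print("deferred until", when, ":", r.system, r.category, r.created)
```

The deferred list is what you report back to the guest (what is kept, why, and until when); sweep_expired is the job you schedule so that the deferred records are actually erased once the hold ends, rather than forgotten. Raising on an unknown country is deliberate: an unconfigured retention rule must block erasure, not silently permit it.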
Hoist Group and GDPR
Since October 2016, Hoist Group has been working intensively to analyse, verify and improve its products on a path towards compliance with the new regulation. This was made possible thanks to a team of legal experts in data privacy, several teams of developers and Hoist Group's IT department. These teams have been working constantly to ensure the best results, and will continue to do so now that the regulation is in force, as we strive to keep our customers a priority.
This represents Hoist Group's considered and best thinking on GDPR as it relates to our products. In the spirit of transparency and communication between processors and controllers that underpins the GDPR, Hoist Group is sharing this information with you, our customers. However, Hoist Group cannot give your hotel legal advice, and ultimately your compliance is your responsibility.