As you are probably aware, the new data protection law (GDPR) goes into effect on May 25th. At FrontDesk Master, we are following the developments and taking the necessary steps to be compliant and also to provide you with tools which will help you comply with the regulations.
While this shouldn’t be considered legal advice, please have a look at this short summary of information which may be relevant for you and your property.
What is GDPR?
The General Data Protection Regulation (GDPR) aims to protect the fundamental right to privacy and the protection of personal data of European Union (EU) citizens.
This regulation affects any entity that processes EU citizens’ personal data. Whether or not you or your business is located in the EU, if you have EU site visitors, or if your marketing campaigns target EU citizens, this affects you.
The full text of the GDPR can be found here and a glossary of all the legal terms you’ll need to know can be found here.
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier.
If you are unsure what this means, ask yourself a question:
– Based on the information I possess, could I possibly identify the person? Can I find out who it is (also using technology)?
If you could possibly find out who the owner of the data is, you are collecting personal data in scope of GDPR!
A Controller (Hostel or Hotel) is the entity that determines the purpose, conditions and means of the processing of personal data, while the Processor (FrontDesk Master) is an entity which processes personal data on behalf of the controller.
Note!
The GDPR treats the data Controller (Hotel or Hostel) as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request the data processor remove the revoked data from their servers.
As a data Controller you must be GDPR compliant!
There are two words which best describe the requirements: transparency and communication.
GDPR requires that you be very transparent with your guests about why and what data you are going to collect, how long you are going to store it and how you are going to use it. There is a difference between storing data because of legal requirements or booking processing and storing it for marketing reasons. It is your responsibility to inform the guest about it and to obtain relevant and explicit consent if, for instance, you want to build up your marketing database and send guests birthday cards or promo codes.
Sorry to say, but to our knowledge it applies to everything you have already collected. Unless you have a lawful reason, i.e. you are legally obliged to store the data or you have appropriate consent to store it, you shall either erase the data or bring it into compliance (collect explicit consent!).
If you want us to remove your past reservation data in bulk, please contact us at support@frontdeskmaster.com.
We strongly recommend avoiding such a notion, given that the GDPR allows fines of up to 20 million Euro or 4% of your annual profit, whichever is higher!
Stay calm and don’t panic. GDPR was not introduced to collect fines, but we all need to act responsibly and consciously towards full compliance.
What do you need to do and how can FrontDesk Master help you?
Step 1
Obviously when accepting bookings you do have a lawful reason for collecting guests’ personal data. However, you should still make sure that your guest was informed about:
- What data are you collecting?
- How long are you storing it?
- How are you going to use it and why?
For instance, you may need to inform the guest that you are legally obliged to store certain data for 3 years after the check-out or you may request a guest’s consent to store the data for marketing purposes.
Just to be clear, the consent must be explicit and unambiguous and distinguishable from other matters.
- Printouts made automatically for each guest may help you collect the necessary consent in a traditional way. See how here.
- Collect Consent during Booking Engine reservations. New functionality will allow you not only to have guests accept your Terms of Stay but also to collect explicit marketing consent. (In preparation.)
Step 2
As we previously mentioned, GDPR refers to collecting and storing personal data which allows identifying the person. Look at these 2 examples:
- John Smith, USA, born 2nd June 1999, Email: coolguest@gmail.com, Facebook: JSmith
- John, USA, Age: 20-25
Undoubtedly, in the first case you do have data in scope of GDPR protection. In the second case, if that’s all you have, you do not have data which allows identifying the person, and you can store such data for statistical purposes forever!
FrontDesk Master will let you anonymize guest details automatically some time after the check-out.
It means that personal details will be turned into dummy details allowing you to maintain the statistics and comply with GDPR.
The tool will start working next week!
Important!
At FrontDesk Master, we believe that anonymization may be one of the best ways for you to deal with your past reservation data, but remember that it is your responsibility as a Controller to take action and determine what to do with the data you collect to comply with the new regulations.
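The idea from Step 2, turning the first example record into something like the second after check-out, as an added sketch (written for this page, not FrontDesk Master's implementation). The field names, the 30-day retention window and the consent flag are assumptions; it also blanks free-text fields that repeat a removed identifier.

```python
from datetime import date, timedelta

RETENTION = timedelta(days=30)  # assumed window; the page states none
# Hypothetical schema: fields that identify a guest directly.
DIRECT_IDENTIFIERS = ("last_name", "email", "facebook", "birth_date")

def age_band(birth_date, on_date, width=5):
    """Coarse range such as '20-25' (ages 20 to 24) instead of a birth date."""
    had_birthday = (on_date.month, on_date.day) >= (birth_date.month, birth_date.day)
    age = on_date.year - birth_date.year - (0 if had_birthday else 1)
    low = age // width * width
    return f"{low}-{low + width}"

def anonymize(guest, today):
    """Return a statistics-only copy once the retention window has passed."""
    if guest.get("marketing_consent") or today - guest["check_out"] < RETENTION:
        return dict(guest)  # consent or retention period still applies
    removed = [str(guest[f]).lower() for f in ("last_name", "email", "facebook")
               if guest.get(f)]
    out = {k: v for k, v in guest.items() if k not in DIRECT_IDENTIFIERS}
    # Free-text fields can repeat an identifier (an e-mail typed into notes).
    for key, value in list(out.items()):
        if isinstance(value, str) and any(r in value.lower() for r in removed):
            out[key] = ""
    out["age_band"] = age_band(guest["birth_date"], guest["check_out"])
    out["anonymized"] = True
    return out

# Constructed sample record, modelled on the first example in Step 2.
SAMPLE = {
    "first_name": "John", "last_name": "Smith", "country": "USA",
    "birth_date": date(1999, 6, 2), "email": "coolguest@gmail.com",
    "facebook": "JSmith", "notes": "Invoice sent to coolguest@gmail.com",
    "check_out": date(2019, 8, 10), "marketing_consent": False,
}

if __name__ == "__main__":
    print(anonymize(SAMPLE, date(2019, 10, 1)))
```
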
Step 3
In accordance with GDPR your guests have Right of Access and Right to Rectify/Delete.
It means that anybody whose data is in your system has the right to obtain confirmation of what data you stored, modify it or request that it be deleted. If your guest wants to know what data you collected, you must offer him or her the right to view it and potentially modify it or delete it (if there is no lawful reason for further storing the data, i.e. legal requirement, binding reservation, etc.).
The Online Guest Account can be accessed by any guest whose data is in the system. From there, guests will be able to see what data you store. They will be able to manage the consent they gave or even delete their profile (if you allow it).
You can already test the access to the account here, but only on newly made bookings (for now). You can also find Online Check-in settings in Property Details.
What has FrontDesk Master done to comply with GDPR?
We have implemented and are implementing changes.
We have worked to prepare our services for GDPR. We reviewed our data processing activities, and are making any changes that are needed to comply with GDPR, such as implementing appropriate technical and organizational measures.
We have released updated Terms and Conditions and Privacy Policy
We have published updated versions of our Terms and Conditions and Privacy Policy, which contain the necessary information regarding FrontDesk Master’s data practices. In the coming days, Property Administrators will be prompted in the system to acknowledge and accept the changes.
See here Terms and Conditions and Privacy Policy.
Please note that while we want to make it easier for you to comply with the new regulations by releasing new tools, you may need to seek legal advice to ensure you comply with the new regulations.
If you have any questions, please don’t hesitate to contact us at support@frontdeskmaster.com.
FrontDesk Master Team