The enforcement date of the EU General Data Protection Regulation (GDPR) will start on 25 May 2018 for all companies processing personal data. Hoteliers.com is fully committed to being GDPR compliant, as we develop our products with Privacy by Design and Security First as a must.
What is the GDPR?
The EU General Data Protection Regulation (GDPR) replaces the 20-year-old Data Protection Directive and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
What is the benefit of GDPR?
A good example of the benefit of GDPR is the case of Facebook and Spotify. When you created an account on Spotify with your Facebook account, they could share your personal information without you knowing. Spotify would receive your account information, location and friend list from Facebook, while Facebook would receive your music preferences from Spotify. The GDPR prohibits companies from sharing information without the clear, proven consent of the user.
What are the main effects of GDPR?
The GDPR has a large impact on all types of organizations working with EU citizens. The five most important changes are:
- More rights for individuals: The new GDPR includes the right for individuals to request access to, correction of or removal of their personal data. Each company should have a procedure in place to remove all personal data of an individual when requested to do so.
- Assessment of personal data: Every company should fully assess the processing of personal data and the reasons why this personal data is needed, and adjust their products and procedures to comply with GDPR.
- Overview of security measures: A clear overview of where personal data is stored and how this data is secured should be in place. Access to this data should also be regulated.
- Data breaches: An internal log of (potential) data breaches and a procedure to report data breaches to partners and authorities should be in place.
- Processing agreement: Each company should have a processing agreement with their partners in case personal data is shared.
If a company doesn't comply with the GDPR, authorities can fine the organization up to €20 million or 4% of the company's annual global revenue.
When does GDPR come into effect?
The GDPR will be enforced starting on May 25th, 2018.
My hotel is outside the EU
If your hotel is located outside of the EU, you still need to comply with GDPR if you process data of individuals in the EU.
What do hotels need to do?
Hotels process a large amount of personal data, such as guest names, addresses, dates of birth, passport copies, credit card information, personal preferences, etc. Technology providers process even more guest information, such as IP addresses and guest profiles.
The most important actions for hotels to take are:
- Processing Agreement with Hoteliers.com: A data processing agreement with all your partners that process personal data is required. We recommend signing this agreement with Hoteliers.com as soon as you receive it from us in the first two weeks of May 2018. We will countersign it and provide you with a fully legal copy. If you have questions about the agreement, please contact Support.
- Other partners: Ask your other suppliers and partners to sign a GDPR Processing Agreement. The best option is to ask your supplier for their own agreement; otherwise you can use the Hoteliers.com agreement as an example. We do, however, recommend consulting your legal advisor or signing the agreement provided by your supplier.
- Data leak procedure and security assessment: Each hotel should have a procedure in place on how to report data leaks. A data leak can be a computer hack, but also someone who physically breaks into your office. An assessment of the security of printed and digital personal data should also be in place (e.g. where do we keep guest data, do we need to print guest information, when do we delete guest data). Improving password security is also one of the most important measures.
Read more about:
- Tips: Protect personal data
- Reasons why secure passwords are important
- Reporting a data leak
- Securing personal details of guests
- FAQ: Data Processing Agreement (DPA) for GDPR
We recommend checking the website of the European Union or of your local government to get a full list of actions.
Note: This article is an indication of the actions taken by Hoteliers.com to comply with GDPR. You should contact your own legal advisor to ensure GDPR compliance.
What is Hoteliers.com doing?
We have a GDPR project team that is committed to fully complying with GDPR. All products and processes are assessed, and the changes needed to fit Privacy by Design will continue to be made after May 25th as products are further developed.
A summary of the actions taken by Hoteliers.com is:
| Action | Status |
|---|---|
| Setting up a GDPR project team | COMPLETE |
| Assigning a Data Protection Officer (DPO) | COMPLETE |
| Training all staff on data protection | COMPLETE |
| Implementing a password manager for all staff, improving password security | COMPLETE |
| Destroying or securing printed personal data, such as contracts and CVs | COMPLETE |
| Assessment of all personal data collected through our products | COMPLETE |
| Developing a strategy to adjust our products | COMPLETE |
| - Booking Engine: updating personal data fields for Privacy by Design | IN PROGRESS |
| - Booking Engine: allowing guests to modify or delete personal information | IN PROGRESS |
| - Websites: adjusting the newsletter signup to ask guests for specific consent | IN PROGRESS |
| Signing a Processing Agreement with all technology partners and suppliers | IN PROGRESS |
| Signing a Processing Agreement with all hotel partners | IN PROGRESS |
| Asking users for consent at newsletter signup | IN PROGRESS |
What if I have questions about GDPR?
If you have any questions about GDPR related to Hoteliers.com, please contact Support. We are happy to help. Please note that we will be unable to answer any questions specific to your organization; we recommend consulting a legal advisor for these types of questions.