18th May 2018
Categories: Member News
You're probably bored of hearing about GDPR, but all businesses need to be aware of the changes. Kurt Janson, Director of the Tourism Alliance, has given us the lowdown on regulatory changes affecting the hospitality industry, with this from Visit Britain.
The new General Data Protection Regulation (GDPR) comes into force on 25th May 2018 as part of new legislation designed to update and expand the Data Protection Act 1998. Compliance with the GDPR is relatively straightforward if you are already complying with the existing data protection regulations, which you are probably all aware of. You need to remember three main things when looking at what changes you need to make to the way you handle and use the personal details of customers once the new regulations come into effect:
Keeping these points in mind, here’s what you need to look at to make sure that you comply with the GDPR.
1. The information you take from people, and the length of time you keep it, should be determined by the purpose for which it is required
This is a pre-existing requirement of the Data Protection Act, but it is a good starting point for discussing the additional requirements of the GDPR. The level of information you hold on someone and the length of time that you keep it must be proportionate to the legitimate purpose for which it is kept. This means that there is no blanket right for you to keep a customer’s personal information indefinitely, and that you should always be reassessing what information you are keeping. This should include the regular removal of personal information where there is no justifiable reason for keeping it.
For example, CCTV footage of the car park used to help protect customers’ cars should be regularly wiped when it is no longer needed.
2. Personal data can only be used for the purpose that was agreed when the customer gave it to you.
For example, if the customer gives you their email address so that you can email them confirmation of their booking, this does not allow you to send them marketing emails or pass their details to a third party to send them offers. Customers have to actively give you express consent as to how you can use their information. This means that customers have to “opt in” rather than “opt out”, so you can’t have a pre-ticked consent box on your website which says, “tick here if you don’t want to receive emails with offers”.
3. The customer has the right to withdraw consent on how their information is used at any time and the process for doing this must be simple
This means that if the customer has agreed to allow you to use their information for a particular purpose, they still have the right to demand that you stop using it for that purpose at any time.
For example, if a customer has agreed to receive marketing emails, they can, at any time, inform you that they no longer wish to receive these emails, and you must stop sending them. As a rule of thumb, the process for withdrawing consent should be as simple as the process by which consent was given. So, if you had an opt-in button that gave consent for marketing emails, you should have an “unsubscribe” button that allows consent to be withdrawn.
4. The customer has the right to know what information you keep on them and why you are keeping it
There are two parts to this. First, the customer has the right to ask you what personal information you are keeping on them and why you are keeping it. You are required to explain what information you hold and to justify why you are holding it. Bear in mind Point 1 above – you must explain why the level of information you hold, and the time for which you have held it, is proportionate to the purpose for which it was taken.
The second part is that the customer has the right to ask you to show them all the personal information that you hold on them. As mentioned above, this would include any CCTV recordings on which they appear and any notes you have attached to their booking.
5. The customer has the right to be forgotten.
The principle here is that the customer retains “ownership” of their data. This means that not only can the customer demand that you stop using the data they provided, they can demand that you remove all their personal data from your records. For example, rather than just asking you not to send emails, the customer can ask you to remove their email address from your database.
6. The customer’s rights under the GDPR do not override the requirements of other legislation
It is important to note that the customer’s rights under the GDPR don’t override the record-keeping requirements of other legislation. For example, the Immigration (Hotel Records) Order 1972 requires you to record the full name and nationality of all guests and to keep this information for 12 months. As such, a guest cannot ask you to delete this information from your records until 12 months have elapsed. Similarly, a customer cannot ask you to delete any financial information you are required to keep for tax purposes.
For more information and help guides, go to the Information Commissioner's Office website or call their dedicated small business helpline on 0303 123 1113.
© Visit Devon Community Interest Company