Online Help


General Data Protection Regulation (GDPR)


The GDPR is a new set of privacy rules from the European Union designed to give European citizens more control over how their personal details are used by businesses. The regulations came into force on 25-May-2018 and there are big penalties if you breach the new rules. Businesses outside of Europe are still affected if they hold personal data about EU citizens.

We recommend reading at least the Key Changes section below and, if you are keen to learn what GDPR is all about, the More Information section further down.

Key Changes

Customers must Opt-In for Email Marketing

Customers must now opt-in for email marketing.
You can send customers emails related to their bookings; however, you must get their permission if you wish to send them ongoing marketing emails. Note this only applies to consumers. You can continue to send marketing emails to businesses.
Our booking sequence has been updated so that customers can specifically opt in to email marketing. Note that you cannot send marketing emails to customers that have booked via websites such as Booking.com, as they have not specifically opted in to your email marketing.
We have also added new sections to OnlinePMS so that you can view/set a customer's communication preferences. On the Quick Room Booking page you can now select whether the customer has opted in to email marketing, and also how they opted in. If you asked the customer face to face, select the 'In Person' option. If they agreed in an email to you, select the 'Personal Email' option; if it is the result of a marketing email that you sent, select the 'Marketing Email' option. On the Reservation page you can again view/set the customer's communication preferences. This is also enabled when editing a customer.
Customers that have opted in to email marketing may opt out by simply clicking the Unsubscribe link that is automatically added to all marketing emails that you send.

Your existing customer database cannot be used for Email Marketing

As part of the GDPR regulations, you are required to keep a record of when and how a consumer opted in to email marketing. Therefore your existing customer database cannot be used for email marketing, as you don't have this essential information. We have added a new option to the Email Marketing section to help you get the correct permission from your customers. Just click on the new 'Invite All Customers To Opt-In' button. This will set up a new email marketing campaign that you can send out, inviting customers to opt in simply by clicking on the link. Note that for obvious reasons this option will only be available until 25-May-2018. If you use email marketing then we recommend that you do this. Please only send invitations ONCE, otherwise customers may think it is spam. Expect a very low number of customers to opt in to email marketing.

Customers can ask for you to delete their personal information

Customers have the right to have all of their personal information deleted. We have added a new 'Delete PII' button to the Customers section when viewing a reservation in Online PMS. We have also added a new 'Delete PII' option when viewing a reservation in the online booking website. When deleting a customer's personal information, any bookings will remain in the system, so it will not affect your financial records. To avoid the possibility of fraud we suggest that you only allow customers to delete their personal information 12 months after they have checked out and their account has been settled in full.

UK law requires you to hold guest details for a minimum of 12 months (Immigration (Hotel Records) Order 1972). You must keep a record of the guest's full name and nationality and, if they are not British, Irish or from a Commonwealth country, their passport number, its place of issue and details of their next destination (including the address, if known), recorded on or before departure. Note that diplomats, their family and staff do not have to register.
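The two rules above (consent must carry a record of when and how it was given, and PII deletion must preserve the booking's financial record while respecting the 12-month retention window) can be modelled as shown below. This is an added illustration, not OnlinePMS code; the data model, the `OPT_IN_SOURCES` set and the function names are assumptions, and a legacy record with the marketing flag set but no source/date is deliberately treated as unusable, matching the page's advice about existing databases.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Opt-in sources named on the page; "Opt-In Link" stands for the invitation campaign (assumed name).
OPT_IN_SOURCES = {"In Person", "Personal Email", "Marketing Email", "Opt-In Link"}
RETENTION_DAYS = 365  # hold guest details at least 12 months after check-out


@dataclass
class Customer:  # hypothetical data model for illustration
    name: str
    email: str
    marketing_opt_in: bool = False
    opt_in_source: Optional[str] = None
    opt_in_date: Optional[date] = None


@dataclass
class Booking:  # hypothetical data model for illustration
    customer: Customer
    check_out: date
    total: float
    paid: float


def record_opt_in(c: Customer, source: str, when: date) -> None:
    """Record consent together with the when/how evidence GDPR requires."""
    if source not in OPT_IN_SOURCES:
        raise ValueError(f"unknown opt-in source: {source}")
    c.marketing_opt_in, c.opt_in_source, c.opt_in_date = True, source, when


def may_send_marketing(c: Customer) -> bool:
    """Only a consent with a recorded source and date counts; a bare flag does not."""
    return c.marketing_opt_in and c.opt_in_source is not None and c.opt_in_date is not None


def delete_pii(booking: Booking, today: date) -> Booking:
    """Erase identifying fields but keep the booking and its financial figures."""
    if booking.paid < booking.total:
        raise PermissionError("account not settled in full")
    if today < booking.check_out + timedelta(days=RETENTION_DAYS):
        raise PermissionError("still inside the 12-month retention window")
    c = booking.customer
    c.name, c.email = "[deleted]", ""
    c.marketing_opt_in, c.opt_in_source, c.opt_in_date = False, None, None
    return booking
```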

More Information About GDPR

Overview

Came into force on 25th May 2018.
Protects PII (personally identifiable information).
Scope: covers all EU companies and all companies that deal with EU citizens. It will still affect all UK companies regardless of Brexit.

Every company must have designated:

  • Data controller - defines how personal data is processed and the purposes for which it is processed.
  • Data processor - the internal groups that maintain and process personal data records or any outsourcing firm that performs all or part of those activities. Liable for any breaches.
  • Data protection officer (DPO) - oversees data security strategy and GDPR compliance.

Companies must report data breaches to supervisory authorities and to the individuals affected by a breach within 72 hours of the breach being detected. Penalties for non-compliance: up to €20 million or 4 percent of global annual turnover, whichever is higher. Half of US companies were not expected to be compliant by the deadline.

GDPR Requirements

  • Store and process personal data only when the individual consents and for “no longer than is necessary for the purposes for which the personal data are processed.”
  • Personal data must also be portable from one company to another.
  • Companies must erase personal data upon request.
  • Right to be forgotten.

Companies must perform impact assessments, intended to help mitigate the risk of breaches by identifying vulnerabilities and how to address them. Companies must also complete the Record of Processing Activities (RoPA) required by Article 30 of the GDPR, which is centred on taking an inventory of risky applications.

Personal data: name, address, email, IP address, location, online behaviour (cookies), analytical data/profiling. Special category data: race, religion, political opinions, trade union membership, sexual orientation, health information, biometric and genetic data.

Data Protection Principles

  • Processed lawfully, fairly and transparently.
  • Collected only for specific legitimate purposes.
  • Adequate, relevant and limited to what is necessary.
  • Must be accurate and kept up to date.
  • Stored only as long as is necessary.
  • Ensure appropriate security, integrity and confidentiality.

Accountability & Governance

You must be able to demonstrate compliance with the GDPR:

  • The establishment of a governance structure with roles and responsibilities.
  • Keeping a detailed record of all data processing operations.
  • The documentation of data protection policies and procedures.
  • Data protection impact assessments (DPIAs) for high-risk processing operations.
  • Implementing appropriate measures to secure personal data.
  • Staff training and awareness.
  • Where necessary, appoint a data protection officer.

Data protection by design and by default

There is a requirement to build effective data protection practices and safeguards from the very beginning of all processing:

  • Data protection must be considered at the design stage of any new process, system or technology.
  • A DPIA is an integral part of privacy by design.
  • The default collection mode must be to gather only the personal data that is necessary for a specific purpose.

Lawful processing

You must identify and document the lawful basis for any processing of personal data. The lawful bases are:

  • Direct consent from the individual;
  • The necessity to perform a contract;
  • Protecting the vital interests of the individual;
  • The legal obligations of the organisation;
  • Necessity for the public interest; and
  • The legitimate interests of the organisation.

Valid consent

There are stricter rules for obtaining consent:

  • Consent must be freely given, specific, informed and unambiguous.
  • A request for consent must be intelligible and in clear, plain language.
  • Silence, pre-ticked boxes and inactivity will no longer suffice as consent.
  • Consent can be withdrawn at any time.
  • Consent for online services from a child under 13 is only valid with parental authorisation.
  • Organisations must be able to evidence consent.