Written by: Galina Kulakova
With only one month left until the GDPR – General Data Protection Regulation – comes into force, you should make sure you know what this new legislation is about and how it will affect your business. In this post, we will go through the 7 principles of the GDPR and comment on what they mean for your hotel.
You probably already know why the GDPR is so important for marketers all over the world. It is the biggest change in data protection law since 1995, and it applies to every company that collects, processes or stores any personal data of EU citizens. Earlier we discussed why the GDPR is very challenging for the hotel sector: hoteliers collect and process a large volume of sensitive personal data and credit card information. The use of booking engines and multiple online points of payment makes hotels vulnerable to cyber attacks and data breaches.
As you can see, the new legislation is highly important for the hotel sector and you should know exactly what the GDPR consists of to be able to prepare and comply. Let’s see the 7 principles of the GDPR listed and explained below.
The concept of lawfulness states that all processes you have that in any way relate to personal data of EU citizens must meet the requirements described in the GDPR. That includes data collection, data storage and data processing. The legislation has directions and norms for every step of your data management policy.
Fairness means that your actions – whether you are a data controller or a data processor – must match what was described to the data subject. Simply put, keep the promise you gave your client in the notice before collecting the data. Use personal data only for the purposes and during the time period you indicated.
A clear notice is what the concept of transparency is about. The data subject must stay informed regarding the purposes, the means and the time period of data processing. You should let your clients know exactly what you are going to do with their data and who will have access to it.
As we said above under the concept of fairness, you need to stay true to your promise. In the notice, among other things, you must inform your clients about the purpose of the data collection. As stated in the legislation, this purpose must be “specified, explicit and legitimate”. Data can be collected and used only for those purposes that have been communicated to the data subject and for which consent was received.
The GDPR is designed to bring data collection to the necessary minimum. Personal data to be collected should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Note that under the GDPR you will actually have to justify the amount of data collected, so make sure to design an adequate policy and document it.
Personal data must be “accurate and where necessary kept up to date”. You must make sure that you do not retain old and outdated contacts and ensure the erasure of inaccurate personal data without delay.
This principle relates to data minimisation and states that personal data must be “kept in a form which permits identification of data subjects for no longer than necessary”. You will have to set a retention period for the personal data you collect and justify that this period is necessary for your specific objectives. Do not forget to document it.
The principle of integrity and confidentiality requires you to handle personal data “in a manner [ensuring] appropriate security”, which includes “protection against unlawful processing or accidental loss, destruction or damage”. You must implement effective anonymisation or pseudonymisation systems to protect the identity of your clients. You might also consider working towards an official certification, such as ISO 27001, to demonstrate your commitment to cyber security.
You are responsible for compliance with the principles of the GDPR. The new legislation requires thorough documentation of all policies that govern the collection and processing of data. Every step of your hotel’s data management needs to be carefully formulated and justified in official document form. Under the new law, you must be able to produce the documents that prove your compliance with the GDPR when the authorities request them.
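The two preceding paragraphs name storage limitation and pseudonymisation as concrete controls. As an added illustration (not code from the original post, and not any particular hotel system's implementation), the Python module below shows one common way to do both: a guest's e-mail is replaced in an analytics table by a keyed HMAC pseudonym, so the table alone does not identify anyone while the secret key is held separately, and records past a documented retention period are purged. The sample guest records, the 90-day retention period and the key are constructed for the example; real keys would come from a secrets store.

```python
import hmac
import hashlib
import secrets
from datetime import date, timedelta

# Constructed sample data: fictional guests, not real people.
SAMPLE_GUESTS = [
    {"email": "anna@example.com", "room": "101", "checkout": date(2018, 1, 10)},
    {"email": "bob@example.com", "room": "205", "checkout": date(2018, 4, 20)},
    {"email": "Anna@Example.com", "room": "310", "checkout": date(2018, 4, 25)},
]

# Assumed retention period for the stated purpose (occupancy analytics).
# The period itself is a policy decision that must be documented.
RETENTION = timedelta(days=90)


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that turns identifiers into pseudonyms.

    Under the GDPR the key is the 'additional information' that must be
    kept separately from the pseudonymised data.
    """
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier (e-mail address here).

    Normalising case and whitespace keeps the same guest linkable across
    bookings. An attacker holding only the analytics table cannot reverse
    the pseudonym, nor recompute it from a guessed address, without the key.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def build_analytics_records(guests, key: bytes):
    """Replace the e-mail with a pseudonym and keep only the fields the
    stated purpose needs (data minimisation)."""
    return [
        {
            "guest_id": pseudonymise(g["email"], key),
            "room": g["room"],
            "checkout": g["checkout"],
        }
        for g in guests
    ]


def purge_expired(records, retention: timedelta, today: date):
    """Storage limitation: keep only records still inside the retention
    period, counted from the guest's check-out date."""
    return [r for r in records if r["checkout"] + retention > today]


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    table = build_analytics_records(SAMPLE_GUESTS, key)
    for row in purge_expired(table, RETENTION, date(2018, 5, 1)):
        print(row)
```

Two points worth noting from the design. First, an unkeyed hash such as plain SHA-256 of an e-mail address is not a pseudonym in any meaningful sense: e-mail addresses are easy to enumerate and look up against the hash, so the secret key is what provides the protection. Second, the purge runs against the check-out date rather than the collection date, so the retention clock you document should say which event it starts from.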
These are the 7 principles of the General Data Protection Regulation, and you should now have a good understanding of each of them. However, the GDPR is much more than these principles, so do not stop here and make sure to explore more about the upcoming law. We wish you the best of luck!