The GDPR (General Data Protection Regulation) has direct implications for the management and use of the personal data of people in the European Union. Logically, almost every hotel brand will be affected, if not every one of them.
In our previous post, we already addressed what this new EU regulation consists of, what its objective is and how it affects the hotel sector, one of the most exposed to this change because of the considerable amount of personal data it handles. On this occasion we want to look more specifically at its principles and obligations.
So, what are the principles of the GDPR?
In accordance with Article 5 of the GDPR, which summarizes the most important principles of this regulation, personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collected for a limited purpose; that is, the data must be collected for specified, explicit and legitimate purposes, and must not be processed in a manner incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected. This is data minimization: organizations keep only the data that is essential for that purpose.
- Accurate and, where necessary, kept up to date; reasonable measures must be taken to correct or delete inaccurate data.
- Stored for a limited time. That is, personal data will be kept no longer than is necessary for the purposes for which they were originally processed.
- Processed with confidentiality and integrity. Personal data must be processed in a manner that adequately guarantees its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Based on these principles, hotel companies should take a series of actions regarding processing. Although these are practices that were already being carried out under the DPD (the previous Data Protection Directive), they are now more necessary than ever:
- Document and identify the legal basis for processing these data, in order to demonstrate compliance with the GDPR.
- Provide complete information on the legal basis for the data processing your hotel will carry out, from the moment of collection. This information should be easily accessible, concise and transparent, written in clear and simple language so that it is fully understood.
- Specify and document what the legitimate collection of these data is based on.
- Stop obtaining consent by omission, since the person's consent must be explicit, unambiguous and freely given.

And what are the main obligations?
The GDPR recognizes a series of rights for people in the EU (also known as "data subjects") that go beyond the traditional ARCO rights (access, rectification, cancellation and opposition), which were intended to guarantee people control over their personal data. This change means that companies take on a series of obligations regarding how they manage the personal information of their contacts, the data subjects.
- People in the EU will have the right of access to their personal information. Among other things, this means they will have the right to obtain a copy of the personal data the hotel has collected about them. This right can also be satisfied by providing remote and secure access to a system holding the personal data. According to the GDPR, in most cases it won't be possible to charge for processing an access request, unless it can be shown that the cost would be excessive.
- The right to restrict the use of their personal information: at the data subject's request, their personal data will not be used for the processing operations that would otherwise apply.
- In addition, data subjects may exercise their right to have their data deleted (the right to be forgotten), which companies must respect; if any of these personal data have been made public, the company must also take appropriate measures to have them deleted.
- The GDPR details organizational measures that must be met, such as the appointment of a Data Protection Officer, who must take measures such as designating those responsible for demonstrating compliance with the GDPR, carrying out a risk analysis of the data processing and establishing data protection policies, among others.
- It will also be necessary to take technical security measures to protect personal data. In the case of hotels, hardware, software applications and printed files should all be reviewed. If it hasn't already been done, encryption, passwords or access restrictions will need to be put in place to protect access to the data and their integrity.
- This new regulation also describes how companies must act in the event of data exposure or a data breach, and allows data protection authorities to impose severe penalties in such cases.
As you can see, there is a whole series of tasks to take into account in this new landscape, both at a legal level and at a strategic level for hotel commercialization. Our recommendation is to go step by step, and to that end we advise you to complete these questions. And, logically, don't forget the consequences that the GDPR will have for the marketing of your hotel brand.