Your Roadmap for GDPR Compliance

There is a guiding principle that it helps to keep in mind whenever you consider the GDPR; it’s fairly simple. We call it ‘Know What You Have & Why You Have It’. The first step for any owner or manager to take towards compliance of the EU GDPR is to be mindful about the data you collect, the reasons why you collect it, how long is reasonable to keep it, how it is used, who is responsible, where and how it is stored.

Steve Ford, Director of Marketing & Experience for Online at ITV expresses this principle perfectly: "If we can’t easily explain to viewers what we’re doing with their data then we shouldn’t be doing it". We couldn’t agree more.

Is it really necessary that we retain information about a couple that visited seven years ago for their anniversary, from whom we have heard nothing since? The room they stayed in (noted on our records as their ‘favourite’) has been decorated twice since they stayed, and who knows what’s changed in their personal circumstances? They may not even still be married! As we prepare for the GDPR, we need to ask ourselves questions about necessity, to keep in mind our guests’ best interests, and ask ourselves ‘what do our guests expect?’. We need to be able to demonstrate our thinking process, to be able to justify our approach, and to be consistent. This guide leads you through ten steps to GDPR compliance:

  • 1 Appoint a Data Protection Officer
  • 2 Make your team aware of GDPR
  • 3 Document what personal data you hold
  • 4 Cleanse your current data
  • 5 Clearly communicate your approach to privacy
  • 6 Acknowledge your Guests’ Rights and be prepared to respond to them
  • 7 Consider and document the lawful basis you have for processing personal data
  • 8 Consent – review how you seek, record and manage consent
  • 9 Data Breaches – procedures to detect, report and investigate a data breach
  • 10 Assistance - How we can help Get Expert Assistance Now

Appoint a Data Protection Officer

A Data Protection Officer (DPO) is an individual who will take responsibility for your property’s data protection compliance. Guidance from the Information Commission Office (ICO) states that, technically, you are only required to formally designate a Data Protection Officer (DPO) if you are:

  • A public authority (except for courts acting in their judicial capacity);
  • An organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
  • An organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.

Your property is unlikely to fall into a category that legally requires a DPO. However, appointing a senior individual to ensure that the GDPR is followed appropriately will help you to promote the proper processing of personal data. This might be someone in your property, or an external data protection advisor, who takes proper responsibility for your data protection compliance. Either way, this individual, or working group, must have the knowledge, support and authority to carry out their role effectively.

Make your team aware of the GDPR

It goes without saying that the first step in preparing your team for this transition is to ensure that all team members are aware of what is coming in May 2018. There may already be excellent guidelines and procedures in place, for example your credit card information handling should already be PCI compliant, but now the scope will be larger. An awareness session for the entire staff is a good starting point, and you must ensure staff are adequately trained.

It is crucial for your DPO, decision makers and key departments such as Reservations, Front of House, Marketing and HR to work together to consider:

  • Areas that could cause compliance problems under the GDPR
  • The changes which may need to take place
  • How the changes will impact their team and their responsibilities

The larger your hospitality business, the more implications there may be when it comes down to ensuring a smooth transition. The insight generated from these initial awareness discussions will help pave the way for Step 3: Document the personal data you hold.

Document the personal data you hold

Now that you have appointed a DPO or a working group.....

Want to know more?

Purchase our guide today for more comprehensive advice on GDPR.

Purchase our Guide