GDPR Readiness: A Hotelier's Guide
At Revinate, we are all about making the complicated less complicated. At the moment, one of the most complicated things out there is the European Union’s new privacy law, the General Data Protection Regulation (GDPR). To help you navigate this big change, we are taking the more complex nuances of this new legislation and presenting them in a way that is simple and useful. This Guide will help your hotel and employees better prepare for compliance with the GDPR.
What is Revinate doing about the GDPR?
Thoroughly research the areas of our product and our business impacted by the GDPR
Appoint a responsible person for privacy and data protection
Develop a strategy and requirements for how to address the areas of our product impacted by the GDPR
Rewrite our Data Protection Agreement
Perform the necessary changes/improvements to our product based on the requirements
Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with the GDPR
Thoroughly test all of our changes to verify and validate compliance with the GDPR (being done incrementally as changes are completed)
Finalize and communicate our full compliance (this will be done when all work is completed, which will occur prior to the effective date of the GDPR)
GDPR Customer FAQ
What are the main things I should do to ensure GDPR compliance?
First, be sure your data processing vendors offer easy-to-use, comprehensive solutions designed to help you reach GDPR compliance as it relates to the four main pillars: Proof of Consent, Right to Data Portability, Right to Erasure, and Right to Refuse Profiling.
Second, conduct a Privacy Impact Assessment so you understand the flow of your data, who has access to it, where it is stored, and what it is being used for.
Third, ensure that you have Proof of Consent from every European Union (EU) resident or citizen within your database. This may need to be done retroactively in order to communicate with them after May 25, 2018. You will need to be able to prove that they consented to receiving your email marketing communications.
Revinate offers customers the opportunity to easily send a double opt-in campaign to all known profiles in EU member states and beyond who currently have implicit consent.
We recommend including an opt-in call-to-action in your transactional emails (including confirmations, pre-arrivals and modifications) to encourage sign-ups at every stage of the booking process.
What do I have to do to remove EU contacts with whom I shouldn't communicate?
It’s important to get as much of your database to opt-in to your marketing campaigns as possible. Target known profiles in EU member states with a double opt-in campaign prior to March 25, 2018 to capture their proof of consent.
Once the GDPR comes into effect, Revinate will add a checkbox to help users avoid sending any promotional campaign to those known EU residents/citizens with whom you do not have explicit consent.
Does the GDPR mean I need Double Opt-In?
Double opt-in is not required, but proof of consent is. The best way to establish proof of consent is through double opt-in.
Even without the GDPR, a double opt-in approach is still highly encouraged. It will help you create a healthier list by preventing bad email addresses from being added to your database. In addition, double opt-in is better for your sender reputation and email deliverability.
Can I transfer personal data related to persons from the EU outside of the EU?
Organizations are only allowed to transfer personal data outside of the European Economic Area if they have in place appropriate safeguards to protect the data abroad. Accepted transfer mechanisms include self-certifying to the Privacy Shield Framework (if a US organization), using the European Commission’s Standard Contractual Clauses, transferring the data to a country that the European Commission has recognized as providing an “adequate” level of data protection, obtaining Binding Corporate Rules approval, as well as other less established mechanisms such as certifications and codes of conduct. Revinate is in the process of certification with Privacy Shield.
There are three things that you might need to do depending on your situation and jurisdiction:
Inform your guests about your processing activities
The legal requirement to inform guests of the processing activities is an obligation of the Customer Accommodation Provider as the data controller.
Sign the Data Processing Agreement (DPA)
The data controller is obliged to sign a DPA with all of its processors. We have prepared a DPA together with our legal counsel to be in compliance with the GDPR.
We will send a version of our DPA to all Customer Accommodation Providers for you to review and digitally sign a copy of it. If you have any questions about its contents, please email firstname.lastname@example.org.
Ensure you have proof of consent for all European Union residents or citizens
We recommend that you obtain explicit consent with a double opt-in approach. With double opt-in, upon signing up for email promotions, an individual receives an email with a verification link. When they click this link, it confirms both their consent and the accuracy of their email address. It also creates a record of that consent (who consented, to what, when, and how), which you need because the GDPR requires the data controller to be able to demonstrate that consent was given.
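The double opt-in flow described above (and in the "Does the GDPR mean I need Double Opt-In?" answer) hinges on two security properties that are easy to get wrong: the verification link must not be forgeable or reusable, and the consent record must capture enough evidence to demonstrate consent later. The following is an added example, not Revinate's code or part of the original guide, showing one way to implement it in Python: the confirmation token is an HMAC-signed, expiring, single-use value bound to the normalized email address and the consent purpose, and every confirmed click appends an entry to an append-only consent log. The 48-hour token lifetime, the in-memory dictionaries standing in for a database, the `example.com` link host and the sample addresses are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DoubleOptIn:
    """Issues signed, expiring, single-use confirmation tokens and keeps a consent log.

    In-memory dicts/lists stand in for a database (assumption for the example)."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret   # HMAC key; in production load it from a secrets manager
        self._now = now         # injectable clock so expiry can be exercised offline
        self._pending = {}      # token_id -> issuance details; removed on first successful use
        self.records = []       # proof-of-consent records; append-only, never edited

    def request(self, email: str, purpose: str, consent_text_version: str) -> str:
        """Step 1: guest submits the form. Returns the token to embed in the verification link."""
        email = email.strip().lower()
        token_id = secrets.token_urlsafe(16)
        issued = int(self._now())
        payload = {"id": token_id, "email": email, "purpose": purpose,
                   "ver": consent_text_version, "exp": issued + TOKEN_TTL_SECONDS}
        body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        mac = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
        self._pending[token_id] = {"requested_at": issued, "email": email, "purpose": purpose}
        return f"{body}.{_b64(mac)}"

    def confirm(self, token: str, client_ip: str) -> Optional[dict]:
        """Step 2: guest clicks the link. Returns the consent record, or None if rejected."""
        try:
            body, mac_text = token.rsplit(".", 1)
            expected = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(mac_text)):
                return None                      # forged or corrupted token
            payload = json.loads(_unb64(body))
            if payload["exp"] < self._now():
                return None                      # link too old; guest must request again
            pending = self._pending.pop(payload["id"], None)   # single use
        except (ValueError, KeyError, TypeError):
            return None
        if pending is None:
            return None                          # already used, or never issued
        record = {
            "email": payload["email"],
            "purpose": payload["purpose"],
            "consent_text_version": payload["ver"],   # which privacy notice they saw
            "method": "double-opt-in",
            "requested_at": pending["requested_at"],
            "confirmed_at": int(self._now()),
            "confirm_ip": client_ip,
            "token_id": payload["id"],
        }
        self.records.append(record)
        return record

    def has_consent(self, email: str, purpose: str) -> bool:
        """The check a campaign sender runs before mailing an EU contact."""
        email = email.strip().lower()
        return any(r["email"] == email and r["purpose"] == purpose for r in self.records)


def demo() -> dict:
    """Walks the flow with a constructed guest and a fake clock; returns the outcomes."""
    clock = [1_700_000_000]
    doi = DoubleOptIn(secrets.token_bytes(32), now=lambda: clock[0])
    ip = "203.0.113.5"  # constructed client address
    token = doi.request("Guest@Example.com", "email-marketing", "privacy-notice-v3")
    link = f"https://example.com/confirm?token={token}"  # hostname is an assumption
    out = {"before": doi.has_consent("guest@example.com", "email-marketing")}
    # Attacker keeps our MAC but swaps in another address: signature check must fail.
    body, mac = token.rsplit(".", 1)
    forged_payload = json.loads(_unb64(body))
    forged_payload["email"] = "victim@example.com"
    forged = _b64(json.dumps(forged_payload, separators=(",", ":"), sort_keys=True).encode()) + "." + mac
    out["forged"] = doi.confirm(forged, ip) is not None
    out["confirmed"] = doi.confirm(link.split("token=", 1)[1], ip) is not None
    out["reused"] = doi.confirm(token, ip) is not None
    out["after"] = doi.has_consent("Guest@Example.com", "email-marketing")
    # A second guest who waits past the TTL gets rejected and must re-request.
    late = doi.request("other@example.com", "email-marketing", "privacy-notice-v3")
    clock[0] += TOKEN_TTL_SECONDS + 1
    out["expired"] = doi.confirm(late, ip) is not None
    return out
```

The consent record deliberately stores the version of the consent text, the request and confirmation timestamps, and the confirming client's address, since "we have a flag in the CRM" is not proof; a record that shows what was presented, when it was accepted and how is what you will be asked for. The forged-token case in `demo()` is why the email address is inside the signed payload rather than taken from the confirmation request: otherwise anyone with a valid link could record consent for an address they do not control.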