From 25 May 2018 new EU privacy laws will require global businesses with links to the continent to comply with the General Data Protection Regulation (GDPR). It applies to anyone who sells goods or services to EU citizens, or who stores and uses data of EU citizens – even if the business is not in the EU.
Why does this matter to New Zealand bed and breakfast owners? Because approximately 80% (on average) of our guests are international visitors and the majority of these are from Europe. And the GDPR clearly states that “A New Zealand organisation is subject to the GDPR if it processes personal data of EU Data Subjects because it is offering goods or services to those EU Data Subjects, or because it is monitoring the behaviour of those EU Data Subjects.”
It aims to protect the privacy rights of European citizens in several ways including giving European citizens the ‘right to be forgotten’, also known as Data Erasure. They also have the right to ask what data a company holds on them, make changes, or transfer it to another company (referred to as ‘portability’). Any data that is collected in the first place will need to be deemed necessary and proportional to legitimate interests related to the services or products provided.
There are also strengthened regulations around consent on the use of the data. Under the GDPR “consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes which by a statement or by a clear affirmative action, signifies agreement to processing”. In other words, data subjects must “opt in” rather than “opt out”.
There are six general principles of data privacy under the GDPR:
When one of the following conditions applies:
All data used for marketing will need consent from the customer. This includes the information collected in your reservation system and any information you gather through your check-in process (e.g. Guest Registration Form) if you wish to use it for marketing purposes.
Customers have to “opt in” to a mailing list. Many marketers already have that box pre-selected so that the customer has to un-tick it. This has to change under the new law, i.e. no opt-in box may be pre-ticked. You will also need to know when the consent was given and understand that this consent will not last forever. It needs to be refreshed regularly, which can be done by sending an email asking whether they still want to be part of the mailing list.
Customers are able to use the ‘right to be forgotten’ rule. This allows customers to demand that their data be erased. That means the data held by your company, and by any third parties you have passed it on to, must be removed for that contact.
You will need to keep a record of your updated customer list, how each customer opted in and on what date they did so, because at any given time you may be requested to show this information.
As mentioned above, because approximately 80% (on average) of our guests are international visitors and the majority of these are from Europe, New Zealand bed and breakfast properties are covered by the GDPR. However, the main impact will fall on those B&Bs who actively market to and email their guests.
Your reservation system should securely store your guest data, and your reservation system provider should have already updated their systems to comply with the new GDPR rules. You are allowed to collect data to fulfil legal contracts, i.e. bookings. However, under the GDPR, your guests must explicitly opt in to having their details stored, and must understand what those details are being used for, if you wish to use them for marketing purposes.
If you do not use a reservation system you need to ensure you store your guest information in a safe and secure manner (where PCI DSS covers the technology provider’s obligations for data security, the GDPR covers the people and process side of managing data securely).
As your guests have entered into a legal contract to stay with you, you are able to contact them before their stay with information relevant to their stay, such as check-in times, directions, etc.
The main impact is on those B&Bs who regularly communicate with past guests or who collect email addresses for marketing campaigns. These people must consent willingly to being communicated with. Consent to be emailed must be given explicitly, i.e. you can’t have a tick box that already contains a tick. These B&Bs will have to regain consent from anyone they’re currently communicating with in order to continue doing so, and it will need to be clearly explained what content recipients will receive and how their data will be used.
To do this, B&Bs should run a campaign seeking permission to email guests – both existing and prospective – and ask them to opt-in to communications. Here’s what you should include in the initial email of these permission pass campaigns:
All businesses with customers in the European Union, or businesses that merely monitor the behaviour of individuals who live in the EU, must abide by the new EU data protection standards. These businesses must ensure that they comply with the GDPR irrespective of their physical location, i.e. the critical factor is the location of the individual (guest), not the location of the business (B&B) or data processor.
This includes New Zealand based reservation systems that capture and store data of European visitors.
It is not yet clear how these privacy standards will be enforced in practice against an entity outside of the EU; however, there is potential for civil liability which would be enforceable in New Zealand.
European data protection authorities will have the power to impose fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher) for any breach of the GDPR.
Personal data is broadly defined in the GDPR as any information relating to a person who can be identified either directly or indirectly. Personal data includes:
A person may be indirectly identifiable if identification is made possible through combining different pieces of information that by themselves alone would not reveal the identity of the person.
The GDPR does not apply to personal data that has been anonymised so that an individual can no longer be identified from the information itself.
Data may be collected from many sources including via tick boxes on documentation (including paper and electronic documentation), search engines, web analytics and sensors.
The GDPR approaches consent more restrictively. Consent must be “freely given, specific, informed and unambiguous”. In other words, people must “opt in” for their information to be collected, rather than “opt out”.
Silence, pre-ticked boxes or inactivity are not valid forms of consent. Consent must be specific to distinct purposes for handling personal data, and should cover all intended processing activities.
The GDPR prohibits the processing of personal data unless there are legal grounds to do so. In other words, just because a business can process personal data does not mean it is also legally entitled to do so.
Legal grounds for processing of personal data include:
Personal data must be handled for specified and explicit purposes. During the life cycle of data, the personal data cannot be further processed in ways that are incompatible with the initial purposes for which the data was collected. For instance, personal data that has been collected to perform a sale of goods contract cannot later be used for marketing, unless the person has specifically agreed to receiving promotional offers.
The best thing to do is take practical steps to improve your privacy processes. A good place to start is an audit of what data you collect and what you do with it. You can then use that information to improve your data security and lead generation practices, and begin considering how to build privacy into the development of new products and into key decisions about the disclosure or use of personal information.
The GDPR has introduced extended liability and increased penalties. With this in mind, companies should be particularly careful when handling personal data of Europeans. Businesses need to review their internal data policies and procedures that address privacy and data protection, including their IT policy, HR policy, outsourcing procedures, and any policy affecting data subjects in the European Union. GDPR compliance is not a one-off task. It is an ongoing process. Relevant policies should therefore continuously be monitored, reviewed, and most importantly communicated to staff.
For further information, see the Office of the Privacy Commissioner, Lane Neave (lawyers) and NZ Trade & Enterprise.