General Data Protection Regulation (GDPR)
What is GDPR?
From 25 May 2018 the EU’s new privacy law, the General Data Protection Regulation (GDPR), requires businesses around the world with links to Europe to comply. It applies to anyone who offers goods or services to individuals in the EU, or who stores and uses the personal data of individuals in the EU – even if the business itself is not in the EU.
Why does this matter to New Zealand bed and breakfast owners? Because approximately 80% (on average) of our guests are international visitors and the majority of these are from Europe. Guidance on the GDPR for New Zealand organisations puts it plainly: “A New Zealand organisation is subject to the GDPR if it processes personal data of EU Data Subjects because it is offering goods or services to those EU Data Subjects, or because it is monitoring the behaviour of those EU Data Subjects.”
What does GDPR do?
It aims to protect the privacy rights of people in Europe in several ways, including giving them the ‘right to be forgotten’, also known as the right to erasure. They also have the right to ask what data a company holds on them, to have it corrected, and to have it transferred to another company (referred to as ‘portability’). Any data collected in the first place must be necessary for, and proportionate to, a legitimate purpose related to the services or products provided.
There are also strengthened regulations around consent on the use of the data. Under the GDPR “consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes which by a statement or by a clear affirmative action, signifies agreement to processing”. In other words data subjects must “opt in” rather than “opt out”.
Principles of GDPR
There are six general principles of data privacy under the GDPR (backed by an overarching accountability requirement: the business must be able to demonstrate that it complies with them):
- Lawfulness, fairness, and transparency of data processing
- Purpose limitation: personal data should be collected for specific, explicit and legitimate purposes
- Data minimisation: only personal data relevant to the specific purpose should be saved and processed
- Accuracy of data: any inaccurate personal data should be corrected or deleted. Where necessary, data must be kept up to date.
- Retention of data (storage limitation): data must be kept in a form that identifies the person for no longer than is necessary for the purpose it was collected for
- Integrity and confidentiality: data must be kept secure
When are you allowed to process personal data?
When one of the following conditions applies:
- Consent is given by the individual – note that the request for consent must be in an accessible form, in clear and plain language. Important: a business does not necessarily need the consent of the individual if one of the other processing conditions applies. Where another condition applies, relying on consent is often not advisable, because consent can be withdrawn at any time and the processing must then stop.
- Data processing is necessary for the performance of a contract (ie. to make a booking at a property).
- Legal obligations
- Vital interests, for instance processing needed for medical emergencies
- Public function or interest
- Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party
Five key points of GDPR:
- Customers have the right to be informed: they must be told what personal data you hold, how it is used and why, and they can ask you about this at any time.
- Customers have the right of access: customers can request a copy of personal information at any time.
- Right of rectification: people can update (or request updates to) personal information at any time.
- Right of erasure: people may request that you erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Right to object: people can unsubscribe at any time from emails or communications.
All data used for marketing will need consent from the customer. This includes the information collected in your reservation system and any information you gather through your check-in process (eg. Guest Registration Form) if you wish to use it for marketing purposes.
Customers have to “opt in” to a mailing list. Many marketers already have the opt-in box pre-ticked so that the customer has to un-tick it. This has to change under the new law: no opt-in box may be ticked by default. You will also need to record when consent was given, and understand that consent will not last forever. It should be refreshed periodically, which can be done by sending an email asking whether the person still wants to be on the mailing list.
Customers are able to use the ‘right to be forgotten’ rule. This allows the customers to demand that their data must be erased. This then means that the data held by your company and any third parties who you have passed it onto must have that contact’s data removed.
You will need to keep a record of your updated customers list, how they opted in and what date they did this. As at any given time you may be requested to show this information.
The Impact on Bed & Breakfasts in New Zealand
As mentioned above, as approximately 80% (on average) of our guests are international visitors and the majority of these are from Europe, New Zealand bed and breakfast properties are covered by GDPR. However, the main impact will only be to those B&Bs who actively market and email their guests.
Your reservation system should securely store your guest data and your reservation system providers should have already updated their systems to comply with the new GDPR rules. You are allowed to collect data to fulfill legal contracts, ie. bookings. However, under the GDPR, your guests must explicitly opt-in to having their details stored and understand what they are being used for if you wish to use them for marketing purposes.
If you do not use a reservation system you need to ensure you store your guest information in a safe and secure manner. (PCI DSS covers the protection of payment card data specifically; the GDPR covers all personal data and the way the people handling it manage it.)
As your guests have entered into a legal contract to stay with you, you are able to contact them before their stay with information relevant to their stay, such as check in times, directions, etc.
The main impact is to those B&Bs who regularly communicate with past guests or those who collect email addresses for marketing campaigns. These people must consent willingly to being communicated with. Consent to be emailed must be given explicitly ie. you can’t have a tick box that already contains a tick. These B&Bs will have to regain consent from anyone they’re currently communicating with to continue doing so, and it will need to be clearly explained what content they will receive and how their data will be used.
To do this, B&Bs should run a campaign seeking permission to email guests – both existing and prospective – and ask them to opt-in to communications. Here’s what you should include in the initial email of these permission pass campaigns:
- Why you are emailing the contact
- A valuable reason for them to opt-in
- What they will continue to receive if they do opt-in
- A link to opt in (re-subscribe)
- An option to unsubscribe and have their data removed
- A sign-off from a real person such as your general manager
Who needs to comply?
All businesses with customers in the European Union or businesses that merely monitor the behaviours of individuals who live in the EU must abide by the new EU data protection standards. These businesses must ensure that they comply with the GDPR; irrespective of their physical location, ie. the critical factor is the location of the individual (guest) not the location of the business (B&B) or data processor.
This includes New Zealand based reservation systems that capture and store data of European visitors.
It is not yet clear how these privacy standards will be enforced in practice against an entity outside of the EU, however there is potential for civil liability which would be enforceable in New Zealand.
European data protection authorities have the power to impose fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher) for the most serious breaches of the GDPR, with a lower tier of up to €10 million or 2% for others.
What is “personal data”?
Personal data is broadly defined in the GDPR as any information relating to a person who can be identified either directly or indirectly. Personal data includes:
- Personal details such as the person’s name, address, email;
- Financial details such as how much the person earns, credit ratings;
- Medical details about a person’s mental or physical health;
- Details about a person’s ethnicity, political opinions, religious beliefs, or sexual life;
- Images or voice recordings of a person;
- Employment details;
- IP address of a person that visits a website;
- Criminal records or alleged offence;
- Biometric data; or
- Location data.
A person may be indirectly identifiable if identification is made possible through combining different pieces of information that by themselves alone would not reveal the identity of the person.
The GDPR does not apply to personal data that has been anonymised so that an individual can no longer be identified from the information itself. Note that pseudonymised data (eg. guest records keyed by a booking number, where you still hold the lookup) is still personal data and remains covered.
How is personal data collected?
Data may be collected from many sources including via tick boxes on documentation (including paper and electronic documentation), search engines, web analytics and sensors.
The GDPR approaches consent more restrictively. Consent must be “freely given, specific, informed and unambiguous”. In other words, people must “opt in” for their information to be collected, rather than “opt out”.
Silence, pre-ticked boxes or inactivity is not a form of valid consent. Consent must be specific to distinct purposes for handling personal data. Consent should cover all intended processing activities.
Why is personal data processed?
The GDPR prohibits the processing of personal data unless there are legal grounds to do so. In other words just because a business can process personal data does not mean it is also legally entitled to do so.
Legal grounds for processing of personal data include:
- To perform a contract;
- The individual concerned has given consent;
- The data controller has a legitimate interest;
- Statutory obligation to collect and retain information (eg. employment and tax records);
- To perform the lawful function of a public authority; or
- For the protection of vital interests of that person.
Personal data must be handled for specified and explicit purposes. During the life cycle of data, the personal data cannot be further processed in ways that are incompatible with the initial purposes for which the data was collected. For instance, personal data that has been collected to perform a sale of goods contract cannot later be used for marketing, unless the person has specifically agreed to receiving promotional offers.
What should I do right now?
The best thing to do is take practical steps to improve your privacy processes. A good place to start is an audit of what data you collect and what you do with it. You can then use that information to improve your data security and lead generation practices and begin thinking about how you can incorporate thinking about privacy into the development of new products or key decisions about disclosure or use of personal information.
The GDPR has introduced extended liability and increased penalties. With this in mind, companies should be particularly careful when handling personal data of Europeans. Businesses need to review their internal data policies and procedures that address privacy and data protection, including their IT policy, HR policy, outsourcing procedures, and any policy affecting data subjects in the European Union. GDPR compliance is not a one-off task. It is an ongoing process. Relevant policies should therefore continuously be monitored, reviewed, and most importantly communicated to staff.
Key steps to help NZ marketers comply with GDPR
- You must have a lawful basis to collect personal information. Where you rely on consent, you will need to record how you obtained it
- Individuals have the right to access their data. You should plan how to handle any access requests
- Individuals have the right to have inaccuracies corrected. Already required under NZ legislation
- People can have their details erased. The right to be forgotten.
- Consumers can opt out of Direct Marketing. This is not in NZ law, but is best practice
- People have the right to request data portability. Organisations must be prepared to securely transfer data
- You must have legal basis for processing personal data. Similar to NZ Privacy Principle 1
- It will be mandatory to report a data breach. Under the GDPR a personal data breach that is likely to put individuals at risk must be reported to the supervisory authority within 72 hours of becoming aware of it; the new NZ Privacy bill also requires notifying the Privacy Commissioner of such breaches
- Children’s data. You will require systems in place to verify individuals’ ages and to gather parental or guardian consent where needed
Further information is available from the Office of the Privacy Commissioner, from Lane Neave (lawyers), and from NZ Trade & Enterprise.