OBTAINING CONSENT IN PREPARATION FOR GDPR

Transcription

1 A HOTELIER S GUIDE TO OBTAINING CONSENT IN PREPARATION FOR GDPR... WHAT IS GDPR? The General Data Protection Regulation (GDPR) is comprehensive legislation designed to harmonize data protection law across the European Union. It imposes new regulations for organizations who engage with individuals in the EU, expands individuals rights with respect to the processing of their personal data and mandates data security measures appropriate to the risk of processing personal data. It also includes tougher enforcement for violations of the rules. GDPR comes into effect on May, 018. GREATER ACCOUNTABILITY AND NEED FOR TRANSPARENCY ACROSS ALL ORGANIZATIONS GREATER RIGHTS AND CONTROLS FOR INDIVIDUALS IN THE EU ON HOW THEIR DATA IS USED

2 WHAT IS PERSONAL DATA?... Personal data is critical for all marketing purposes. Personal data means any information relating to an identified or identifiable natural person ( data subject ); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 90 % of the data that exists in the world today has been created in the last years 1.7 zettabytes of data exist in the digital universe today one zettabyte is 931,3,7,61.8 GB x Data production will be x greater in 00 than it was in zettabytes of data will exist in the world by 0

3 GDPR WHAT YOU NEED TO KNOW... 6 KEY PRINCIPLES OF GDPR These key principles guide how organizations should treat personal data moving forward. Personal data should be: PROCESSED LAWFULLY, FAIRLY AND IN A TRANSPARENT MANNER IN RELATION TO INDIVIDUALS COLLECTED FOR SPECIFIED, EXPLICIT AND LEGITIMATE PURPOSES AND NOT PROCESSED BEYOND THOSE PURPOSES ADEQUATE, RELEVANT AND LIMITED TO WHAT IS NECESSARY IN RELATION TO THE PURPOSES FOR WHICH THEY ARE PROCESSED ACCURATE AND WHERE NECESSARY, KEPT UP TO DATE KEPT IN A FORM WHICH PERMITS IDENTIFICATION OF DATA SUBJECTS FOR NO LONGER THAN IS NECESSARY WHILE THE PERSONAL DATA IS PROCESSED PROCESSED IN A MANNER THAT ENSURES APPROPRIATE SECURITY OF THE PERSONAL DATA DATA CONTROLLER VS DATA PROCESSOR? As a hotel, you are a data controller and any third-party vendors that process data on your behalf are data processors. The controller shall be responsible for and be able to demonstrate compliance with the principles. This means that a hotel processing personal data of individuals from the EU is fully liable for the activities of its vendor (data processor). The location of either the hotel or the vendor plays no role, it is solely based on the location of the individual whose data is being processed. There are 6 legal grounds through which you can process personal data. In this guide, we look in detail at number 1. All forms of legal grounds are as follows: THE INDIVIDUAL HAS GIVEN CONSENT PROCESSING IS NECESSARY FOR THE PERFORMANCE OF A CONTRACT IT IS NECESSARY FOR THE CONTROLLER TO COMPLY WITH A LEGAL OBLIGATION IT IS NECESSARY TO PROTECT SOMEONE S LIFE IT IS NECESSARY TO PERFORM A TASK IN THE PUBLIC INTEREST IT IS NECESSARY FOR THE PURPOSES OF THE LEGITIMATE INTEREST PURSUED BY THE CONTROLLER OR THIRD PARTY

4 OBTAINING CONSENT FROM YOUR DATABASE... Below are a few tips and best practices to help guide you through the process for obtaining consent in advance of May, 018. Remember, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. WITHDRAWING CONSENT!... Consent must be as easy to withdraw as it is to provide. When direct marketing to individuals, provide a clear opt-out mechanism from receiving future marketing communications. BEST PRACTICES TO FOLLOW WHEN REQUESTING CONSENT... WHEN REQUESTING CONSENT FROM INDIVIDUALS WHO ARE NOT CURRENTLY CUSTOMERS, YOU MUST INDICATE THE FOLLOWING: The data controller s identity (i.e. your hotel name) The purposes and activity of the processing. For example, what do you want to do with their personal data and how will it be used? A privacy policy is the best place for this information The right to withdraw consent, and how an individual can do so WHEN PROVING CONSENT, IF NEEDED, HERE S WHAT YOU NEED TO PROVIDE FOR AUDITING PURPOSES: Who consented When they consented What they were told at the time How they consented If consent has been withdrawn

5 BEST PRACTICES TO GUIDE YOU IN THE LEAD UP TO MAY, CHECK YOUR PRIVACY POLICY MAKE YOUR PRIVACY POLICY ACCESSIBLE CHECK FOR CONSENT Make sure your privacy policy is up to date and reflects exactly how you intend to process data for your subscribers and guests. The more transparent you can be, the better. Entice CREATE AN EFFECTIVE, PERSONAL CAMPAIGN REACHING OUT TO YOUR DATABASE your current database with reasons why they should opt-in to receive marketing communications from you use your destination, content or social media as a means to do this: Create an preference page that allows your subscribers to determine what type of content they receive, if they choose to do so. You can determine these by the type of content you share, or the type of activities/interests your guests have at your property. On your subscription page, or preferences page in fact anywhere you provide the option for individuals to sign up - provide a link to your privacy policy. This will emphasize your commitment to transparency and accountability for how you process data. If you ve been following an opt-in consent model, you should have an auditable trail that will prove consent has been received from your subscriber base. If you have not introduced that yet, now is your chance. Step outlines how you can engage with those in your database who are not yet customers. Draft an campaign that will run for a few months in the lead up to May, 018 that links through to your preferences page: > Include why you re contacting them > What you ll be sending them in the future > How they can manage their consent Use website overlays/popups to encourage opt-ins Add opt-in fields to any forms or registration pages you have on your website. If doing so, ensure your privacy policy is clearly visible. OBTAINING CONSENT AT EVENTS OR FACE-TO-FACE MEETINGS Provide an alternative means for people to provide you with consent to market to them, a business card is not a means of giving consent to receive marketing communications anymore. > Provide an accessible online form (on a desktop, mobile or ipad) > Share a printed sheet of paper that include the details you d request via the preference center. This can be photographed and added as documentation for an audit trail CONTACT CENDYN TODAY... Contact us today for a demo of our hotel CRM + digital marketing services. We look forward to hearing from you! VISIT CENDYN.COM Please note this is not to be treated as legal advice, the information included here is to be treated as best practices only. REFERENCES: (1) IBM Marketing Cloud, 10 Key Marketing Trends For 017 () MarTech Big Data Brings Marketing Big Numbers (3) Wikibon The Rapid Growth in Unstructured Data () IDC, Data Age 0