5 GDPR myths debunked for hoteliers
May 2018 will see the arrival of the General Data Protection Regulation (GDPR). And, if your business stores personal data (which, let’s be honest, most do these days), you’ll need to comply – or risk heavy fines.
NB: This is an article by Welcome Anywhere
If you’ve never heard of the GDPR before, this blog isn’t intended to give you the full rundown, because the internet is awash with descriptions of the new legislation (check out the link above for the official detail).
Instead, we’ve decided to gather five of the most common myths about GDPR compliance and debunk them, because there’s clearly a great deal of confusion over the replacement for the Data Protection Act 1998.
Myth 1: The GDPR is all about personally identifiable data only
The GDPR isn’t solely focused on protecting data that is obviously related to individuals (i.e. their name, address or date of birth).
The legislation will also apply to information such as IP addresses and cookie tracking, and this is because the advertising sector no longer treats data of that ilk as anonymous.
Myth 2: Erm … Brexit’s happening, innit?
The fact that the UK is leaving the EU has absolutely zero impact on your business’s requirements to be GDPR compliant.
Firstly, the enforcement of the GDPR will take place a good ten months before Brexit, and even when the UK does leave the EU, businesses within this country will still need to comply due to the fact that the GDPR applies to the personal data of all EU residents.
Therefore, any guests you have from EU member states, or data stored about EU nationals living within the UK, will be subject to the new rules and regulations.
Sorry – you can’t use the Brexit card here.
Myth 3: The GDPR will only apply to new data we collect
The GDPR applies to all personal data you store and process, no matter when it was collected.
Myth 4: My hotel booking system provider has sole responsibility to remain GDPR compliant – not us
You’re quite right in assuming that the hotel booking system provider will need to be fully GDPR compliant, but there’s a fair bit you’ll need to do, too.
Your hotel will collect and interact with data in a variety of ways, therefore every touchpoint will need to be accounted for, and they won’t all be linked to the booking system.
Equally, even if you’re not physically storing the data yourselves, you’ll still be considered a data controller, and therefore subject to the GDPR’s rules.
Myth 5: The fines are the biggest threat
There’s no escaping the fact that fines of 4% of revenue or £17 million are potentially business-killers, but they should be relatively rare in the UK.
The Information Commissioner’s Office (ICO) has stated that it prefers “the carrot to the stick”, and it’s likely they’ll focus more heavily on companies that flout the laws or fail to notify them when a data breach has taken place.
So, the fines are a threat, but they’re not necessarily the biggest. If you’re hit by a data breach and your lack of GDPR compliance results in serious problems for your customers, the PR consequences could be far worse.
There’s no escaping GDPR, but, equally, no reason to panic. Time is still on your side, which means you can start preparing for this signifiant change to data legislation – today.