By Margaret Mastrogiacomo, Vice President Strategy

By now you’ve probably heard of the General Data Protection Regulation (GDPR) and should have started considering the effects of this regulation on your hotel website, data strategy, and hotel digital marketing. With the GDPR just around the corner, we’ve put together an overview that includes an explanation of the GDPR, the top misconceptions, and the most important considerations that will need to be implemented on your hotel website and included in your digital strategy.

What is the GDPR?

The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and regulates how companies manage, use, and share personal data. The GDPR will take effect on May 25, 2018. The GDPR applies to natural persons, whatever their nationality or place of residence, whose personal data is processed and whose behavior is monitored while within the EU. This change in legislation means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies begin to adapt.

The foundation of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, and expands on these privacy measures in two critical ways.

1. The definition of and requirements around personal data have been expanded. First, the GDPR defines personal data as any information that can be used to directly or indirectly identify a data subject, such as an online identifier like an IP address. The GDPR sets a higher standard for collecting personal data than ever before. By default, any time a company obtains personal data on an EU resident, it will need a legal basis for collecting that data, such as explicit and informed consent from that person. Even more importantly, users also need a way to revoke that consent, and they can request all the data a company has collected on them as a way to verify that consent. These strong regulations explicitly extend to companies based outside the EU.

2. The penalties are more severe. The GDPR’s penalties are severe and have two tiers of fines. The maximum fines per violation are set at up to four percent of a company’s annual global revenue or 20 million Euros, whichever is larger. The lower level fines are up to two percent of a company’s annual global revenue or 10 million Euros, whichever is larger. These penalties far exceed fines allowed by the Data Protection Directive, and they signal how seriously the EU is taking data privacy.

Get to know the facts. Avoid misconceptions regarding the GDPR:

1. The GDPR affects hotels across the globe: The GDPR applies to all properties that target EU residents as customers no matter where they are located. This means that the GDPR affects all hotels in the US and locations around the world, not just Europe.

2. Hotels are liable for the GDPR: Regardless of your partners or solutions provider, the hotel (which according to the GDPR would be considered the data controller) is ultimately responsible for using tools that are in compliance with the GDPR.

3. One price point for all of the EU: A commonly overlooked point regarding the GDPR is that hotels cannot use profiling to set prices based on an EU visitor’s location.

How does the GDPR apply to your hotel’s online data policy?

The GDPR affects your hotel’s data policy regarding EU website visitors in six main ways:

1. Getting consent: Visitors to your website must understand exactly how you are planning on using their data, and the legal basis for why you are collecting the data. Unambiguous and affirmative consent is a key part of GDPR legislation and it is important for any hotel website that collects personal data to obtain specific permission to use it in the course of their business. If you are requesting consent from the customer, the user must agree to each specific purpose. That means if you have someone's email address who booked with your hotel, you are only allowed to market to them if they have explicitly agreed to this. Similarly, privacy notices may require rewriting to be in line with the GDPR rules. Privacy Policies and Terms of Service must be simple to understand and free of jargon (a good rule of thumb here is that a 16-year-old should be able to understand the Terms of Service).

2. Accessing data: A main component of the GDPR is being fully aware of who has access to personal data that is logged and stored on your hotel website’s content management system or database. The first step is to understand exactly who has access to this data and compile a list. Next, examine the list and ask whether all of these people require access to this data. If the answer is no, permission should be revoked and measures must be implemented to control future access.

There must also be a robust process in place for deleting data that is no longer relevant or required, as companies are not allowed to hold on to this for any longer than is absolutely necessary.

3. Data accountability: Regardless of your solutions provider, hotels are ultimately responsible for using tools in compliance with the GDPR. In light of this, hotels should audit any external agencies they use that might have access to their data to ensure that their procedures are compliant. As the data owner (controller) you are ultimately responsible for this, even if you have outsourced elements of the process, so keep a record of measures you have taken to ensure all partners are acting in line with the GDPR regulations. All of your partners should be able to clearly explain what measures they have taken to maintain maximum security of the data you provide.

4. Data accuracy: All personal data must be accurate and kept up-to-date. Every reasonable step must be taken to ensure that personal data is correct in regard to the purposes for which data is processed, and that personal data is erased or rectified without delay if inaccurate.

5. Data minimization: Websites should collect only the minimum amount of customer data to do the job, as well as adhere to the “storage limitation principle” which mandates that personal data must be stored for no longer than is required and that individuals must be informed about the planned use of personal data.

6. Data portability and the “Right to be Forgotten”: All website users have the right to receive their personal data that was previously collected in a readable format, as well as the “Right to be Forgotten,” which grants consumers the ability to easily have all of their data deleted from the hotel database.

How can your hotel prepare for the GDPR?

The GDPR affects your hotel website, data strategy, digital marketing, and online merchandising. Below are the top ways you can prepare for GDPR:

Preparing Your Hotel Website

It’s important to ensure that all web forms and website cookie usage are in line with the GDPR. Your website’s Privacy Policy and Terms and Conditions should also reflect the GDPR to ensure that everything is in compliance.

1. Update your Privacy Policy and Terms and Conditions. First and foremost, your hotel website’s Privacy Policy and Terms and Conditions should be updated to reference GDPR rules and regulations. In particular, you will need to be transparent with what you will do with personal information once you’ve collected it, and how long you will retain this information on your website and in any other databases.

2. Ensure your website is secure. Your hotel website should have an SSL (Secure Sockets Layer) Certificate to ensure that all data processing through the website is secure. If your website has an SSL Certificate, the website address will begin with “https,” rather than “http.” SSL Certificates secure all of your data as it is passed from your browser to the website's server.

3. Ensure cookie consent. Website visitors from the EU must provide consent for your hotel website to enable cookies that are used to identify an individual. Like all other consent under the GDPR, consenting to cookies needs to be a clear affirmative action. Hotel websites should present clear terms of service regarding cookie usage with an opt-in box. Do not include pre-ticked boxes on the consent form, as this is against the GDPR regulations. It is important to note that the hotel website should not require users to accept cookies in exchange for information, and the hotel must also have a legal basis under the GDPR to use an EU visitor’s IP address to personalize content or identify a user’s device.

4. Ensure the ability for people to opt out or erase their personal data. The GDPR clearly states that a data subject should be able to withdraw consent as easily as they gave it under the “Right to be Forgotten” clause. Controllers must inform data subjects of the right to withdraw before consent is given.

5. Update email opt-in to default to “No” and include specific check boxes for every opt-in. Forms that invite users to subscribe to newsletters or indicate contact preferences must default to “no” or be an un-checked opt-in box. You should also ensure that users provide consent for all ways your hotel will be utilizing their data. For instance, if a user is opting in for email newsletters, this does not mean they are opting in for that email to be used for look-a-like audience marketing. Ultimately, hotels must set up a specific checkbox or form of consent for each separate use of guests’ data. And finally, to ensure that you are in complete GDPR compliance, it’s important to implement a double opt-in process.

6. All web forms must clearly identify named parties. Your web forms must clearly identify each party for which the consent is being granted. It is important to note that it isn’t enough to list specifically defined categories of third-party organizations; they must be named in full. For example, your consent form cannot simply say third-party ad networks; it needs to specifically name the ad networks where ads will appear.

Preparing Your Data Strategy

Once you’ve collected user data from EU residents or anyone living within the EU, it’s important to follow key protocols regarding the use and removal of this data. It is also extremely important that everyone covered by the GDPR has an easy way to access and download any of their personal data collected. Here are some key considerations regarding your data strategy:

1. Provide EU visitors with easy access to download personal data. Your hotel website should provide a request form where EU website visitors can request personal data.

2. Do not keep data for longer than required. While the GDPR does not state a specified timeframe that limits data storage, it’s a good idea to scrub customer data once or twice a year to ensure that all data is accurate and up-to-date. Any inaccurate or incomplete information should be deleted and the hotel is responsible for clearly stating how long the information will be stored within the privacy policy.

3. Allow easy consent opt-out to address the “Right to be Forgotten” and grant EU website visitors the ability to delete their personal data. Your data strategy must allow for website visitors who previously consented to any use of their personal data to easily opt out or “erase” their data, as well as update their opt-in preferences. This user experience should be just as seamless as opting in and be easy to navigate on the hotel website.

Preparing Your Marketing Strategy

The GDPR impacts your email marketing strategy, display remarketing strategy, and any display that utilizes owned customer data for targeting.

1. Make it clear which third-party vendors will be utilizing EU customers’ personal data. When prompting users to opt in to cookie consent or to access their customer profile data for marketing purposes, be sure to clearly list the name of the ad networks and third parties that will be utilizing these cookies and accessing this data for retargeting and building look-a-like audiences.

2. Ensure that all third parties and ad networks are in compliance with GDPR. Have your marketing agency or internal marketing department reach out to any third-party vendors or ad networks to ensure that they are GDPR compliant and have taken appropriate measures.

3. Only use data for the purpose for which the EU user opted in. When an EU user grants permission to use cookies or opts in to an email marketing list, only use the data for the marketing for which the user opted in. This means if the user only opted in for remarketing, you cannot use the data to build look-a-like audience targeting. Or, if an EU user opted in to a monthly email newsletter, the user’s email address should not be used for other marketing purposes.

Overall, it’s not only important to familiarize yourself and your hotel staff with the GDPR, it’s important to ensure that all of your bases are covered. To be ready for what’s next on the official launch of the GDPR on May 25, 2018, check out additional resources from the UK Information Commissioner’s Office and review your policies with a data privacy consultant and your legal team.