General Data Protection Regulation (GDPR)
GDPR (General Data Protection Regulation) is a European law which will affect all businesses and how they use personal data. The regulations are extensive but are essentially all about giving consumers (i.e. your guests) more control of their own data.
The rules come into force on 25 May 2018. At SuperControl we are making a number of changes to help our clients comply with these regulations.
Full data mapping
We are building an exhaustive map of all data handled by SuperControl. This will include connections with other Data Processors so that we can ensure that we have the correct Data Processing Agreements with all partners.
GDPR introduces much tighter rules around subscriptions. Your guests will need to opt in to receive any marketing communication from you, including how you want to send this. For example, if you want to send them email marketing and a brochure, this will now count as two subscription options.
Until now SuperControl has included a standard "opt-in" tick box on every form. We will extend this with a new feature that lets you create your own subscription options. When guests tick subscription options we will correctly log this consent.
You will be able to filter by the different consent options and export data.
We will also provide additional subscription links for channel or bookings that you add manually.
Guest data search
GDPR means that guests can contact you to find out what data you are holding about them. A guest can also request that data be removed if it is no longer required. SuperControl already has tools to help you find, remove and mask guest data.
As a second phase of the GDPR project we will be providing specific tools to make this process easier.
Currently the email invitations to guests to place a review come directly from UpFront Reviews. This will change to come directly from you, like other booking emails. We hope that this will also encourage more guests to place reviews.
Ongoing security projects
Behind the scenes we will be carrying out a range of other security projects. We have a very experienced security consultant in-house who is constantly testing and improving our application and hosting environment.
Our aim is to implement "privacy by design" across the whole company. Privacy and security will be at the core of any future system developments.
Is there some text I can add to our Terms and Conditions to explain our relationship with SuperControl?
Yes, our legal advisor suggests that you could tell your guests the following:
“We use SuperControl to manage our online booking process. We have a written contract with SuperControl to ensure that they will process your data on our behalf in compliance with all applicable Data Protection Laws.”
No. You just need to show it on your website. If you do not have a website, we recommend you seek legal advice.
Yes. Under Admin > Terms and conditions.
Do I need to ask permission in the booking confirmation letter to keep contact details?
No. You don't need specific permission to process a transaction.
Do I need to tell my guests about the booking websites I advertise my properties on?
Providing you don't input personal data on any of the sites yourself, then no.
Do I need to tell guests that their booking is added to my SuperControl account?
No. SuperControl is a Data Processor. Its system exists to process your data on your behalf.
If previous guests do not want me to keep their details, do I need to inform SuperControl?
At the moment, yes. You need to raise a support ticket requesting SuperControl to remove the data from your account on your behalf. We will then send you a form to complete to detail the exact criteria of data that you would like to be permanently deleted.
Do I have to ask all of my previous guests for their consent to keep them on my mailing list?
If previous guests subscribed to your newsletters in the past, those permissions have been transferred to the default consent option.
Existing guests who have not subscribed to the new opt-in methods would need to re-subscribe - similar to all of the opt-in emails you are probably receiving from websites you have used in the past. You could do this using a marketing email tool, e.g. MailChimp.
Do I need to ask PayPal to delete guest records as well?
No. The guest enters their data directly into PayPal.
If an iPhone is used to store images of payments or to send holiday business information to a third party, how does this comply with GDPR?
You need to ensure you are not capturing personal data unnecessarily.
If there is anything you are uncertain about, we strongly advise you to seek legal advice.