Guide to GDPR

When is it happening?

On the 25th May 2018 the new rules around GDPR become enforceable.

What is GDPR?

GDPR stands for General Data Protection Regulation. The directive applies across all EU countries and its goal is to give all citizens and residents control over their personal data. Personal data must now be processed according to several data protection principles. Click here to see the official GDPR guide, including the steps businesses should take and a useful checklist.

The principles of the General Data Protection Regulation:

•    Lawful, fair and transparent
•    Collected for specific and legitimate reasons
•    Used in a relevant way and fit for purpose
•    Accurate and up-to-date
•    Kept or stored only as long as required
•    Secure and confidential. Handled with integrity

 

The key takeaway is that data must be collected, used and stored only where relevant and necessary, and in a secure and confidential way.

Customers (guests) whose data you have will now have the following rights.

•    The right of access. All data must be in categories. Customers (guests) can ask which categories you hold, such as email, name and address, and can request a copy of their data within each category
•    The right to erasure. It must be possible to delete stored data and to prove its deletion. The customer (guest) can request proof that their stored data has been removed in line with GDPR
•    The right to transfer data. If the customer (guest) would like to transfer their data to another service provider, you must assist in providing it and must not block the transfer

In addition, companies must be able to show a supervisory body how data has been processed or used, so records of actions are required.

 

FAQ 

Will keeping guest data (for a specific timeframe) fulfil the legal requirements?

As long as you disclose this to your customers in your privacy policies and procedures, you can store guest data for a reasonable timeframe, i.e. one that is:
•    required by your local legislation
•    industry standard
For elina clients: For full details on what information should be provided to your guests at the point of data collection, click here.

Please note that you need to adhere to the regulation and ensure you have stated how long you will keep your guests' information and for what purpose.
If you operate outside of the EU and still welcome European clients, it is good practice to disclose the data protection policy to guests in your privacy policies and procedures.

What information does Elina store?

Since businesses must be able to show who has access to their data, elina PMS is well positioned. Every elina user can (and should) have a unique user login, which in turn may be limited to access only certain parts of elina and its information. You can monitor which users are active, their names and what access levels they have been granted. Users are tracked: each login is recorded, including details of where they logged in from and what they did.

For elina clients: To see what guest details may be stored in elina please review our guest profile creation article here.

 

How do we assure the data is securely transmitted/stored?

Data is stored on our secure servers, which are managed by us directly. Our servers are scanned regularly and a copy of the resulting compliance summary may be requested from us by our customers at any time. 

elina PMS, the property management system, and the booking engine are all part of the same system platform. Data is therefore stored securely in a single location.

For elina Clients: Here are more details on the storage of your data.

 

How can I delete guest data?

Elina allows deletion of guest profiles. This can be done using the "delete button" in the profile edit screen. Guests may also request removal of their data, or details of it, via an easy form on the Guest Lounge within your booking engine.

 

As part of the changes with GDPR you will need to inform your guests via your email templates or website that they have the right to withdraw their profile. We recommend updating your Terms and Conditions and Policy text, which you set up when you first installed your elina system, as a minimum action.

Take advantage of your marketing tool and create a post-departure communication to inform your guests of the option to manage their data via the Guest Lounge on your website. Guests may log in to their Guest Lounge to see (and, if you permit them, manage) what information you store about them.
   
You can choose to delete the profile entirely or remove information (name, phone, address, etc.) from it, but leave it active.

Note: if you opt to delete a guest profile, this will remove it from all future view, but it will NOT remove information related to it stored in bookings or invoices. Consult your data protection officer on which option is best for your case.

 

What are our partners doing to become GDPR compliant?

The Elina platform is connected with several business-critical systems, from channel managers to accounting platforms and revenue management systems. If you have connected your elina system to benefit from the additional functions of any of these platforms, take the time to learn how your data is being managed and handled on those platforms, and inform your clients (guests) where that is relevant.

 

For some of our clients, we provide and fully support channel management through STAAH. STAAH are fully committed to upholding the privacy and rights of our customers and their customers as outlined in the new legislation and have published rich content on their site on the topic. Please read more information here.

 

Other channel managers and third parties that we do not directly resell or manage internally will be communicating with you independently - please have a look on their websites/blogs or contact them directly.

 

Please be aware that once GDPR has been enforceable in Europe for a period, elina will send a questionnaire to all our clients for feedback on any issues relating to GDPR and elina. We will use that feedback and regulatory recommendations to assess whether there are features or recommendations that we might extend further to all elina platform users.

 

For follow-up questions, please do not hesitate to contact the Elina Concierge Team.