The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) will become law within the European Union with effect from 25 May 2018.
The Data Protection Commissioner, has stated the following on their website:
“GDPR very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.”
The implementation of GDPR addresses the storage of customer data. Our position at In1 has always been, that a processor should only store information that is relevant and only retain it for as long as it is useful. This also improves the bottom line as less form filling at the booking / purchase stage improves the conversion rate. And it also reduces the obligations under GDPR, remember, GDPR is about the protection personally identifiable data. Less is better and there are many simple steps which can be taken to make sure such data is not Personally Identifiable.
There is no longer a need, for example, to retain the postal addresses of a customer. Why bother, no one uses the postal services to communicate and holding this data for no purpose simply increases the obligation to protect such data. In fact, keeping data for no good reason or where there is no process for using such data breaches GDPR as a processor is mandated to the keep data required to service a transaction and no more. Similarly, with phone numbers, is there a need for them after the guest has departed, maybe for a short time in case something is left behind in the room but is there really a need for them say, more than 30 days after departure. If there is no need to call, then don’t keep it. And phone numbers as they are close to unique to a person (almost certainly so in the case of mobile) makes the data associated with it more likely to be personally identifiable. GDPR is about the security of personally identifiable information, so remove the personally identifiable attributes as soon as possible. Less is better.
Credit/Charge card data has long been subject to stringent controls. All In1 technologies both partner and guest facing, are SSL Secured and PCI DSS Compliant. We never store or supply Credit Card CVV’s as this is in breach of the Credit Card Merchant agreement and entails serious fines. The moment a transaction is complete we obfuscate Credit Card information. Where servers and services comply with PCI/DSS they must comply with a level of security of access meeting with best technical practice, a significant part of the obligation under GDPR. When customer data is stored, keep it safe and secure.
GDPR implemented correctly can enhance business and should be approached in that spirit.
- Build customer trust
- Improve brand image and reputation
- Improve data governance
- Improve information security
- Improve competitive advantage
Although there has been a certain degree of scare mongering to date, the objective of GDPR is to advise and improve data security. Those that consciously and deliberately abuse the data security of their customers and fail to implement corrective actions, or cease their abuse once advised or warned, can rightly expect a degree of censure. Those who do not respect customer security and confidentiality endanger online commerce and customer trust and should rightly be brought to heel.
Those that work to comply with GDPR and follow guidance or advice to improve their processes should not expect to be punished or fined. This is what the Data Protection Commissioners across Europe have stated as their objective. They wish to advise, educate and improve data security, not penalise genuine businesses working toward GDPR compliance.
Data Storage – Customer Contact Details
In1 Solutions is very much aware of the obligations that its accommodation, catering and retail partners must adhere to when gathering, storing and using customer information. We have been consistently ahead of the evolving requirements for privacy and security in terms of the financial and personal data of the guest / purchaser.
We have long made available and recommended the use of the short form version of the room or voucher booking engine payment interface when collecting customer data. This limits the information to First Name, Last Name, Email Address, Phone Number, and Country of Residence.
We do not use customer data directly, it is not ours to use, but that of our hotel, catering and retail partners. We simply act to collect the minimum amount of information possible to support a transaction and pass that information on securely.
Credit Card Information
The In1 Solutions booking engine and voucher engine uses SSL certificates to ensure that all data transferred between the web browser and the web server is secure. This is visible to the booker via the green secure padlock in the address bar of the browser when guests are making a booking or purchasing a voucher.
The credit card details supplied during the booking process are obfuscated in accordance with PCI DSS compliance. We never store CVVs. All customer data is stored on secure servers that are PCI DSS compliant. We also store the software necessary to send email campaigns on these secure and compliant servers.
The GDPR explains how an organisation should obtain customer consent in order to use customer email addresses for marketing purposes.
“They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity”.
To ensure compliance, In1 Solutions advises hotels to enable the positive opt in for email communication in the final stage (payment) of the booking and voucher engine. That positive opt in explicitly obtains the consent of the customer to use their email address for future marketing communications. This will enable hotels to prove that personal data was collected in compliance with GDPR and a record will be retained showing when, why and how the data was collected. It will also show that it was used in a manner that is compatible with the initial reason for collecting the data.
The options for short form and email opt in are available for configuration in the IMC. If there are any queries, please contact In1 Support.
Where a website is developed by In1 Solutions we have contacted each website administrator regarding any data collection beyond the utilisation of the GDPR Compliant In1 Booking Engines. In the main this consists of newsletter opt in and contact forms. Where data is collected, it is mandatory to ensure the positive, clear, confirmed knowledge and permission of the user to collect, hold and utilise this data.
Where customer information is collected prior to GDPR, we would advise processors to minimise such information on a need to have basis. Should there no longer be a need to communicate with those customers then that data should be obfuscated, anonymised or deleted. Where communication is ongoing using such information, always offer an unsubscribe.
Right to be forgotten
A basic tenet of GDPR, is the right to be forgotten. In1 will accept direction from its customers, clients and partners at any time to anonymise, obfuscate or delete (forget) any information relating to an end user (collected via In1 Online Engines or Newsletter/Email opt-in) at the direction of the merchant (e.g. hotelier, restaurant, retailer, etc.). We commit to doing so within 14 working days of written (email will suffice) instruction.
Where we are approached directly by an end user, we will commit to exercising an anonymise, obfuscate or delete (forget), no later than 30 working days of receipt of written (email will suffice) instruction and will notify the merchant in the interim of the instruction received and our commitment to do so.
We inform the merchant, to ensure there is no ongoing issues between merchant and guest where a delete, would cause a difficulty. For example, to delete the information relating to a room booking where the guest has not yet arrived, would make little sense and prevent the proper servicing of that booking, unless such information has already been transmitted to the safe keeping of the accommodation provider.
Why Anonymise or Obfuscate
The objective of In1’s commitment to GDPR and the security of user information applies to ensuring information gleaned or supplied is not personally identifiable beyond a reasonable time or used for means other than which it is supplied. We need to know a user’s email address and name to confirm a room booking or gift voucher sale. We cannot run our services without that. That is a reasonable use of the information freely supplied. Other than in the support of those transactions, we will never communicate with a user. We act a channel between the ultimate service provider and the guest / purchaser (user) to support the transaction. We have no other relationship with the user as they are not an In1 customer.
In committing to anonymise or to obfuscate information relating to a user we can then still operate our systems, support accounting, resolve issues and gather high level statistics. For example, we can understand that a significant number of room bookings in many markets occur immediately post the evening news. That does not mean we know anything of the individuals involved, but it does tell us it would be rather foolish to do system maintenance at that time.
In1 complies with the highest standards when collecting and using personal information. No personal information will be retained for longer than is necessary to fulfil a legitimate business need or as required by applicable law. This can literally mean that information resides on or transits our systems for no more than a matter of seconds. Regardless of our commitment to act in a timely manner to anonymise, obfuscate or delete user information, we guarantee that if a user has not engaged with us for 3 years then we will obfuscate, anonymise or delete those personally identifiable details from our database. We reserve the right, only, to shorten this period.
For more information visit – GDPR site.