GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) became law within the European Union with effect from 25 May 2018.
The Data Protection Commissioner has stated the following on their website:
“GDPR very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.”
The implementation of GDPR addresses the storage of customer data. Our position at In1 has always been that a processor should only store relevant information for as long as it is useful. Less form filling at the booking / purchase stage improves the conversion rate. Additionally, it reduces the obligations under GDPR as GDPR is about the protection of personally identifiable data. Less is better and there are many simple steps which can be taken to make sure such data is not Personally Identifiable.
There is no longer a need, for example, to retain the postal address of a customer. Why bother? Few use postal services to communicate and retaining this data would simply increase the obligation to protect it. In fact, keeping data for no good reason breaches GDPR. A processor is mandated to retain the data required to service a transaction. Nothing more. Similarly, with phone numbers, is there a need for them after the guest has departed? Perhaps for a short period, in the case of something being left behind in the room. There is no need, say, more than 30 days after departure. In addition, phone numbers (almost certainly in the case of mobile) make the data more likely to be personally identifiable. GDPR is about the security of personally identifiable information, so we remove the personally identifiable attributes as soon as possible. Less is better.
Credit/Charge card data has long been subject to stringent control. All In1 technologies, both partner and guest facing, are SSL Secured and PCI DSS Compliant. We never store or supply Credit Card CVVs as this would be in breach of the Credit Card Merchant agreement and result in serious fines. The moment a transaction is complete, we obfuscate Credit Card information. Where servers and services comply with PCI DSS, they must comply with security of access, meeting best technical practice, a significant part of the obligation under GDPR. When customer data is stored, it is kept safe and secure.
GDPR implemented correctly can enhance business and should be approached with that in mind.
Build customer trust
Improve brand image and reputation
Improve data governance
Improve information security
Improve competitive advantage
Although there has been a certain degree of scaremongering to date, the objective of GDPR is to advise and improve data security. Those that consciously and deliberately abuse the data security of their customers and fail to implement corrective actions, or cease their abuse once advised or warned, can rightly expect a degree of censure. Those who do not respect customer security and confidentiality endanger online commerce and customer trust and should rightly be brought to heel.
Those that work to comply with GDPR and follow guidance or advice to improve their processes should not expect to be punished or fined. This is what the Data Protection Commissioners across Europe have stated as their objective. They wish to advise, educate and improve data security, not penalise genuine businesses working toward GDPR compliance.
Data Storage – Customer Contact Details
In1 Solutions is very much aware of the obligations to which its accommodation, catering, and retail partners must adhere when gathering, storing, and using customer information. We have been consistently ahead of the evolving requirements for privacy and security in terms of the financial and personal data of the guest / purchaser.
We have long made available, and recommended the use of, the short form version of the room or voucher booking engine payment interface when collecting customer data. This limits the information to First Name, Last Name, Email Address, Phone Number, and Country of Residence.
We do not use customer data directly – it is not ours to use, but that of our hotel, catering, and retail partners. We simply act to collect the minimum amount of information possible to support a transaction and pass that information on securely.
Credit Card Information
Booking engines and voucher engines use SSL certificates to ensure that all data transferred between the web browser and the web server is secure. This is visible to the booker via the secure padlock in the address bar of the browser when guests are making a booking or purchasing a voucher.
The credit card details supplied during the booking / purchase process are obfuscated in accordance with PCI DSS compliance. We never store CVVs. All customer data is stored on secure servers that are PCI DSS compliant.
The majority of our customers direct us to use their preferred Payment Gateway (PG) supplier and we support over 40 PG companies and growing, worldwide. In1 supports Hosted Payment Pages (HPP), whereby we direct the payment action to the payment interface / form on the securely hosted Payment Page of the chosen PG service. By this means we simply request the appropriate payment value; the processing and security of payment and the entry of sensitive data occur outside the realm of In1 servers, and we receive a positive or negative response and reference from that service. With HPP we store nothing other than the acknowledgement reference returned to us by the PG service. We therefore have nothing payment related on our servers that is subject to GDPR.
We also strongly advise our customers that for Voucher Sales, such transactions are single shot and any card related data should not be stored. In all cases such transactions are 3D Secure to the current highest standard and there is never a reason to return to the Payment Information of the Customer. The Voucher transaction occurs, the Voucher is issued and from a purchase perspective the transaction is now complete. There is never a reason to store any card information.
We also store the software necessary to send email campaigns on our secure and compliant servers. In all cases we prefer to transfer such information to our customers for their own use. We repeat, the information associated with all transactions, Room Bookings, Voucher Sales and Mailing Opt-Ins is the property of the customer and not that of In1.
The GDPR explains how an organisation should obtain customer consent in order to use customer email addresses for marketing purposes.
“They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity”.
To ensure compliance, In1 Solutions advises hotels to enable the positive opt-in for email communication in the final stage (payment) of the booking and voucher engine. That positive opt-in explicitly obtains the consent of the customer to use their email address for future marketing communications. This will enable hotels to prove that personal data was collected in compliance with GDPR and a record will be retained showing when, why, and how the data was collected. It will also demonstrate that it was used in a manner compatible with the initial reason for collecting the data.
The options for short form and email opt-in are available for configuration in the IMC. If there are any queries, please contact In1 Solutions support (firstname.lastname@example.org).
Where a website is developed by In1 Solutions, we have contacted each website administrator regarding any data collection beyond the utilisation of the GDPR Compliant Booking Engines. In the main, this consists of newsletter opt-in and contact forms. Where data is collected, it is mandatory to ensure the positive, clear, confirmed knowledge and permission of the user to collect, hold, and utilise this data.
Where customer information was collected prior to GDPR, we would advise processors to minimise such information on a need-to-have basis. Should there no longer be a need to communicate with those customers, the data should be obfuscated, anonymised or deleted. Where communication is ongoing, always offer an unsubscribe.
Right to be Forgotten
A basic tenet of GDPR is the right to be forgotten. In1 Solutions will accept direction from its customers, clients, and partners at any time to anonymise, obfuscate or delete (forget) any information relating to an end user (collected via In1 Online Engines or Newsletter/Email opt-in) at the direction of the merchant (e.g. hotelier, restaurant, retailer, etc.). We commit to doing so within 14 working days of written (e-mail will suffice) instruction.
Where we are approached directly by an end user, we will commit to anonymising, obfuscating or deleting (forgetting) the information no later than 30 working days after receipt of written instruction (e-mail will suffice) and will notify the merchant in the interim of the instruction received and our commitment to do so.
We inform the merchant in order to ensure there are no ongoing issues between merchant and guest where a delete would cause a difficulty. For example, to delete the information relating to a room booking where the guest has not yet arrived would make little sense and prevent the proper servicing of that booking, unless such information has already been transmitted to the safe keeping of the accommodation provider.
Why Anonymise or Obfuscate
The objective of In1’s commitment to GDPR and the security of user information applies to ensuring information gleaned or supplied is not personally identifiable beyond a reasonable time or used for means other than that for which it is supplied. We need to know a user’s email address and name to confirm a room booking or gift voucher sale. We cannot run our services without that. This is deemed a reasonable use of the information freely supplied. Other than in the support of those transactions, we will never communicate with a user. We act as a channel between the ultimate service provider and the guest / purchaser (user) to support the transaction. We have no other relationship with the user as they are not an In1 customer.
In committing to anonymise or obfuscate information relating to a user, we can still operate our systems, support accounting, resolve issues, and gather high level statistics. For example, we can understand that a significant number of room bookings in many markets occur immediately post the evening news. That does not mean we know anything of the individuals involved, but it does tell us it would be a bad idea to do system maintenance at that time.
In1 complies with the highest standards when collecting and using personal information. No personal information will be retained for longer than is necessary to fulfil a legitimate business need or as required by applicable law. This can mean that information resides on or transits our systems for mere seconds. Regardless of our commitment to act in a timely manner to anonymise, obfuscate or delete user information, we guarantee that if a user has not engaged with us for 3 years then we will obfuscate, anonymise or delete those personally identifiable details from our database. We reserve the right, only, to shorten this period.
For more information, visit GDPR site.