How to Prepare for GDPR
In case you haven't heard by now, GDPR is coming. What is it? The short answer is that GDPR stands for General Data Protection Regulation and is the European Union's privacy law governing how personal data is collected and handled. For a longer answer, we encourage you to read this excellent article from Wired; for the complete breakdown, the Wikipedia page is a helpful reference.
You're probably asking yourself "I'm a hotelier in the US, why should I be concerned with the EU's regulations?" Great question! The EU's regulations apply anywhere an EU citizen does business. That means if an EU citizen books your hotel online or stays at your hotel, you are held to the GDPR standards.
GDPR is a serious issue, and per Article 28 your property is considered a “data controller” and your vendors are “data processors”. GDPR stipulates that responsibility for compliance falls on the “data controllers”. What this means is you should work with the appropriate people at your property and your legal team to understand and evaluate your exposure, including working to understand any vendors you are currently using that capture consumer data. For example, this would include your PMS, CRS and CRM providers.
As a data processor working on your behalf, we are required to have an agreement with you stipulating the nature of the data use and identifying us as an authorized data processor for your organization. We will be sending you a simple addendum to your existing agreement in the near future for your review. This will not change any fees or services currently being offered to you by GCommerce.
Here are several key steps we believe are important to consider to prepare your property for the implementation of GDPR:
- Call your lawyer to define your privacy policy and terms and conditions for the use of your website. We are not able to provide stock language and we strongly encourage you to discuss this with your legal team.
- Cookie Tracking - A cookie policy that is easy to opt in to or opt out of. We have sourced a low-cost 3rd party that can help you with this called OneTrust. Their service is $30-45/mo with a $750 set-up fee and we can help facilitate a connection, demo, etc. Once you are signed up with them, they will provide a code snippet that your web firm or GCommerce can place on the website and you are done. If GCommerce is your web firm, please work with your Account Executive on pricing for adding this code snippet.
- Form Submission Data - It is generally safer to have all submission forms on your website feed into a 3rd party like MailChimp or a more robust eCRM. These provide easy opt-out options for your email marketing databases. Should you like a recommendation for a third-party system, GCommerce is happy to assist with both the selection and the implementation.
- Retargeting lists - Current retargeting lists that were built prior to May 25, 2018, whose members were not previously given the opportunity to consent, are not technically grandfathered and should be rebuilt. Typically our retargeting lists are cleansed every 30-45 days, so over time, with the cookie tracking policy in place, your retargeting lists will be valid.
- Email lists used for advertising - Historically, marketers have been able to utilize email databases to reach audiences on advertising channels such as Facebook and Google. As of May 25, 2018, any email address being utilized for advertising will need to be given the opportunity to consent in order to maintain GDPR compliance.
- Google Analytics data - If GCommerce handles your Google Analytics account, we are electing to not allow Google Analytics data to automatically expire. If you would like us to change this setting at any time, please contact your Account Executive.
Call your Account Executive for specific recommendations for your property or contact us via the form below.