GDPR gives EU citizens (known as the “data subject”) the right to be informed about what is going to be done with their personal data. Not only what data will be collected but how it is going to be used, who else will be involved in using it, what it will be used for and how and when it will be disposed of.
The right to be informed has implications for how you will go about earning consent to collect and use personal data in your business.
If you hold personal data about an individual EU citizen, they have the right to see what that data is. The owners of personal information can make a “Subject Access Request” to any business they think might be holding their personally identifiable information.
There are obligations on the Data Controller regarding how to respond and whether that access is to be provided. There are circumstances under which a business can decline to provide access to personal data but you need to be really sure about what you’re doing.
It is important to note that there are provisions within the Regulations to prevent frivolous attempts to access PII your business may hold.
When a private individual makes a Subject Access Request, this should trigger a specific response process inside your business. If it doesn’t you are risking being in breach of the Regulations. So your public facing employees need to be aware of GDPR and what to do when a Subject Access Request or notification of a data breach is made.
It is really important for all concerned that employees are not panicked into taking the wrong actions. Subject Access Requests will be popular with everyone from newspaper journalists to disgruntled customers. Your business needs to be able to respond appropriately or you can make a lot of trouble for yourself.
There is always a chance that the personal data held within your business will contain errors.
Years of checking over hotel prospect and customer databases have taught me to expect all sorts of errors to appear in even a simple list. Some errors are insignificant, others can have serious implications for the individuals involved.
The Data Subject has the right to make you correct your records. Not just ask for it to be done – they can make you do it and then prove that the corrective action was taken. You also need to record the corrective action.
The “right to be forgotten”.
This is likely to be a popular headline grabber as people seek to invoke their rights to data protection. GDPR provides a way for the data subject to ask to be forgotten but it also contains a number of circumstances under which your business can refuse to comply with the request. You need to know what they are if you’re going to use them.
However if none of these circumstances apply to a particular erasure request and you have to “forget” a data subject, there are a few things you need to think about. For example:
The data subject can ask you to stop processing their personal data. If you are processing PII data for marketing purposes you must cease processing their data straight away. You can still store the data, you just can’t use it. The recommended course of action is to store just enough information to make sure it is not used again.
For example if you are sending out marketing emails and someone asks for your processing of their data to be restricted, how can you make sure you never send them another email?
One way is to keep the email address on a “negative” list which prevents it from being added to a future promotion. This way you can prove you took appropriate action. Of course, you need to design a system process to actually do this. In the case of modern email autoresponder systems you might find some of them already have such a feature.
The problem here is if you delete all records, how can you be sure the email can’t find its way onto another list which sends a fresh message out to the complainant? Retaining the minimum data necessary to ensure the correct course of action helps you to comply.
GDPR does permit you to decline such a request. For example if you need to process the PII in order to meet a contractual or legal requirement. However in terms of marketing those options are unlikely to be available to you.
If you have changed your personal banking current account recently you will have experienced “data portability”. This is where you move from one service provider to another. Your personal data is packaged and moved from the original service provider to the new one.
The banking industry railed against this for a long time and only implemented it under extreme pressure from the banking regulator. The new system for switching banks today is very efficient. Now data portability is enshrined as a personal right under GDPR.
Data subjects can ask for their PII in a machine readable format to be given to them or for it to be sent directly from your business to the new service provider.
So far I haven’t been able to think of a direct example of this being used in the hotel industry but that’s not to say there isn’t one.
The data subject has the right to object to organisations processing their PII. They can object to your business processing it as the Data Controller. They can also object to their data being processed by any Data Processors you use or being transmitted to a 3rd country.
If the Data Subject objects to your processing their data for marketing purposes you need to cease processing straight away. You cannot make a charge for handling their objection in this situation.
Individuals must object on “grounds relating to his or her particular situation”.
Again, there are defences against the Right to Object. For example where the processing is necessary for the “establishment, exercise or defence” of legal claims.
For hotel businesses, the main category of processing will be for direct marketing. There are special rules for direct marketing under GDPR. If your processing is carried out online, then the Data Subject must be able to object online.
Objections for marketing purposes must lead to an immediate cease of processing. No exceptions or arguments.
Automated decision making and profiling is coming to the hotel industry in the form of online booking systems using AI or “Artificial Intelligence”.
This is a technique used to make decisions about individuals for credit card applications or recruitment screening for example. The point about automated processing is that there is a possibility that a harmful decision might be made against an individual. For example they might be charged a higher price for something or denied access to a service completely as a result of the automated processing of their personal data.
There are specific rights and safeguards imposed by GDPR as far as automated decision making and profiling is concerned. Including the right to ask for human processing of the personal data.