The General Data Protection Regulation (GDPR) became law within the European Union with effect from 25 May 2018.
The Data Protection Commissioner has stated the following on their website:
“GDPR very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.”
The implementation of GDPR addresses the storage of customer data. Our position at TBM has always been that a processor should only store relevant information for as long as it is useful. Less form filling at the booking / purchase stage improves the conversion rate. Additionally, it reduces the obligations under GDPR as GDPR is about the protection of personally identifiable data. Less is better and there are many simple steps, which can be taken to make sure such data is not Personally Identifiable.
There is no longer a need, for example, to retain the postal address of a customer. Why bother? Few use postal services to communicate and retaining this data would simply increase the obligation to protect it. In fact, keeping data for no good reason breaches GDPR. A processor is mandated to retain the data required to service a transaction. Nothing more. Similarly, with phone numbers, is there a need for them after the guest has departed? Perhaps for a short period, in the case of something being left behind in the room. There is no need, say, more than 30 days after departure. In addition, phone numbers (almost certainly in the case of mobile) makes the data more likely to be personally identifiable. GDPR is about the security of personally identifiable information, so we remove the personally identifiable attributes as soon as possible. Less is better.
Credit/Charge card data has long been subject to stringent control. All Brand Mix technologies, both partner and guest facing, are SSL Secured and PCI DSS Compliant. We never store or supply Credit Card CVV’s as this would be in breach of the Credit Card Merchant agreement and results serious fines. The moment a transaction is complete, we obfuscate Credit Card information. Where servers and services comply with PCI/DSS, they must comply with security of access, meeting with best technical practice, a significant part of the obligation under GDPR. When customer data is stored, it is kept safe and secure.
GDPR implemented correctly can enhance business and should be approached in with that in mind.
Build customer trust
Improve brand image and reputation
Improve data governance
Improve information security
Improve competitive advantage
Although there has been a certain degree of scare mongering to date, the objective of GDPR is to advise and improve data security. Those that consciously and deliberately abuse the data security of their customers and fail to implement corrective actions, or cease their abuse once advised or warned, can rightly expect a degree of censure. Those who do not respect customer security and confidentiality endanger online commerce and customer trust and should rightly be brought to heel.
Those that work to comply with GDPR and follow guidance or advice to improve their processes should not expect to be punished or fined. This is what the Data Protection Commissioners across Europe have stated as their objective. They wish to advise, educate and improve data security, not penalise genuine businesses working toward GDPR compliance.
Data Storage – Customer Contact Details
The Brand Mix is very much aware of the obligations to which its accommodation, catering, and retail partners must adhere gathering, storing, and using customer information. We have been consistently ahead of the evolving requirements for privacy and security in terms of the financial and personal data of the guest / purchaser.
We have long made available and recommended the use of the short form version of the room or voucher booking engine payment interface when collecting customer data. This limits the information to First Name, Last Name, Email Address, Phone Number, and Country of Residence.
We do not use customer data directly – it is not ours to use, but that of our hotel, catering and retail partners. We simply act to collect the minimum amount of information possible to support a transaction and pass that information on securely.
Credit Card Information
Booking engines and voucher engines use SSL certificates to ensure that all data transferred between the web browser and the web server is secure. This is visible to the booker via the green secure padlock in the address bar of the browser when guests are making a booking or purchasing a voucher.
The credit card details supplied during the booking process are obfuscated in accordance with PCI DSS compliance. We never store CVVs. All customer data is stored on secure servers that are PCI DSS compliant. We also store the software necessary to send email campaigns on these secure and compliant servers.
The GDPR explains how an organisation should obtain customer consent in order to use customer email addresses for marketing purposes.
“They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity”.
To ensure compliance, The Brand Mix advises hotels to enable the positive opt-in for email communication in the final stage (payment) of the booking and voucher engine. That positive opt-in explicitly obtains the consent of the customer to use their email address for future marketing communications. This will enable hotels to prove that personal data was collected in compliance with GDPR and a record will be retained showing when, why, and how the data was collected. It will also demonstrate that it was used in a manner compatible with the initial reason for collecting the data.
The options for short form and email opt-in are available for configuration in the IMC. If there are any queries, please contact The Brand Mix support.
Where a website is developed by The Brand Mix, we have contacted each website administrator regarding any data collection beyond the utilisation of the GDPR Compliant Booking Engines. In the main, this consists of newsletter opt-in and contact forms. Where data is collected, it is mandatory to ensure the positive, clear, confirmed knowledge and permission of the user to collect, hold, and utilise this data.
Where customer information is collected prior to GDPR, we would advise processors to minimise such information on a need to have basis. Should there no longer be a need to communicate with those customers, the data should be obfuscated, anonymised or deleted. Where communication is ongoing, always offer an unsubscribe.
Right to be Forgotten
A basic tenet of GDPR is the right to be forgotten. The Brand Mix will accept direction from its customers, clients, and partners at any time to anonymise, obfuscate or delete (forget) any information relating to an end user (collected via TBM Online Engines or Newsletter/Email opt-in) at the direction of the merchant (e.g. hotelier, restaurant, retailer, etc.). We commit to doing so within 14 working days of written (e-mail will suffice) instruction.
Where we are approached directly by an end user, we will commit to exercising an anonymise, obfuscate or delete (forget), no later than 30 working days of receipt of written (e-mail will suffice) instruction and will notify the merchant in the interim of the instruction received and our commitment to do so.
We inform the merchant in order to ensure there is no ongoing issues between merchant and guest where a delete would cause a difficulty. For example, to delete the information relating to a room booking where the guest has not yet arrived would make little sense and prevent the proper servicing of that booking, unless such information has already been transmitted to the safe keeping of the accommodation provider.
Why Anonymise or Obfuscate
The objective of TBM’s commitment to GDPR and the security of user information applies to ensuring information gleaned or supplied is not personally identifiable beyond a reasonable time or used for means other than that for which it is supplied. We need to know a user’s email address and name to confirm a room booking or gift voucher sale. We cannot run our services without that. That is a reasonable use of the information freely supplied. Other than in the support of those transactions, we will never communicate with a user. We act as a channel between the ultimate service provider and the guest / purchaser (user) to support the transaction. We have no other relationship with the user as they are not a TBM customer.
In committing to anonymise or obfuscate information relating to a user, we can still operate our systems, support accounting, resolve issues, and gather high level statistics. For example, we can understand that a significant number of room bookings in many markets occur immediately post the evening news. That does not mean we know anything of the individuals involved, but it does tell us it would be rather foolish to do system maintenance at that time.
TBM complies with the highest standards when collecting and using personal information. No personal information will be retained for longer than is necessary to fulfil a legitimate business need or as required by applicable law. This can mean that information resides on or transits our systems for mere seconds. Regardless of our commitment to act in a timely manner to anonymise, obfuscate or delete user information, we guarantee that if a user has not engaged with us for 3 years then we will obfuscate, anonymise or delete those personally identifiable details from our database. We reserve the right, only, to shorten this period.
For more information visit – GDPR site.