The General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR) will become law within the European Union with effect from 18 May 2018.

The Data Protection Commissioner has stated the following on their website: “GDPR very significantly increases the obligations and responsibilities for organisations and businesses in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations and businesses to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities.”

The implementation of GDPR addresses the storage of customer data. Our position has always been that you should only store information that is relevant, and only retain it for as long as it is useful to you. This also improves your bottom line, as less form filling at the booking stage improves your conversion rate. There is no longer any need to retain the addresses of customers.

All Brand Mix technologies, both partner and guest facing, are SSL Secured and PCI DSS Compliant. We have never stored or supplied Credit Card CVVs as this is in breach of your Credit Card Merchant agreement and entails serious fines.

GDPR implemented correctly can enhance your business and should be approached in that spirit.

  • Build customer trust
  • Improve brand image and reputation
  • Improve data governance
  • Improve information security
  • Improve competitive advantage


Although there has been a certain degree of scaremongering to date, the objective of GDPR is to advise and improve data security. Those that consciously and deliberately abuse the data security of their customers and fail to implement corrective actions, or cease their abuse, once they have been advised or warned, can rightly expect a degree of censure. Such actions endanger online commerce and all customer trust and should rightly be brought to heel. Those that work to comply with GDPR and follow guidance or advice to improve their processes should not expect to be punished or fined. This is what the Data Protection Commissioners across Europe have stated as their objective. They wish to advise, educate and improve data security, not penalise genuine businesses working toward GDPR compliance.

Data Storage – Customer Contact Details

The Brand Mix is very much aware of the new obligations that hotels must adhere to when gathering, storing and using customer information. We have also been consistently ahead of the growing requirements for privacy and security in terms of the financial personal data of the guest / purchaser.

We have now implemented the short form version on your booking engine payment form for collecting customer data. This restricts the information to Title, First Name, Last Name, Email Address, Phone Number, and Country of Residence.

Credit Card Information

The Brand Mix booking engine and voucher engine use SSL certificates to ensure that all data transferred between the web browser and the web server is secure. This is visible to the booker via the green secure padlock in the address bar of the browser when guests are making a booking.

All credit card details supplied during the booking process are obfuscated in accordance with PCI DSS compliance. All customer data is stored on secure servers that are PCI DSS compliant. We also store the software necessary to send email campaigns on these secure and compliant servers.

Customer Consent

The GDPR explains how an organisation should obtain customer consent in order to use customer email addresses for marketing purposes.

“They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity”.

To ensure compliance, The Brand Mix is advising hotels to enable the positive opt-in for email communication in the final stage (payment) of the booking and voucher engine, which explicitly obtains the consent of the customer to use their email address for future marketing communications. This will enable hotels to prove that personal data was collected in compliance with GDPR, and a record will be retained showing when, why and how the data was collected. It will also show that it was used in a manner that is compatible with the initial reason for collecting the data.

The options for short form and email opt-in are available for configuration in the IMC. If you have any queries, please contact The Brand Mix.

Where your website is developed by The Brand Mix, we will be in contact regarding any data collection beyond the utilisation of the GDPR Compliant Brand Mix Booking Engines. Where you collect data, you must ensure that you have the positive confirmed knowledge and permission to collect, hold and utilise this data.

Where you have collected customer information prior to GDPR, we would advise you to minimise such information to what you need to have. Should you no longer need to communicate with those customers, then you should obfuscate that data. Where you do communicate using such information, you should always offer an unsubscribe option. Basically, a customer has the right to be forgotten.

For more information visit – GDPR site.



