The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018 as part of new legislation designed to update and expand the Data Protection Act 1998.
Compliance with the GDPR is relatively straightforward if you are already complying with existing data protection regulations. You need to remember three main things when looking at what changes you need to make to the way you handle and use the personal details of customers when the new regulations come into effect:
- If you are already complying with the Data Protection Act, you will be complying with 80-90% of the requirements of the GDPR. The GDPR isn’t a whole new set of requirements, it simply builds on existing requirements.
- The GDPR is designed to give customers more control over the information that companies have on them. If you look at it from the perspective of what you would expect from other companies when you give them your data, you will have a fair understanding of what you should do with your customers’ data.
- Remember when looking at your storage and use of personal data, this extends beyond things like a person’s name, address, phone number and includes images and recordings (i.e., CCTV recordings), comments they have put on your website or notes that you have taken to help staff (e.g., “has a nut allergy”, “requires wheelchair access” or “reads The Times”).
Keeping these points in mind, here’s what you need to look at to make sure that you comply with the GDPR.
1. The information you take from people, and the length of time you keep it, should be determined by the purpose for which it is required
This a pre-existing requirement of the Data Protection Act but it is a good starting point for discussing the additional requirements of the GDPR. The level of information you have on someone and the length of time that you keep it must be proportionate to the legitimate purpose for which it is kept. This means that there is no blanket right for you to keep a customer’s personal information indefinitely and that you should always be reassessing what information you are keeping. This should include the regular removal of personal information where there is no justifiable reason for keeping it.
For example, CCTV footage of the car park used to help protect customers’ cars should be regularly wiped when it is no longer needed.
2. Personal data can only be used for the purpose that was agreed when the customer gave it to you
For example, if the customer gives you their email address so that you can email them confirmation of their booking, this does not allow you to send them marketing emails or pass their details to a third party to send them offers. Customers have to actively give you express consent as to how you can use their information. This means that customers have to “opt-in” rather than “opt-out”, so you can’t have a “pre-ticked” consent box on your website which says, “tick here if you don’t want to receive emails with offers”.
3. The customer has the right to withdraw consent on how their information is used at any time and the process for doing this must be simple
This means that if the customer has agreed to allow you to use their information for a particular purpose, they still have the right to demand that you stop using it for that purpose at any time.
For example, if a customer has agreed to receive marketing emails, they can, at any time, inform you that they no longer wish to receive these emails and you must stop sending them. As a rule of thumb, the process for them withdrawing consent should be as simple as the process by which they gave consent. So, if you had an opt-in button that gave consent for marketing emails, you should have an “unsubscribe” button for allowing consent to be withdrawn.
4. The customer has the right to know what information you keep on them and why you are keeping it
There are two parts to this. First, the customer has the right to ask you what personal information you are keeping on them and why you are keeping it. You are required to explain what information you hold and justify why you are holding it. Bear in mind Point 1 above – you must explain why the level of information you hold and the time that you have held it is proportionate to the purpose for which it was taken.
The second part of this is that the customer has the right to ask you to show them all the personal information that you hold on them. As mentioned above, this would include any CCTV recordings on which they appear and any notes you have attached to their booking.
5. The customer has the right to be forgotten
The principle here is that the customer retains “ownership” of their data. This means that not only can the customer demand that you stop using the data they provided, they can demand that you remove all their personal data from your records. For example, rather than just asking you not to send emails, the customer can ask you to remove their email address from your database.
6. The customer’s rights under the GDPR do not over-ride the requirements of other legislation
It is important to note that the customer’s rights under the GDPR don’t over-ride the data requirements of other legislation. For example, the Immigration (Hotel Records) Order 1972 requires you to record the full name and nationality of all guests and to keep this information for 12 months. As such, a guest cannot ask you to delete this information from your records until 12 months have elapsed. Similarly, a customer cannot ask you to delete any financial information you are required to keep for tax purposes.
For more information and help guides, go to the Information Commissioner’s Office website or call their dedicated small business helpline on 0303 123 1113.