New Data Protection Regulations

sparkJS
Posts: 58
Joined: Sun Nov 27, 2016 3:43 pm
Location: North Cornwall

Post by sparkJS »

Please don't think that because we are tiny businesses that no one will be interested. Your guests are 'data subjects' and have the right to protection. They are likely to be the first people to make your life difficult if you don't look like you are complying.

However the old Data Protection Act covers about 90% of what you are required to do.
MG
GillianF
Posts: 826
Joined: Mon Aug 20, 2012 12:06 pm
Location: Dordogne

Post by GillianF »

'We' don't seem to be any nearer knowing what to write on our booking forms, in our Ts&Cs to comply with the requirements of the new law. Nor, how we store the information, how long we keep it, what we do with it etc. etc.
sparkJS
Posts: 58
Joined: Sun Nov 27, 2016 3:43 pm
Location: North Cornwall

Post by sparkJS »

Do you use guests' personal info for marketing purposes? If so then make some opt-ins for them to tick to get their consent to do this.

On your booking form, refer them to your privacy policy which explains exactly what you do or may do with their data. My agency has updated theirs on their website and I don't see any reason why you should not base yours on one like this.
MG
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

sparkJS wrote: the old Data Protection Act covers about 90% of what you are required to do.
That’s a very good point. The key difference with GDPR seems to be the requirement to document, and the need to indicate our “lawful basis for processing” which seems to me(?) to be “Contract” (plus “Consent” if we use mailing lists).

I found a reference on the ICO website to some earlier stuff on DPA which included the below checklist; rather than just read through and think “yup” to the relevant bits for us, it’s now more a case of answering the questions fully with how and why and using that as a part of producing the Privacy Statement.
This short checklist will help you comply with the Data Protection Act (the Act). Being able to answer ‘yes’ to every question does not guarantee compliance, but it should mean that you are heading in the right direction. At the end is a list of guidance on particular areas where you may need more help as well as telephone helpline numbers.
Do I really need this information about an individual? Do I know what I’m going to use it for?
Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
Am I sure the personal information is accurate and up to date?
Do I delete/destroy personal information as soon as I have no more need for it?
Is access to personal information limited only to those with a strict need to know?
If I want to put staff details on our website have I consulted with them about this?
If I use CCTV, is it covered by the Act? If so, am I displaying notices telling people why I have CCTV? Are the cameras in the right place, or do they intrude on anyone’s privacy?
If I want to monitor staff, for example by checking their use of email, have I told them about this and explained why?
Have I trained my staff in their duties and responsibilities under the Act, and are they putting them into practice?
If I’m asked to pass on personal information, am I and my staff clear when the Act allows me to do so?
Would I know what to do if one of my employees or individual customers asks for a copy of information I hold about them?
Do I have a policy for dealing with data protection issues? Do I need to notify the Information Commissioner?
If I have already notified, is my notification up to date, or does it need removing or amending?
If you need any more information about this or any other aspect of data protection, please Contact us: see our website www.ico.org.uk
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

One snippet I’ve been digging into - How Long do we keep Your Data?

There’s a legal requirement to keep data needed for tax/accounting/audit purposes for 6 years (maybe 7 if you’re VAT registered?) so data collected for a confirmed booking will be kept for 6 years; for data collected from eg a failed enquiry or anything else with no resulting transaction, I don’t see that we can justify keeping it for that length of time, so X months (12? 24? What?)
For data that’s part of an approved mailing list, presumably it’s justifiable to keep that until such time as a guest opts out (either using the clear “Opt out” box required on your website, or by using the “unsubscribe” required on every mailshot).

So the answer to “How Long do we keep Your Data?” would be a readable summary of that lot.

This does, of course, give rise to the question of how to sort and bulk delete data that’s beyond its use-by... Although we’ve already been doing that to meet our responsibilities under the DPA, haven’t we? ;-)

One down... maybe.
Zingara
Posts: 618
Joined: Tue Apr 09, 2013 8:36 am
Location: Antibes, PACA

Post by Zingara »

Fair processing notice: this explains to your renter what / why / how you collect / store their data.

I have a template from the NLA, much of which can be deleted when considering a short-term holiday rental. It does, however, go through all the details that you are required to give your 'tenant' (Data controller, registration no. etc etc). I would think a proforma would only run to a side of A4 and could be sent out with each agreement / uploaded to the documents section of HA / OD.

I probably won't be doing any 'holiday' rentals this year, but I'm happy to forward the proforma by pm if someone would like to have a look?
Joanna
Posts: 1091
Joined: Thu Aug 23, 2007 3:12 pm
Location: Chester, North West England & Sidmouth, East Devon

Post by Joanna »

Having trawled through the ICO info and various other sources I came up with this:
https://chandlerscottage.co.uk/privacy-policy/

Any feedback would be much appreciated. Feel free to adapt it if you find it useful but please, please, please don't just copy and paste - Google does not like duplicated content and both our sites could be penalised!

On the enquiry form we have this "We only use your email address to answer your enquiry and not for any future marketing. See our privacy policy for more details."

We also have opt-in boxes for our mailing list with a note that specifies what we're going to send.

When we signed up with MailChimp I went through and made sure everyone on our list had actively opted in. That left us with a tiny list but we get a high 'open' rate - often over 50%. Building the list is painfully slow and GDPR doesn't help. On the plus side I suppose it's making us think about how to encourage people to join and stay on our lists which is probably good for marketing.

As for keeping data, as I understand it, if someone enquires and doesn't book then we have to delete their contact info immediately - under GDPR we have no right to keep it beyond dealing with their original enquiry.

I think MailChimp ask us to check our list every 6 months and there's an implication that if people haven't opened one of our emails in 6 months we should ask them to re-opt-in or remove them.

Interestingly MailChimp doesn't have a delete option for the email addresses of people who've unsubscribed. I suppose that protects us from accidentally adding them back into the list later on but does keeping the address also break GDPR rules?

That's just reminded me that I need to add to my privacy statement that we share email addresses with MailChimp. We used to say we'd never pass details on to anyone else but the reality is that we move data around a lot - PIMS, MailChimp, Wave, Stripe, Dropbox, etc.

Mostly I think we comply with GDPR but deleting old data is an issue - I have years of backups and it would be a mammoth task to go through and sift out the old customer details to delete them without deleting the accounting info that has to be kept 6 years and so on.

I'm hoping that at the end of the day if we look like we're taking privacy seriously that will help reassure potential guests that we're professional and responsible owners. It may be another opportunity to differentiate us from more casual holiday lets. There has to be an upside, right??
Jo

Joint owner of Baker's Cottage in Chester & Chandler's Cottage in Sidmouth
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton

Post by newtimber »

Joanna wrote: Having trawled through the ICO info and various other sources I came up with this:
https://chandlerscottage.co.uk/privacy-policy/

Any feedback would be much appreciated.
It's clear and I like it but it is missing a few things required under GDPR, like how long you're storing the data for, the right to lodge a complaint with the ICO, the purposes of the processing... https://ico.org.uk/for-organisations/gu ... egulation/
Drax
Posts: 185
Joined: Thu Jul 21, 2016 4:36 pm
Location: Yorkshire Dales

Post by Drax »

There is some useful information with regard to Data Protection on the Visit Britain site under the heading 'Legislation for Tourist Accommodation'.
It would appear that I am failing on several points with regard to this legislation, including the following:
* I have not notified the Information Commissioner's Office (ICO).
* Currently I have not informed my guests of all of the requirements of Data Protection and their rights.
* I do not record the nationality of my guests. (This could be a delicate matter for some people who may be immigrants. Do I ask them for their nationality if they have a foreign accent or look 'foreign'?)
Also it would seem the Guests' Comments book will have to have the guests' names and addresses deleted in order to comply with this legislation.
I will have to get 'cracking' to address these issues.
Keep your powder dry.
Joanna
Posts: 1091
Joined: Thu Aug 23, 2007 3:12 pm
Location: Chester, North West England & Sidmouth, East Devon

Post by Joanna »

Thanks Newtimber. Good point about the retention schedules, I'll add them in and also the right to lodge a complaint. A link to the ICO would be relevant there too.

I thought I'd covered the purpose of processing with phrases like 'improve site performance', 'in order to respond' and 'process and manage your booking'. Do I need to be more specific?
Jo

Joint owner of Baker's Cottage in Chester & Chandler's Cottage in Sidmouth
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton

Post by newtimber »

Joanna wrote: I thought I'd covered the purpose of processing with phrases like 'improve site performance', 'in order to respond' and 'process and manage your booking'. Do I need to be more specific?
According to the link I posted, you have to say the
Purpose of the processing and the legal basis for the processing
I think somewhere the legal basis is defined.
Joanna
Posts: 1091
Joined: Thu Aug 23, 2007 3:12 pm
Location: Chester, North West England & Sidmouth, East Devon

Post by Joanna »

I found the definition (they don't make it easy do they?). There's a list of possible lawful purposes and I think the ones that apply to us are mainly 'consent' and 'contract'.

This seems to have the pertinent info on it - check the 'More information' boxes to get the definitions.

https://ico.org.uk/for-organisations/re ... checklist/
Jo

Joint owner of Baker's Cottage in Chester & Chandler's Cottage in Sidmouth
Emmy
Posts: 77
Joined: Sat Feb 06, 2016 10:01 am
Location: Charente

Post by Emmy »

Yesterday I posted a question on "Personal Websites" about a WordPress Cookie Widget but I'm now wondering if it should be posted on here instead... My question:

I wondered if anyone could please recommend a simple WordPress widget for cookies, please? Ready for this new legislation. My Promote My Place website has one built in, but my Sewing Holidays website doesn't and instead of just downloading one and hoping for the best, I thought I'd ask on here.

I'd be interested to hear which you use and grateful for any suggestions as to which I should install.
Last edited by Emmy on Tue May 08, 2018 6:49 pm, edited 1 time in total.
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

Joanna wrote: As for keeping data, as I understand it, if someone enquires and doesn't book then we have to delete their contact info immediately - under GDPR we have no right to keep it beyond dealing with their original enquiry.
AIUI (usual disclaimer!) keeping the data for analysis as an aid to eg deciding where to spend on marketing is fine and would come under the “Legitimate Interest” heading (qv). From a practical housekeeping standpoint that might make life easier. Again, the time for which the data is kept would have to be specified.
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton

Post by newtimber »

Joanna wrote: I found the definition (they don't make it easy do they?). There's a list of possible lawful purposes and I think the ones that apply to us are mainly 'consent' and 'contract'.

This seems to have the pertinent info on it - check the 'More information' boxes to get the definitions.

https://ico.org.uk/for-organisations/re ... checklist/
Unless you have asked them to give their consent and agreed to it, I don't think consent is right. I think in as far as responding to enquiries, it's legitimate interest, consent for the marketing and contract when they book??