If you process people’s personal data, you definitely need to comply with GDPR. Compliance with the UK’s Data Protection Act (1998) is not sufficient. Very few businesses will be unaffected by GDPR. Don’t forget you may store personal data on employees as well as customers.
In this article we look at a selection of some of the basics of GDPR regulations and will explore these in more detail in other articles.
GDPR defines personal data as anything that can be used to identify a person directly or indirectly. This includes names, photos, email addresses, bank details, posts on social networking websites and IP addresses.
GDPR defines processing of personal data as any activity you carry out using personal data. This could be as simple as requesting, storing or sharing data. Essentially, if your business comes into contact with any personal data, GDPR is likely to class this as “processing”.
GDPR makes a distinction between “Data Controllers” and “Data Processors”. A data controller determines the purposes and means of processing personal data. A data processor is responsible for processing personal data on behalf of a controller.
Serviced Accommodation operators will process personal data on guests, enquirers, landlords and possibly employees too. How you capture, store and use this data all needs to be documented.
If you are a serviced accommodation operator, you will almost certainly be a data controller in the eyes of GDPR. If you use channel manager services such as Supercontrol, Tokeet or others, then they are likely to be seen as your data processors. There may be other services you use that would also be classed as a data processor for your business. You need to look at your supplier list, decide which of them you share personal data with, and identify which of those you would class as a data processor.
After this, you need to make sure you have a processing agreement in place with each of your data processors. Some useful guidance is available on the Information Commissioner’s Office website on GDPR data processing agreements. Essentially, these are documents that detail things like the processor’s obligations and responsibilities. The agreements should also cover details such as the security of the data.
In the next article, we’ll go on to look at data mapping requirements under GDPR.