What is lawful basis for processing?
The GDPR refers to lawful bases for the processing personal data, which are broadly similar to the conditions for processing in The Data Protection Act 1998.
Will my existing reasons for processing personal data comply with the GDPR?
In many cases, your condition and basis for processing data will be the same. However, it is considered best practice to revisit the way in which you currently process data, to make sure you apply the most appropriate lawful basis.
For some organisations within the hospitality industry, the processing of personal data will involve working with third parties or subcontractors. For example, making use of a third-party booking system. In this context it is best practice to review these arrangements to make sure all stakeholders are aware of their obligations under the new legislation.
Will the GDPR affect the way I market services to potential customers?
Whilst there are similarities with the Data Protection Act 1998, there is now a shift to clear affirmative action being taken by customers to provide unambiguous consent.
This means that pre-ticked boxes, that may have been used previously, are unlikely to comply with the requirements of the GDPR. People must now opt-in to your marketing activites, rather than opting out.
You need to be upfront and clearly present your intentions for processing personal data. Requiring individuals to go to great lengths to find your fair processing information or providing general or vague statements on what you wish do with people's data is unlikely to comply with the GDPR.
This does not have to come at the expense of having a functional user experience on your website or other marketing platforms. Please see the ICO’s guidance on Privacy Notices, Transparency and Control for more information on effectively communicating your privacy information.
I am unsure if the way my organisation currently retains data will comply with the requirements of the GDPR
As with the previous legislation, the GDPR does not outline specific retention periods for the different categories of personal data.
However, the principles of the GDPR say data needs to be adequate, relevant, and kept for no longer than is necessary for the purposes for which it is being processed.
This means, as a data controller, you will need to consider the personal information you hold, and determine if the retention period applied is appropriate.
For example, retaining guest payment information indefinitely on the off-chance there may be repeat business in the future is unlikely to comply with the requirements of the GDPR. As an organisation, you should proactively identify old, out-of-date personal data and securely remove this from your systems.
I am unsure if the security measures my organisation has in place are sufficient. What happens if we suffer a breach?
The GDPR includes provisions that promote accountability and governance. This means both the operating systems you use and the training provided to staff regarding the processing of personal data will need to be considered and, if required, updated to comply with the requirements of the GDPR.
Your organisation should be clear about the information it holds, where and how it is stored, and who the information is being shared with.
Should your organisation suffer a data breach, the GDPR requires this to be reported to the ICO within 72 hours, where possible. It is expected that action plans for both preventing and responding to data breaches are put in place by your organisation.
One of the significant ways in which an organisation can look to further safeguard personal data is to implement a Data Protection Impact Assessment (‘DPIA’). Organisations should look to implement a DPIA when processing data in way that is new or has a perceived risk to the information. For more information on DPIAs, please consider our guidance here.