What B&Bs need to know about GDPR
GDPR and what it means for B&Bs
There’s a been a bit of discussion on the Facebook Group for B&B Academy Alumni about the GDPR which comes into force on 25th May 2018. I’ve done a bit of research and put together this blog post on how I see it applying to B&Bs.
I’m not a legal expert or an expert on the GDPR, but this is my interpretation of how it applies to B&Bs. There’s lots of useful information out there and I’ll refer to useful documents throughout this post. However, I’ve personally found some of the information can be a bit overwhelming and it’s not all necessarily applicable to a very small business.
Thank you to Kaye King of Quercus marketing who has put this slide share together and helped me with this blog post. Also thank you to everyone on the Facebook Group for past course attendees who has asked questions and joined in with the discussion
What is GDPR?
On the 25th May 2018, the General Data Protection Regulations comes into force. These regulations replace the DPA, Data Protection Act and are there to regulate the way you collect, handle and store personal data. Note that they apply to personal data on staff as well as customers. It covers organisations within the EU but also organisations outside of the EU if they store process data on EU citizens. At the moment the UK is still in the EU so that includes all UK citizens. Even post Brexit it’s the UK government has indicated it will implement the same or similar legislation.
It covers ALL data that you hold that could identify someone as individual, whether it’s held electronically or on paper.
Most of the GDPR is similar to the DPA. It’s just a tightening up of the regulations. But there are some changes you need to be aware of. I’ve covered these towards the end of this post.
ICO stands for Information Commisioner’s Office. For all you ever needed to know on GDPR their website is here
Storing Customer Data
You should store all personal data securely, never emailing it to anyone or putting it onto a data stick. If you store the data on a spreadsheet, then this should be password protected.
Sending emails to customers
Probably the way this impacts B&Bs the most is how you use customer emails to communicate with them and whether you need their express consent to do so.
Do you always need to get consent to communicate or store customer data?
You don’t always need consent. If there is another lawful basis for you using your guests’ data then you don’t need additional consent.
You require the guests’ email address as part of the booking process. You can use this email address to send through a confirmation email before staying ( e.g. with details of their stay, directions, terms and conditions and any other information they might need ) and a follow up email after they’ve stayed ( e.g. thank you for staying with us, please leave feedback here, if you want to stay in contact with us – here’s how etc ). You don’t need consent to do this.
What you can’t do is add your guest’s email address to your distribution list and then send them marketing emails without their explicit consent.
Consent must be freely given. So conditional consent it no longer legal. An example of conditional consent would be only allowing guests to sign into your free WiFi if they give you an email address. Then within the terms and conditions you ask them to accept, it says that by accepting the terms and conditions they have agreed that you can use their email address for marketing purposes,
I’ve also seen B&Bs put the consent in their general terms and conditions. So the guest has to agree to the T&Cs before booking and this means they’ve agreed to be included on a distribution list for marketing. Having T&Cs they have to agree to is fine, but including the automatic opt in to the distribution list as part of them is NOT acceptable.
Consent has to be prominent, concise, separate from other terms and conditions and easy to understand. You need to make it very clear how you will use the data.
If you’re asking if people would like to sign up for your newsletter on your website or on a guest registration form, make sure you have consent wording next to the sign up box ( thanks Kaye for the wording )
Please note that the box must not be pre ticked. Guests MUST opt in.
Example of email opt in consent wording
“We occasionally send out information by email with news about the B&B, special offers and news about local events. If you would like to receive these emails please tick this box. We will keep your personal data secure and won’t pass it on to anyone else.
Yes please send me information by email”
Note that I refer to Mailchimp in this blog post. I’m using them as an example because they’re the email sending software I use. There are obviously other providers out there so if you use one these please refer to them.
You must keep written records of how and when someone has given you their permission to use their personal data.
On the course I always recommend that people use newsletter sending software, such as Mailchimp, to collect customer’s email addresses and to send emails.
Mailchimp collects the email address, timestamp and the IP address of everyone who signs up. If you sign everyone up via your newsletter sending software, you have these records kept up to date for you.
It must also be easy for people to unsubscribe from your distribution list. By using software, such as Mailchimp, this automatically includes the unsubscribe or changes preferences information in every email you send.
Double Opt In
Double opt in is a process used by companies, such as Mailchimp, to verify the email address of the person who has signed up for your newsletter. If you’re using double opt in then, after subscribing to your newsletter, the customer will receive an email with a link to the Mailchimp website asking them to confirm their email address
Double Opt In isn’t a legal requirement but it’s an extra measure to ensure the email address is correct.
Do I need to get consent again from people who are already on my distribution list?
You are not legally required to get consent again from people who are already on your distribution list, provided they gave their express consent to add their email to the distribution list, they knew how that email would be used and you have a record of how and when they signed up.
This is probably going to be more of an issue for those of you that have bought an existing B&B and taken over a distribution list from the previous owners, or have been running a B&B forever like me.
The problem I have is that, whilst I’ve always asked people to opt in to my mailing lists, either on a guest registration form, or my old website or, for the last few years, Mailchimp, I don’t have records for the older pre Mailchimp data. So I will be sending an email to my distribution lists asking them to join a new mailing list.
Yes, this will inevitably mean a reduction in the size of my mailing lists. But if they’re not interested enough to sign up again then they’re probably not interested in what I’m selling.
You don’t need consent to contact people on social media such as Twitter, Facebook, Instagram etc because the user has already accepted the terms and conditions of the platform.
What you can’t do is connect with them on social media, then get their email address and add it to your distribution list without their explicit consent. You’d be surprised at the number of email newsletters I receive just because I’ve started following someone on Twitter.
This is taken directly from Kaye’s document.
- You must be very clear about what you will do with the customer data you collect. The way to do this is to write a Privacy Notice for your business.
- The privacy notice tells people what personal data you hold and where it is stored, how long you will hold it for and how you plan to use it
- Although not legally required it’s a good idea to display the policy on your website since you have to have one anyway and it reassures people you are looking after their data
- The ICO has good and bad examples of privacy notices here and consent wording so you don’t have to create one from scratch.
Privacy Notice Example for a B&B
Please feel free to copy, paste and update as required. Note that this was written by me ( Karen ) and is my interpretation of the GDPR guidelines and, as I mentioned in the disclaimer, I’m not a legal or GDPR expert!
This Privacy Notice explains how we at a Hopton House Bed and Breakfast use any personal information we collect about you.
What information we we collect about you
When you make a booking with us we collect the names of all the guests who will be staying, the Home address, email address and telephone number of the person making the booking. We also collect a debit or credit card number to take the deposit equal to the first night of your stay.
How we use the information we hold on you
We use your home address as part of the card payment processing to validate the card.
We will use your email address to send you confirmation of the booking and an email with more details on how to find us and other information you may find useful for your stay.
After your stay you will receive an automatic email from our booking system asking you to fill in a feedback form. We also send you an additional email checking everything was ok with your stay and offering you ways to stay in contact with us by social media or email if you choose to do so.
We will not use your telephone number to contact you unless it for an emergency and/or we have been unable to contact you by email.
How is your data stored
All of the personal and debit/credit card data you supply us, as part of the booking process, is stored securely on a third party system, Freetobook.
Neither we nor Freetobook will share your information with any third party unless there is a legal reason for doing so.
We would like to stay in touch with you to send information about the B&B, any special offers we may have or local events. We send occasional emails ( normally no more than one a month ) to people on our distribution list. The distribution list is managed by a secure third party, Mailchimp.
If you would like to receive these newsletters please click here
you may change your preferences or unsubscribe via Mailchimp at any time.
Neither we nor Mailchimp will pass your details onto any third party
We are required by law to collect the following information on all our guests. We do this by asking you to complete a registration form on arrival.
For commonwealth guests;
- Name and nationality
For non commonwealth guests;
- Name, nationality, passport number, address of next destination
We will keep these forms safely in a locked filing cabinet. We are required to keep these registration forms for a year and show them to a police officer if they request to see them. We will destroy these forms 12 months after your stay.
Access to your information
You have the right to request a copy of the information we hold about you. If you would like a copy of this information please email us at firstname.lastname@example.org
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
You can set your browser not to accept cookies. See www.aboutcookies.org for more information.
WiFi Surveillance Cameras
We have 3 WiFi cameras on the outside of the B&B. One looks down the drive at the main gate, the other looks over the car par towards the front door of the main house and the 3rd looks out over our garden and paddock. None of the cameras are pointed at the guest bedrooms , door or windows.
We use these cameras for the security of our property, ourselves, our animals, our guests and our guests.’ property.
The data is recorded securely online and is only kept for 10 days.
The only people to have access to this data are B&B owners, Robert and Karen Thorne. The data can only be accessed via an app on our smartphones, both of which are password protected.
END OF EXAMPLE PRIVACY NOTICE
Right to be forgotten
This is one of the main changes between the DPA and the GDPR. A customer has the right to ask you to remove their details from your systems. And if they’ve given their permission to pass data onto a 3rd party, you must also stop doing this.
However the Right to be Forgotten doesn’t override any legislative requirement. So, as an example, you are required to register all guests who come to stay at your B&B and keep this data for a year. ( This is all in the Pink Book, but as a reminder, If the guests are from a Commonwealth country you just need their name and nationality. If they are non commonwealth you also need their passport number and next destination address )
You are also required to keep financial records for 7 years, so the guests can’t asked to erased from these financial records.
The information in quotes below is taken directly from the VisitBritain Pink Book Website
“Right to Access
The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts – first, on request from the customer, you are required to inform them if personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person electronically and free of charge. This includes any information you have made on the person’s file so if you have added notes such as, “likes the Sunday Times”, “owns a Spaniel called Arthur” or “never leaves a tip”, you also need to provide this information.
Notification of Data Breaches
The GDPR will require you to notify the Information Commissioner’s’ Office within 72 hours of first having become aware of the breach where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, you are required to notify the customers “without undue delay” after first becoming aware of a data breach.
It is worth thinking about the impact of these changes on your business now to schedule any amendments that you need to make into your website maintenance and company policy manual update programmes.
Guidance and more information on GDPR can be found on the Information Commissioner’s’ Office website. “
If anyone asks for their data to be deleted or to see the data you hold you must do so within one month and free of charge.
This isn’t new to the GDPR but how you use, handle and store data viewed or recorded by surveillance equipment, such as CCTV is covered by the DPA.
What is new is that guests now potentially have the right to request to see this data and for it to be deleted.
There’s a 12 point guide issued by the home office on best practise.
- 1.Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
- 2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
- 3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
- 4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
- 5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
- 6. No more images and information should be stored other than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
- 7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
- 8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
- 9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
- 10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
- 11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
- 12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
Suggested GDPR B&B Checklist
- Do an audit and document all the ways you collect, store and use customer data
- Identify any actions you need to take to make data more secure, such as keeping paperwork locked away securely and password protecting spreadsheets and computers
- Identify all the 3rd party systems ( e.g. your booking system ) you use in your business and check that they are GDPR compliant
- Review your email distribution lists. If you don’t already used software like mailchimp then sign up for them ( this really is the best way of keeping track of how and when people sign up ). Ask your newsletter subscribers to re subscribe of necessary.
- Write a Privacy Notice and add it to the terms and conditions on your website
- Check your terms and conditions and remove any wording that doesn’t comply with the GDPR ( e.g. by accepting these terms and conditions you are agreeing to receive regular newsletters from us )
- Update your website so if you’re already asking people to sign up for your newsletter, ensure that the wording is clear ( see example above )