Key points about General Data Protection Regulation and system changes to Anytime Booking to help with compliancy
GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly. Here’s what every company that does business in Europe needs to know about GDPR, regardless of Brexit.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
It only applies to B2C communications, not B2B communications as its primary intent is to prevent mass spam emailing of consumers.
GDPR will apply from 25 May 2018.
There’s a wealth of information on the internet about becoming GDPR compliant for your business. Visitor the Information Commissioner’s Office website for the latest updates.
You may find the ICO’s 12 Step Guide to preparing for GDPR useful. Read here.
We recommend that you consult with a lawyer about what your business responsibilities are and what you need to do to ensure that you are fully compliant by that point and time.
Anytime Booking update has focused around marketing and specifically, email lists.
What are the key changes to make in practice?
Anyone holding customer (guest) data will need to review how they gain consent to make sure they meet the GDPR requirements: on being specific meaning, granular, clear meaning, prominent, opt- in, documented and easily withdrawn. The key new points are as follows:
Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).
Granular: give granular options to consent separately to different types of processing wherever appropriate.
Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
Here are some of the changes we’ve made.
This system change is focused around helping your guest consent to email marketing outside of the standard booking emails. Here’s a summary of the change:-
The customer-facing booking form
Once your customer has registered or logged in, there will be an additional area for Contact Permission. We have kept the wording very generic to help everyone.
You can formulate your own message in the Contact Permission area of the booking form, notifying your guest of the kind of additional communication you are likely to make. Go to Setup > Documentation > Terms and Conditions > Contact Permission. Only when there is text in this field, will the ‘Read More’ button appear live, see above.
The Customer Login area
When your customer next logs in to pay their balance, or simply view their details, a notification will appear asking the same question about whether they would like to opt in or out of your marketing emails. This will only appear if they haven’t yet updated Contact Permission. This is designed to help gather your guests contact permission ahead of the GDPR update on 25th May 2018.
Syncing to Email Marketing
If you are using our email marketing module, this information is automatically updated for you. Within your Anytime Booking Master List you’ll notice a new Custom Field called ‘GDPR compliant’, so you can start to send non-booking related information to them.
Using our email marketing takes the hard work out of emailing your customers; you can easily email a segment of your customer database quickly, like everyone who is GDPR compliant and brought a dog during August last year. Cool stuff really.
Read more about our email marketing module here.
Tell us if you would like to start using Anytime’s email marketing feature.
Exporting your Customer Records
If you are using an email marketing platform elsewhere, you can export your Customer Records as a .CSV file and you’ll notice an additional column for GDPR compliant = Y or N. You can filter and sort before sending a campaign.
The columns you’ll see in the .CSV file.
What happens when your guest makes contact and exercises the right to be forgotten?
GDPR is helping everyone to think about how their information is stored and who has access to it. They might make contact by phone to request that you unsubscribe them from future communications or have their contact details deleted.
You can easily unsubscribe this person within the email marketing module and/or remove the email address from the Customer Record.
If you delete the Customer Record completely from within your Anytime Booking account, you are permanently deleting the record and any historical bookings associated with this customer. This action does not affect your cash list and booking reports for tracking financials. The name fields will just be empty.
Anytime Booking and our commitment to Security and Data Protection
As a third-party service provider and booking management solution to you, we have long had a commitment to security and data protection. Our internal processes, both for the development of our system and every other aspect of the business, are all focused on keeping our customers’ data safe and secure.
Our databases are held within a London data centre and are ISO9001:2008, ISO27001, and SSAE16 / ISAE 3402 certified.