The General Data Protection Regulation (the “GDPR”) goes into effect on May 25, 2018. The regulation replaces the patchwork of national privacy laws currently in effect around Europe with a single set of rules. Its purpose is to keep people in control of their personal information, and HelloShift agrees with this principle. We are not in the business of selling customer data or using it for anything other than helping hotels delight their guests. The GDPR requires companies to take security and privacy seriously and to be transparent about how data is stored, moved, and processed. Companies must allow data subjects to control their data, and people in the EU can ask for their data to be corrected, deleted, or exported. Companies must keep records of how they process personal information and enforce policies to protect it. Organizations whose core activities involve large-scale or systematic processing must appoint an independent Data Protection Officer who monitors how data is processed and protected. Like the laws currently in effect, the GDPR defines when it is permissible for companies to move personal data out of the EU.
The HelloShift system can collect the following kinds of information:
The GDPR gives additional protection to “special categories” of personal data, such as racial or ethnic origin, health, sexual orientation, and religious beliefs. HelloShift is not designed for hoteliers to collect or store this kind of information, and we recommend that your staff do not enter it into free-text fields.
The data collected is kept in a secure data centre with up-to-date physical and technical protections, including locked doors, badge-controlled entry, CCTV, and access restricted to authorized personnel.
More importantly, the data we collect must also be protected by your staff. Human error is one of the most common causes of data breaches, and training around privacy and security helps your staff prevent data leakage. For example, staff should use strong, unique passwords and should not share accounts, and they should never leave screens showing one guest’s information where another guest can see them.
Since hoteliers decide what data they collect, for what purpose, and have the direct relationship with the guest, hotels are data controllers under the GDPR. HelloShift is a data processor: we may process guest data only on your documented instructions, and you control what those instructions are. When you use HelloShift, your guests’ data is processed securely and in line with the GDPR’s requirements for processors.
As the data controller, you have the right to know which third parties HelloShift shares guest data with, and we can only share data at your direction. You also have the right to know exactly when HelloShift processes your guests’ personal data and what we do with it.
In the unlikely event of a breach of our storage systems affecting your guests’ data, HelloShift will notify you within 72 hours of becoming aware of it, and we will assist you in determining your own notification obligations. Note that the GDPR gives you, as the controller, 72 hours from becoming aware of a breach to notify the supervisory authority where required, so please make sure your incident contact details with us are current.
The GDPR gives people the right to have their data corrected, erased, or exported, and these requests must normally be fulfilled within one month. When you receive a request, it is critical that you forward it to all of your data processors, including HelloShift, as soon as possible. HelloShift is committed to completing data requests within 25 days, giving you time to include our response within the one-month period.
You should be transparent with guests about the data processors you work with, but the GDPR does not require you to obtain explicit consent for the use of HelloShift. Any time you collect personal data you must have a lawful basis to do so. Consent is one such basis; performance of a contract is another, separate one. Since you have a contract with your guest, you can collect and process the data needed to perform that contract. HelloShift provides the means for you to follow through on these contractual commitments, and processing on this basis does not require the guest’s consent. Processing that goes beyond what the contract requires, such as marketing, needs its own lawful basis.
We cannot give you legal advice, and ultimately you are responsible for your own compliance with all applicable laws. The information here is our best effort to help you understand the GDPR and its impact on hospitality.