Going into effect next Friday (May 25th), the European Union’s new data privacy law GDPR is helping to codify consumer privacy and data protection rules. Even if you have not explicitly heard the name “GDPR,” you have probably seen some of the fallout of this rule, as companies email out updated privacy polices.
Although you are not based in the European Union, these new rules likely impact your business. As a result, it is good to have an understanding of the impacts and what you may be required to do as a result of the rules.
GDPR rules apply to any business that collects information about citizens of the European Union. If you have any EU guests reserving online or providing personal information when inquiring, reserving or registering, these rules govern such data collection and use. But even for non-EU guests, the ideas and rules set out in GDPR are designed to codify privacy and security best practices. Such practices are a good roadmap for all customer interactions; adopting and applying these practices will help gain consumer trust and ensure that personal information is carefully managed. And as other regions adopt similar privacy safeguards (California has a ballot initiative that will be voted on this Fall), the GDPR launch provides a good opportunity to review your policies and practices.
Broadly, GDPR requires that companies:
- understand how and where personal information is collected and stored
- develop explicit data governance policies about how they manage such data
- have clear privacy policies that enumerate data collection, retention and related policies
- ensure that guests provide unambiguous, granular consent for data collection
- maintain technological best practices for data transmission and storage
- be prepared to share collected data, discontinue data collection, and/or expunge data on a person at her/his request.
A full list of requirements should come from a more authoritative source, but these are the basics. To learn more about some of the specific details, the UK Information Commissioner’s Office has a good outline of twelve steps to prepare for GDPR.
And there is nuance to the above requirements as well. For example, MailChimp explains that pre-checked boxes do not count as consent. There blog post has other best practices for helping ensure that your email mailing list is compliant with these requirements.
Most of the rules and requirements are about company policy and governance, and so require outfitters to be careful andĀ conscientiousĀ in how they collect and use personally identifiable information. But the rules also touch on a number of technological details.
Already, Arctic Reservations is designed to store information in a way that secures personal details, limits unauthorized use and defends against data breaches. For example, the software implements encryption and security best practices, access is controlled and logged, and security tools such as user permissions and two factor authentication are available to manage user roles.
We have begun rolling out updates to further assist with GDPR compliance. These updates will effect two areas in the software:
Customer records. GDPR ensures that individuals can request a copy of all personal information that exists, and can request that such information be deleted. A new option has been added when deleting a customer record to fully expunge data. This will remove all data regarding the customer, including even their name. Note that such an option should be applied with caution (especially with previous guests, as some information retention may be required for liability and insurance purposes); as a result, this option is only available to administrators.
Checkout and inquiry forms. The checkout form has been updated to explicitly reference agreement with the privacy policy, in addition to the payment terms and cancellation policy. Similarly, text has been added to other online forms including inquiries and registration. We recommend that outfitters add their privacy policy URL to Arctic, in the general section of the settings page.
Finally, it is worth reiterating the details of Arctic’s privacy policy. We do collect basic information on outfitters to ensure that we can provide service, issue invoices, etc. In addition, we aggregate anonymized usage information and statistics across all installations. This information helps us understand how features are used and prioritize future feature development. But we ensure that such information contains no personally identifiable information on your guests. Today, we updated our privacy policy to clarify these protections.
