Data Protection Act 1998 and GDPR Act 2018
- All serviced and self-catering accommodation premises must keep a record of all guests over the age of 16. The record should include their full name and nationality.
- We must keep each guest’s details for at least 12 months.
To comply with the Immigration (Hotel Records) Order 1972 we need to collect the following information from guests on their arrival:
For all guests who are not British, Irish or from the Commonwealth:
- passport number and place of issue (or other document which shows their identity and nationality)
- details of their next destination (including the address, if known) on or before departure.
Clayhanger Guest House exemptions: we do not need to notify the Information Commissioner if we are only holding personal data for one or more of the following core business purposes:
- advertising, marketing and public relations, provided that:
  - we hold only the data necessary, on the people necessary, for us to do our own advertising
  - we do not disclose the information to any third party not involved with our advertising without the consent of the person whose data it is
  - we only keep the personal information as long as it is necessary to do the advertising
- staff administration (subject to similar conditions as advertising)
- accounts and financial records (subject to similar conditions as advertising).
Normally if you are going to hold information on a guest for any purpose other than handling the booking, such as later marketing, you need to obtain consent.
The Act does not specify what form this consent has to be in; it may be an informal, spoken ‘yes’, but you should give guests enough information for them to make an informed decision (e.g., what personal information you intend to hold and why).
Guests can give their consent on booking, when they check in or when they check out. You should keep all consents on record.
You may want to produce a simple form that can be used by telephone, by email or in writing, which:
- explains to guests the personal information on them that you want to hold and why
- asks guests for their consent
- has a space to record whether or not consent was given.
Clayhanger Guest House has a Data Protection/GDPR consent form that guests are asked to sign on arrival.
Data Protection Act 1998:
- Right of access: individuals have a right to know what information on them you are holding and why you are holding it, although you are allowed to charge up to £10 to provide the person with this information. If you receive a written request from an individual for this information (with any relevant fee), you must respond within 40 days stating:
  - whether you hold any personal data on them
  - what the data is, the reason you are holding it and those to whom it has been or may be disclosed, along with an intelligible copy of the information and details of the manner in which it was collected.
- Right to prevent processing for the purposes of direct marketing: if you receive a written request from an individual to cease using the personal data you hold on them for direct marketing, you must do so.
- Right to prevent processing likely to cause damage or distress: if you receive a written request from an individual to cease using the personal data you hold on them, because it is causing or likely to cause substantial damage or distress to them or another, you must do so.
The General Data Protection Regulation (GDPR):
- The General Data Protection Regulation (GDPR) comes into force on 25th May 2018, replacing the Data Protection Act (DPA).
- Generally, the requirements of the GDPR are much the same as the requirements of the DPA. This means that if you are complying with the DPA at the moment, then you probably do not need to change your current system of collecting, handling and storing customer data. You will need to concentrate on the additional requirements and modify your system accordingly.
- The main changes are:
- The Right to be Forgotten
  - This is the main change. A customer can, at any time, request that you remove all their personal data from your system. If the customer has previously agreed that you could provide their data to a third party, you must also stop doing this if you receive a Right to be Forgotten request. However, it is important to note that any Right to be Forgotten request does not override requirements to hold information under other legislation. For example, you are required by law to keep financial records for seven years, therefore a customer cannot request that you delete records of any financial transactions they undertook in the last seven years.
Clayhanger Guest House will exercise your right to be forgotten if it is no longer a legal requirement for us to retain any data on you. You may request this in writing and we will write back to you to confirm your data deletion or the need to keep it under law.
- Improving Consent and Withdrawal of Consent
  - The conditions for consent have been strengthened so that you must be clear and upfront with customers about what exactly they are consenting to when they sign up. This is to stop companies hiding the details in their terms and conditions. So, if you are planning to pass their information on to a third party and to email them a newsletter, you must tell them in simple and clear language next to the box they are ticking.
  - Importantly, it must be as easy for customers to withdraw consent as it is to give consent. So if you have a simple tick-box online where customers give consent, then there should also be a simple tick-box online to withdraw consent.
Clayhanger Guest House will ask you to sign a consent form on arrival and to tick an online check box agreeing to our terms and conditions. If you wish to withdraw consent, there is a simple online form on our website to complete. We will acknowledge it within the guidelines given by the Information Commissioner, action it as soon as possible and notify you when your request has been completed.
- Right to Access
  - The GDPR also expands the rights of customers to access the information that you hold on them. This has two parts – first, on request from the customer, you are required to inform them if personal data concerning them is being processed, where and for what purpose. Second, if requested, you must provide a copy of all the personal data you hold on the person electronically and free of charge. This includes any information you have made on the person’s file so if you have added notes such as, “likes the Sunday Times”, “owns a Spaniel called Arthur” or “never leaves a tip”, you also need to provide this information.
Clayhanger Guest House will action any such request, whether written or made via our online form, within the guidelines of the Information Commissioner, free of charge and in writing to you.
- Notification of Data Breaches
  - The GDPR will require you to notify the Information Commissioner’s Office within 72 hours of first having become aware of the breach where that breach is likely to “result in a risk for the rights and freedoms of individuals”. For any breach, you are required to notify the customers “without undue delay” after first becoming aware of a data breach.
Clayhanger Guest House will notify you of any data breach without undue delay after we become aware of it. We will do this in writing to the last known address you gave us at the time of booking.