GDPR FAQs

Background Questions

 

What is it?

GDPR is the acronym for the General Data Protection Regulation being introduced on 25th May 2018. The GDPR will cover any organisation that processes data relating to EU citizens. It will change how organisations treat data that they hold on individuals and, despite some confusion and negative opinions, it can benefit businesses. This is because more personal relationships with customers will be formed, and data will be cleaner and more valuable to your business. Initially, it might look a bit difficult to get off the ground, but don’t be put off it’s something you need to do and it will benefit your business. Take a look at our e-book for a more extensive look at the GDPR.

What legislation do we have today?

In the UK, businesses currently operate under the Data Protection Act 1998, which was established before people had the online presence they do now.

The DPA lists the data protection principles in the following terms:

  • Personal data will be processed fairly and lawfully.
  • Personal data is obtained only for the specified and lawful purpose.
  • The data captured will be adequate and relevant – not excessive for the purposes it’s being used for.
  • Data will be accurate and kept updated.
  • Personal data should only be kept for as long as necessary.
  • Appropriate measures will the taken to protect against data breaches.
  • Personal data will not be transferred outside the EU unless the rights of data subject can be assured.

Why is it changing?

There is now a shift in the amount of data being produced. The GDPR will focus heavily on protecting individuals and their data. In our constantly expanding digital world, the GDPR will strengthen consumer privacy rights and clear up any uncertainty over the consent needed for using your customer’s data.

What happens in light of Brexit?

UK businesses will still have to comply with the GDPR regulation because they interact with EU organisations and use the data of EU citizens. It applies worldwide.  

What happens if I don’t comply?

In short, you may be faced with increased financial penalties. At the moment, there is a £500K cap on monetary penalties with regards to data protection. However, if you don’t comply with these new rules, your business could be fined a much higher amount. The charges are different depending on how seriously you neglect the regulation’s points but can be up to 4% of your annual global turnover or €20 million (whichever is greater).

seo website

What is actually changing?

1. Wider definition of personal data 

Personal information historically included name, address, contact details, bank information, and so on. With the GDPR, information like online identifiers (e.g. an IP address) will also be classed as personal data. Changes in technology, and ways that organisations collect information mean that a wider definition of personal data is needed.

2. Data subject rights
Data subjects have new rights, and these can be separated into three key areas.

a) Consent

Processing data:
In the case of processing a restaurant booking, a diner gives personal data so they can make a restaurant reservation. A diner agrees to this exchange of information by agreeing to the restaurant/venue’s privacy policy and terms and conditions. These should clearly outline what personal information will be used, how long it will be stored for, who it is to be shared with (if at all), and how it is stored.

Marketing:
Consent also relates to opting in to marketing information. Opting in to marketing communications from your restaurant must be voluntary, and you can no longer use a pre-ticked opt-in (or an automatic opt-in) as consent for communications.

Clarity:
When you ask customers to opt in to marketing, consent must be clear and specific. If you are part of a group, customers must opt in to promotions and offers from each of your restaurants. You must also ensure you use plain language, and you cannot hide a marketing opt-in in your Terms and Conditions or Privacy Policy. If you’re not already GDPR compliant, you may have to refresh existing consent.

Retention:
Please note that consent given does not last forever. Personal information will be retained for the purposes of making a booking and, if diners’ opt in, marketing. In the case of making a booking, it can only be used for a limited time, so you must ensure you have a retention policy in place (more on this below). For the purposes of marketing, you should ensure you refresh opt-ins on a semi-regular basis.

b) Right of Access

Diners (Data subjects) should be able to track any changes to data held and request all information that a restaurant has on them. Data subjects can also request a free electronic copy of their data. The £10 admin fee venues were allowed to charge for this copy, no longer applies. Data subjects can withdraw their consent at any time and have their data erased. Data protection should be an integral part of company policy.

c) Right to be Forgotten

Under the GDPR, an individual will be able to access their personal data, and ask for their data to “be forgotten”. Therefore, data controllers (venues or ResDiary) must erase all of the data subject’s personal data, cease using the data, and stop any third party from using the data (if applicable).

3. Data Controllers v’s Data Processors

Under the GDPR, the responsibilities of data controllers versus processors have changed. Data controllers used to be the only party accountable for any breach. Now, under the GDPR, processors will have more accountability.

Data controller: determines the purposes and means of processing personal data.

Data processor: responsible for processing personal data on behalf of a controller.

It’s important to understand the difference between being a data controller and data processor. In the context of ResDiary, when bookings are made for a restaurant using ResDiary technology on any other digital platforms, via the ResDiary.com portal or the ResDiary Now app, then the restaurant, or partner, is responsible for tracking marketing preferences.

When a restaurant is the owner or controller of data, ResDiary is not responsible for how they use diners’ information. To learn more about how a restaurant may use such personal information, you should review its privacy notice.

4. Retention periods

You will need to:

  • review the length of time you keep personal data.
  • consider the purpose or purposes you hold the information for when deciding whether (and for how long) to retain it.
  • securely delete information that is no longer needed for this purpose or these purposes.
  • update, archive, or securely delete information if it goes out of date.

5. Information Governance and Security

The GDPR should be built into your systems and process from the get-go. This is “Privacy from Design”. Under this, controllers are required to discard personal data that is no longer required.

6. Data Breach Notification

Data controllers must notify a supervisory authority without “undue delay” within 72 hours of learning about a breach. Controllers must notify them what kind of breach it is, the impact of it, and who to contact in their organisation, namely the Data Protection Officer.

7. Global

This will affect all companies that process data of EU citizens, regardless of whether or not they reside in the EU.

ResDiary FAQs

ResDiary-specific

Where is the data physically stored?

Data is stored securely in data centres managed by Rackspace in the UK.

How do you store/process data to ensure you are compliant? 

To be compliant, an organisation must only store/process data:

  • That is needed for lawful processing  (to deliver a service)

or

  • That someone has consented to give

This is what ResDiary currently does. 

Who is the data shared with externally?

ResDiary doesn’t share data externally, however, if a customer books through a third party (e.g Time Out), they may have opted in to the third party’s marketing list. This means the data will be stored on their systems too. ResDiary only shares data with external business partners, or third-party initiatives about particular offerings that diners have opted into.

How long is the data kept for?

The GDPR outlines that you need to know how long you’ve kept data for, so we’ve agreed our data retention period will be 18 months. This means we will delete subscribers to marketing after 18 months of inactivity. We will be giving you the tools to create your own retention policy. Please note that your policy may be different from ours or other venues, depending on the type of venue you are.

How can data be amended/supplemented?

You can do this via updates to the diner record on your ResDiary system. Please note that ResDiary offers a role-based permission system, through which you can control the members of your team who can update and track any changes.

When and how is the data deleted?

Data can be deleted upon request either by you or by us. Data can only be deleted by ResDiary if a diner booked on resdiary.com or the ResDiary Now app. If a diner booked via social media/a venue’s widget/website, then the restaurant must delete that customer’s data. A diner can contact ResDiary at privacy@resdiary.com to delete their record.

Can we remove old/obsolete data – delete an audit trail?

You can delete customer records via Reports -> Customer List in ResDiary. We are looking to provide tools to allow either deletion or anonymisation of old data.

What back-up and security is available for the data held in ResDiary?

We use one of the leading Managed Security Service Providers – Rackspace. Thousands of organisations, including global enterprises, use this company.

Who is the point of contact at ResDiary in the event of a data breach?

The point of contact from ResDiary is the Chief Operating Officer, Mike Breewood, who is also our Data Protection Officer. He will invoke the data control procedure with the Chief Technical Officer, Colin Winning, as required. Then we will report the breach to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. We will notify affected venues within 48 hours of becoming aware of the breach.

How would data be deleted in the event of us no longer working with your company?

Data will be deleted 12 months after a venue cancels their contract with ResDiary. This is in case you wish to return to ResDiary.

We will need to have explicit consent for use of personal data held for marketing, will this be a feature enabled for new guests created?

Yes, you will need explicit consent to market to individuals. We have already removed automatic opt-ins from our widgets, which is one aspect of becoming compliant. Other aspects relate to delivering clear and separate opt-ins for ResDiary and restaurants, and providing the appropriate audit trail of consent. This work is in progress and will be delivered over the coming months.

Will we need to update our venue’s privacy policy?

If you already have a privacy policy, you will need to update it to take the GDPR into account. If you don’t already have a privacy policy, you must create one. If you pass on customer information to a third party to do your email marketing, you will need to insert this information into your privacy policy. We are creating a standard privacy policy for restaurants. It will be available soon. Ideally, you should link the privacy policy from any widgets you have, and in any emails you send.

Should we delete data if a guest cancels?

If you download emails from the system and a guest cancels then their data doesn’t need to be removed from your system. If they opted in to marketing communications, then they can still be advertised to.

We’re part of a group of restaurants. What should we do?

If a guest booked for one restaurant you cannot use their details to promote all your sites since they didn’t opt in to communications from all sites. You may only advertise to them if they opted in to marketing communications to that site. The more specific you make your options for diners when opting in to communications, the better. We would advise you to separate your marketing by site. In the coming months, we will be creating tools to help you with this.

Are confirmation emails still okay to send?

Confirmation emails are classified as a service email, and these types of emails are still okay to send under the GDPR. It’s like a confirmation email you receive after making a purchase from your favourite online shop.

Are post-dining feedback emails okay to send?

You’re still able to send an email to a diner for post-dining feedback. In the ResDiary Privacy Policy, it is outlined how data is used. In the Privacy Policy it says that, ResDiary not only uses personal information to process reservations, but to “send you (the diner) information (via email) relating to our products and services, including reservation confirmations and updates, receipts, updates, technical notices, security alerts, and support and administrative messages”.

We also say that we shall “seek your feedback on the services we provide” and “collect data, including without limitation from you, with the purpose of improving the booking service and to provide feedback to the restaurant”.

Like confirmation emails, this is classified as a service email, and these types of emails are still okay to send under the GDPR. As a venue, you will also need to include information on post dining feedback emails in your terms and conditions.

Do I need to delete my marketing database?

We would recommend that you start afresh with your database, but that doesn’t mean deleting it altogether. Start by refreshing your opt ins.  A low-risk strategy would be to email those who are engaged with your brand and ask them to update their marketing preferences. You can tell they are engaged if they have opened or clicked through on your emails. The remainder, you would delete. Under no circumstances contact those who previously unsubscribed to ask if they want to opt in again.

ResDiary will be including functionality to track when, how, and what consent was taken in giving customer information. After this, restaurants can contact their database to ask them to refresh opt-ins.

What steps you have taken to ensure your compliance with the regulation?

  • We have reviewed our consumer privacy policy and consumer T&C’s.
  • We have changed the back end of the diary so venues have a log of all the changes made to a customers profile and who did it – soon this will be made
  • Unticked marketing opt ins on all widgets.
  • Creation of a marketing preferences landing page.
  • See here for more information:

What contractual clauses you have in place with us to ensure are meeting your obligations under these regulations.

We will be working on a contractual agreement about data.

Who in your organisation can access the data held on our behalf and for what purpose?

Authorised users in our Customer Support and development teams can access diaries and data within diaries when necessary. This is normally only necessary when resolving issues on behalf of our restaurant operator customers.

Under the new GDPR guidelines, if we take a restaurant booking over the phone are we able to ask them if they wish us to opt-in to receive marketing emails and if they are happy for us to retain their information? Our query is what proof do we then have that they have agreed to this when it is just verbally over the phone?

Use the double opt-in for verbal consent to marketing, especially if a number of staff members take bookings over the phone. This would ensure that even if a staff member ticked the marketing box for the diner by accident, then the diner would still have to give electronic consent by confirming via email. Therefore, there would be written consent, which is a better/safer option than simply just verbal consent. In terms of legal implications, consent has to be obtained clearly, and the data controller (your venue) has to demonstrate this. Therefore, a double opt-in really seals the deal in terms of consent.

Where do I go to download the email addresses of customers that have booked who have hard opted in for future emails from my venue? Are we allowed to continue to contact the email addresses we have got from bookings pre the new hard opt in tick boxes?

Before you download any email addresses that you currently have you will need to refresh customers’ marketing preferences. Choose the customers that have interacted (clicked, opened etc) with your emails/marketing in the past year. By refreshing marketing preferences, you’ll have to send an email saying “Please update your marketing preferences” and if customers don’t respond you can take that as a “no I don’t want to refresh my marketing preferences”. Since they haven’t given explicit consent, you will have to remove them from your database.

The reason for this is that pre-ticked opt-ins/checkboxes for marketing are no longer allowed under the GDPR. This was how ResDiary obtained marketing consent previously on all our widgets, on the portal, and on our app. We have now changed this so that diners have to affirmatively tick a checkbox to show they have consented to receive marketing. At the moment we can’t track see which option diners used to opt-in. Therefore, a low-risk strategy is to do as suggested above. Please note, that you should not send the “refresh marketing preferences” email to anyone that’s opted out of marketing from you, this is not in line with the GDPR nor current data protection legislation.

Where can I download a copy of diner data we have stored on Resdiary? 

This functionality is currently in the pipeline.

Take a look at what we’re doing to prepare here and what we’ve already done here. There are more updates to the diary are still to come, and will be available in the near future.

Share on: