GDPR Considerations for Tourism Business Providers
The Information Commissioner’s Office has produced a GDPR guide for organisations which is available on the ICO website.
It contains the advice given below, a useful 12-step guide and checklists to help you achieve compliance with the regulation.
GDPR will apply to all businesses that collect and use the personal data of EU citizens. This will apply even after the UK leaves the EU.
GDPR requires that you have a lawful basis for the processing of personal information.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Your business will be able to avail of most of these lawful bases, for example:
The Tourism (Northern Ireland) Order 1992, Part IV (Regulation of Tourist Accommodation), requires that certified tourist establishments keep a register of visitors using the sleeping accommodation provided.
Overnight accommodation providers therefore have a legal obligation to keep a visitor register, which records the personal information of their guests. Your guests are likewise required to supply this information.
You must therefore keep this information securely, out of sight of other guests, and retain it for a minimum of one year.
Data protection law states that information given for one purpose cannot be used for another purpose.
As a result, the visitor register cannot be used for any other purpose.
If you intend to carry out any kind of marketing activity, then typically consent would be the lawful basis, and this should be obtained separately from the visitor registration process.
The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms.
The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans pre-ticked opt-in boxes. It also requires distinct consent options for distinct processing operations.
Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
You must keep clear records to demonstrate consent.
The ICO guide explains this in more detail.
Customer care should be at the heart of your approach to handling your guests' personal information. Treating your customers' data with respect for their rights and freedoms, and being fair and transparent in your use of their data, will earn the trust of your clientele.
The Information Commissioner's website has lots of advice and guidance on data protection and other regulations that govern how you process your customers' information.