In this article, we review best practices for making a website GDPR compliant.
On May 25, 2018, the European Union (EU) put into effect the General Data Protection Regulation (GDPR). The primary aim of the GDPR is to give individuals in the European Economic Area (EEA) more control over, and transparency into, the use of their personal data and to create a unified framework that all members of the EEA can adopt to protect residents.
The GDPR affects any company that collects and/or processes the personal data of anyone in the EEA. Within the hospitality industry, international travelers browse hotels’ websites and submit information via forms, cookies, or reservations. Under GDPR, the hotel needs to ensure that the data collected is handled correctly and that the guest has consented to the purposes for which the hotel intends to use the information.
Cendyn works with individuals responsible for data protection regulation to monitor the company’s GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators and hotels. Cendyn acts as a data processor under the GDPR, while the hotel is the data controller.
The following is recommended for all websites that are subject to GDPR:
- Data Privacy page: Publish a data privacy page with a section detailing the use of personal data and cookies.
- SSL Certificate: Ensure the website has an SSL/TLS certificate so that all pages are served over HTTPS.
- Cookie Consent: Receive explicit cookie consent before dropping cookies or collecting cookie data (for any cookies not covered under performance of a contract or legitimate interest) using a compliant third-party tool.
- Website forms with opt-out box: For any website forms, ensure there is a consent checkbox defaulted to opt-out, and that any third parties receiving the information are clearly named.
- Email opt-in: For any email subscriptions, ensure users actively opt into a marketing email subscription capturing the date and time of consent.
- Double opt-in: All email subscriptions should follow a double opt-in, where the user confirms an email subscription.
- Secure email lists: Email lists should only be sent through FTP or secure means between NXG and client and should not be saved on any personal devices.
- Data subject request form: Provide a data subject request form allowing users to request access to data, rectify data, receive data, opt-out, and to be forgotten.
- Uniform price points: Remove any customized targeting that has different price points for different EU residents (cannot have country-specific priced targeting).
- Website Privacy Notice: Update the website privacy notice to include disclosures required by GDPR.