Bed & Breakfast News Issue #46 Spring 2018 | Page 13

GDPR preparation checklist for B&Bs:

- Identify data security weaknesses (e.g. personal data in email or on Excel spreadsheets with no encryption or password protection).
- Map how your data is gathered, processed and stored.
- Learn the documented definitions of personal data and train your team to identify it (for example, a photo is personal data if it identifies an individual).
- Consider who should be the Data Protection Officer and whether an external one is appropriate.
- Ensure your business has consent to gather, store or process data, and identify when you have a legal obligation to do so (e.g. to process bookings).
- Consider what you do in the context of the Six Privacy Principles, i.e. Data Governance and Quality.
- Consider which third parties you exchange data with (such as your booking systems provider and payment processor).

Check with your systems suppliers

Does your hotel and management software comply with the GDPR rules? If you have not done so already, do check the help and guidance on GDPR compliance given by your booking system supplier.

One of the key issues for B&Bs is the need to deal with ‘data discovery’. You receive guest payment card information through your website, by phone or email, at the time of checkout, written on credit card authorisation forms, or even by SMS, WhatsApp message or fax. So this data will often be in multiple locations. The new challenge is to protect this information – but first you need to be aware of where it is. ‘Mapping’ where and how you gather and store data is therefore important, as guests or enquirers have the right to request sight of the data held on them, to have it corrected, or to demand its deletion. Experts advise that businesses must be able to prove to the regulator (the ICO) that they monitor data movement through ‘system logs’, so that actions on their systems can be tracked and overseen if necessary. B&Bs should now be more cautious about any third-party partners, so that they do not become a data protection threat to your business.
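The ‘data discovery’ step above is the one that is hardest to do by hand: card numbers end up in mailbox exports, spreadsheets and phone logs. As an added example (not from the newsletter or any booking system vendor), the following Python script scans a set of text sources for strings that look like payment card numbers and pass the Luhn checksum, and reports where they were found with the number masked. The sample sources and file names are constructed for illustration.

```python
import re
from typing import Dict, List

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits and mask the rest, so the report itself is safe to store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked card numbers found in a piece of text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_sources(sources: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each source name to the masked card numbers it contains (sources with no hits are omitted)."""
    return {name: hits for name, content in sources.items() if (hits := find_pans(content))}


# Constructed sample data standing in for a mailbox export, a spreadsheet export and a phone log.
SAMPLE_SOURCES = {
    "inbox/booking-2018-03.txt": "Hi, card is 4111 1111 1111 1111 exp 06/20, thanks",
    "bookings.csv": "Smith,2 nights,5500000000000004,paid\nJones,1 night,cash,paid",
    "phone-log.txt": "Called 01234 567890 to confirm arrival time",
}

if __name__ == "__main__":
    for source, pans in scan_sources(SAMPLE_SOURCES).items():
        print(f"{source}: {', '.join(pans)}")
```

The phone number in the third source is ignored because it is too short and fails the checksum; in practice you would point the scanner at your real mailbox and spreadsheet exports and then move or delete whatever it finds.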
Under GDPR, ‘data processors’ are captured by the regulations as well as ‘data controllers’. For example, if a B&B, as a data controller, outsources the processing of data to a third party that is not GDPR compliant, the B&B would still be held responsible if a data breach occurs. Current card-sharing practices between OTAs and hotels/B&Bs, for example, may need to change. You are probably already well aware of how to handle payment card information securely: for instance, that it is unsafe to write down or email card details and other sensitive information. Here, using a reputable and compliant booking system and payment processor is a positive benefit, as their systems will be designed to comply with PCI and GDPR if used properly.