Bed & Breakfast News Issue #46 Spring 2018 | Page 14
14 | Bed & Breakfast News | Summer 2017
Prompt reporting of data breaches
In one of the most onerous provisions of GDPR as far as small businesses are concerned, if you find your business has suffered a security breach involving personal data, the breach must be reported to the regulator (in the UK, the ICO) within 72 hours of your becoming aware of it, unless it is unlikely to put anyone at risk. Where the breach is likely to put the people concerned at high risk (eg guests or enquirers whose card details or identity documents have been compromised), you must also tell those people without undue delay. That could be a tall order for many B&Bs, so it pays to know in advance where your guest data is kept and who you would need to contact.
Data security
Viruses or ‘malware’ are a major threat and the reason for 94% of breaches in the hospitality sector. So install reputable anti-malware software, keep its virus definitions (and the operating system and any booking software) updated on a regular basis, and maintain logs: if a breach does happen, the logs are what tell you what was taken and whom you need to notify within the 72-hour deadline.
Payment gateways are one of the primary places guest card details end up being stored. Consider using a third-party ‘vault’ provider. With a vault, the card details themselves are removed from your custody and you are given a digital ‘token’ in their place, which you use for billing: only the vault can turn the token back into a card number, so a token stolen from your system is useless on its own. You thus move the risk of storing card data to a third party who specialises in that. Many booking systems and payment providers already use ‘tokenised’ credit card information; check with yours, and check that no full card numbers are still lying around in your own booking records, emails or spreadsheets.
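To make the tokenisation idea concrete, here is a small illustration written in Python for this article. It is not the real code of any booking system or payment provider, and the vault, the guest record and the test card number are all made up for the example. The vault keeps the card number and hands back a random token; the B&B keeps only the token and the last four digits; and the final function scans what the B&B holds for anything that still looks like a card number, which is the check worth running on your own records.

```python
"""Illustration of card tokenisation for the article above.
Added example: not the code of any payment provider or booking system."""
import re
import secrets
from dataclasses import dataclass


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test: a quick way to tell a real-looking card number
    from a random run of digits (a format check, not proof the card exists)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Stands in for the third-party vault. Only this object ever holds the
    full card number (PAN); the B&B never sees it again after handing it over."""

    def __init__(self):
        self._cards = {}  # token -> (pan, expiry)

    def store(self, pan: str, expiry: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # The token is random, so nobody without access to the vault's own
        # table can turn it back into the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = (pan, expiry)
        return token

    def charge(self, token: str, pence: int) -> dict:
        """Bill a stored card by token. A real vault would pass the card
        details on to the acquiring bank here; this one just approves."""
        pan, expiry = self._cards[token]          # KeyError for an unknown token
        return {"token": token, "pence": pence, "approved": True}


@dataclass
class GuestBooking:
    """What the B&B keeps: enough to recognise the card, not enough to use it."""
    name: str
    token: str
    last4: str
    expiry: str


def take_booking(vault: CardVault, name: str, pan: str, expiry: str) -> GuestBooking:
    token = vault.store(pan, expiry)
    digits = re.sub(r"\D", "", pan)
    return GuestBooking(name=name, token=token, last4=digits[-4:], expiry=expiry)


# 13 to 19 digits, optionally separated by spaces or dashes, as card numbers are usually typed.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def find_card_numbers(records) -> list:
    """Scan the fields of the records the B&B holds for anything that still
    looks like a full card number. Expect an empty list if tokenisation is working."""
    hits = []
    for rec in records:
        for value in vars(rec).values():
            for m in PAN_RE.finditer(str(value)):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = CardVault()
    # Constructed test card number (a standard Luhn-valid example, not a real card).
    booking = take_booking(vault, "A. Guest", "4111 1111 1111 1111", "12/25")
    print(booking)                                  # token and last four only
    print(vault.charge(booking.token, 9500))        # bill £95.00 by token
    print(find_card_numbers([booking]))             # [] : no card number in our records
```

The point of the last check is that tokenisation only helps if the full number really has left your systems: a card number typed into the notes field of a booking, or emailed by a guest, is exactly what `find_card_numbers` is looking for.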
User consent – must be ‘opt in’ rather than ‘opt out’
Finally to what is for many the thorniest issue, especially if you use email marketing. You can no longer assume consent (eg from an enquirer, to be emailed by you) just because the user has not ‘opted out’. They must actively opt in. Consent must be informed and for explicit reasons (not vague and catch-all). So where you gather data, eg in enquiry or newsletter sign-up forms, you must explain for what reason you will keep and use the data, and require the user to explicitly consent to that use (a box they tick themselves, not one ticked in advance). Your subsequent emails should offer them the opportunity to change their consent (ie unsubscribe), and you should keep a record of when and how each person consented so that you can show it if asked.
To summarise, GDPR does appear onerous, but everyone is in the same boat as far as compliance is concerned, and all the big systems suppliers and payment processors have invested massive effort in their compliance, so do take advantage of that. And remember that the main enforcement effort will be against egregious abusers of data privacy, rather than small businesses struggling to do the right thing but breaking the letter of the rules in the early days.
Further reading:
Official guidance from the UK Government regulator, the ICO:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
and specifically for small businesses:
https://ico.org.uk/for-organisations/business/
GDPR FAQs for small hospitality businesses:
https://ico.org.uk/for-organisations/business/general-data-protection-regulation-gdpr-faqs-for-small-hospitality-businesses/
ICO Advice service for small organisations:
https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/