News Inntopia, GDPR, and You

As the GDPR deadline of May 25, 2018 approaches, we’d like to take a moment to explain what Inntopia is doing about this regulation and how GDPR might impact you and your business.

What is GDPR?

GDPR is the General Data Protection Regulation, a regulation of the European Union which has far-reaching implications for how companies handle personal data of E.U. citizens and those who reside there. The regulation goes into effect May 25, 2018 and applies to all companies who collect, store, process, or share personal data of E.U. citizens and those who reside there, regardless of whether the company maintains a business presence in the E.U. This extensive regulation is comprised of 99 articles which specify steps companies must take to safeguard personal data and define how that data may be used and under what circumstances. For further details of the regulation, please visit this website.

What is Inntopia’s Role in GDPR?

In most instances, Inntopia’s relationship to you is that of a “data processor” under the GDPR framework. That is, we process data on behalf of you, the “data controller”. As a data processor, we have many responsibilities around safeguarding and handling the data you and your guests entrust to us. These responsibilities include but are not limited to:

• Protecting and Safeguarding Data – First and foremost, Inntopia is charged with taking measures to protect the data we store and process. The good news is that we are already doing this. Through initiatives such as our PCI compliance, Inntopia has developed a mature information security program aimed at ensuring we know where your data is, who has access to it, how it is handled, and reducing the risk that it may fall into the wrong hands. In addition to our already robust set of policies, procedures, and technical measures, Inntopia is adopting the ISO 27001 framework. This internationally-recognized information security standard will expand and enhance our existing technical and procedural controls to ensure we are taking all necessary steps to protect your data.
• Enabling Your Compliance – Inntopia has a responsibility to make sure that our systems help facilitate your own GDPR compliance and that we give you the tools needed to maintain compliance as per our agreement with you. To that end, we are developing tools that let you more easily control the data you store in the Inntopia platform. Among these are:
  • Data Retention Features – We are developing features to let you set data-retention polices of your guest data in accordance with your obligations to your guests.
  • Tools to Manage Rights of the Data Subject – Inntopia is developing tools for easier management of customer data, including features that support the rights of the data subject. Rights such as data portability, data deletion (“right to be forgotten”), and data correction. These tools will allow you to more easily update, delete, and retrieve guest data.

What else is Inntopia doing about GDPR?

Inntopia has contracted with a law firm specializing in data privacy and GDPR in particular. We are actively working with an attorney who is an expert in the field to verify that we are complying with all GDPR requirements. This work includes updates to our privacy policy, contract addenda for third-party processors with whom we share data, and representation as our Data Protection Officer (DPO).

What do I need to do about GDPR?

First and foremost, if you don’t have in-house expertise, you should obtain qualified assistance with making sure you are compliant with GDPR. If you collect the personal data of E.U. citizens, you do have obligations under the regulation. Some specific steps you may need to take depending on your specific business situation include:

• Update your Privacy Policy – Your privacy policy must comport with GDPR requirements. You, as the data controller, have an obligation to inform your customer of the lawful reasons for which you are processing their data and how you are processing it. This should include mention of Inntopia as a processor of their data.
• Obtain and Document Consent – You may have an obligation to obtain consent for the processing of data from your E.U. guests, particularly in the case of certain email marketing. You should keep a record of that consent should the need for it arise in the future.
• Maintain Agreements with Processors – Any entities who process data on your behalf (including Inntopia) must maintain a Data Processing Agreement with you. You may receive a Data Processing Agreement from Inntopia, in the form of an addendum to any existing contract in place, that spells out responsibilities of both Inntopia, as the data processor, and you, as the data controller.
• Respond to Requests from Data Subjects – You, as the data controller and the one who maintains the business relationship with the guest (data subject), must respond to inquiries and requests for correction, deletion, or retrieval of personal data. Make sure you have a process in place and that staff are educated on this requirement.

What shouldn’t i do about GDPR?

• Ignore It – It is very likely that you have obligations under GDPR and you should take steps to understand your responsibilities and ensure you are compliant.
• Panic – We’ll get through this together!