General Data Protection Regulation (GDPR)

For support requests (and discussion) by users of the Holiday Letting System.
To prevent SPAM, registrations are approved only for users. (Send us an email before registering if you have a good reason and are not a user). Remember, you can view the forum without registering.

Moderator:bblake

bblake
Site Admin
Posts:52
Joined:Sat Mar 01, 2008 3:42 pm
General Data Protection Regulation (GDPR)

Post by bblake » Thu May 17, 2018 12:05 pm

These are some thoughts about the new General Data Protection Regulation (GDPR) and how they might affect property owners who use the Holiday Letting System to manage their properties. While I've done much reading and even attended a short course, I am not an expert so this interpretation is my own. This post is based on a recent newsletter, and users are welcome to add their thoughts.

Do I have to comply? If you use LetSys you are holding personal data electronically, and you do need to comply with the new regulation. There is much information online to help you plan, and you could usefully start with this checklist from the Information Commissioner’s Office (ICO): https://ico.org.uk/media/1624219/prepar ... -steps.pdf

Basis for Consent. I believe that you have a contractual relationship with your customers (who rent your properties) which allows you to hold data with a legal basis of “Legitimate Interest”. It is a good idea to have a privacy statement which spells this out and to which the customer’s attention is drawn when booking. For our own holiday cottage, we have spent some time producing a simple privacy statement, which we have inserted into our booking conditions. Customers have to tick a box showing they accept them. In case it helps you, here it is:
YOUR PRIVACY IS IMPORTANT: Contact and other information essential to manage your let is kept electronically. You consent to this by placing the booking. We commit to keeping this information secure. We never share it with anyone outside the business and we never collect data about you automatically on our website. We retain your information only as long as necessary for tax and insurance purposes. We do not store any credit card or bank details. If you agree to this when booking, we may send you a maximum of two newsletters or special offers per year. You can change this choice at any time. You also have the right to see any information we hold about you on request. We conform to all applicable privacy legislation.
Of course, your business may be very different and you will need your own Privacy Policy. Ours is much shorter than many we have seen, but we are great believers in keeping things straightforward. There is much misunderstanding about GDPR and we think that some (so called) experts may be doing good business by making GDPR more complex than necessary.

Compliance with GDPR: You must comply with the provisions of GDPR touched upon by the above privacy statement. It is essential to ensure that your computer, containing the customer data, is kept as securely as possible. Those of us who travel with the booking data on our laptops must be aware that these are often stolen and you should ensure your computers are protected by a strong password. You can also consider encrypting your hard drive with a tool such as bitlocker. LetSys stores customer data in a proprietary format, so most casual thieves would not be able to extract your customers contact details, but a competent hacker would easily manage this. However the risk is low for a number of reasons, including the difficulty of extracting the data and the fact that you will only be holding details of relatively small numbers of customers. But it would good practice to ensure you have thought carefully through how to protect your data and be able to show what choices you have made and why in the event of a complaint. Remember that LetSys stores all your customer data in a single “root” folder, normally C:\LetSys, and the LetSys backup tool is the best way to back this up with a single click. We recommend keeping your backups very securely, and delete them regularly. You can easily add a password and encrypt the backup files using 7zip (our recommended backup utility). We could enhance LetSys to automatically encrypt the backup files using a password which you would configure (and which would be stored encrypted.) If any recipient of this newsletter thinks they might want this feature, please let us know.

Do you need to register with the ICO? Another issue is whether you need to register with the Information Commissioner’s Office (ICO) which costs £35 per year. The online tool told us that we needed to register our own holiday letting business. However, after a long wait I managed to talk to Paul Damerill in the registration team, and was told we did not need to register, as a very small business. He seemed most interested in whether we did any credit checking or had CCTV (we don’t). You may get different answers of course.

Do you need to reconfirm consent from your customers? Our view is that you do not, providing you made it clear in the past that you were storing data electronically (which we did) and that you delete data once it is no longer needed (see below). You should have done this anyway, under the previous Data Protection Act.

Are you able to send news and special offers to your customers? GDPR seems pretty clear that you should not be sending emails out without asking your customers if they are willing to receive them. LetSys will now help with that for new bookings and you can record the answer with the "Omit from Mailshots" checkbox. But what about your existing customers who signed up before GDPR took effect? Most of you will recently have been deluged with emails asking for consent from you to stay on various distributions lists. This has been very unpopular, and the response rate has been as little as 10% - see reference below. However, if you think you already have a valid consent from your customers (or others on your distribution list) to receive emails, separately from just making a booking, you may be able to avoid doing this, although opinions differ.
If you decide you need to do this, you can use the mailshot feature in LetSys to send out an email asking for old customers to reply asking to be kept on your lists, but you will have to manually process the responses, unfortunately.

The interpretation of GDPR is still evolving. Last week new guidance from the ICO makes it clear that many people are misinterpreting GPDR. Please see: https://iconewsblog.org.uk/2018/05/09/r ... -the-gdpr/ There was also an interesting article in the Guardian on Saturday 12th May which you can see here: https://www.theguardian.com/money/2018/ ... ignore-it

You do need to delete information once it is no longer needed for tax or insurance purposes and there is information about how to do this in the Help files under “The Archive / Cleanup window”. This also discusses retention periods for tax data, which nets down to 7 years! Insurance companies may suggest keeping data for longer than this.

Comments are welcome!

Post Reply