GDPR compliance for property managers

What you need to know about data protection

As a property manager, you will receive a lot of data about your guests. This data can be classified as the following:

Personal data, which can be used to identify your guest. This includes name, age, address, social security number, and so on.

Sensitive data, which tells you more about your guest. Examples of this are race, religion, bank account number and so on.

Irrespective of the data you collect, starting 25th of May, 2018, it must be used solely for the purpose for which it was provided.

An example of this is: You collect the name, address, and phone number of the guest who wants to book your property. This information should be used only for activities such as communicating with the guest during their stay, maintaining their records for bookkeeping purposes, and so on. This data cannot be used for any other activity unrelated to the booking, such as posting this data on social media and similar forums.

All personal data provided to you as a property manager must be protected by implementing the right processes and safety measures.

Upgrade your data protection

To ensure that you are compliant with the GDPR policy come 25th May, go through the following clauses; they might have a direct/indirect impact on how you deal with guest data:

You’ve heard this phrase but don’t understand how it affects you? Here is the simple breakdown: Your guest, at any point in time, might request you to remove their personal data from your systems. Once you receive this request, you must not only remove this data from your system but also stop providing it to your business partners or any other third party, even if the consent was given by the guest at the time of procurement.

However, such a request should not be accepted in cases where you are obligated by law to hold on to certain guest information. For instance, you are required to keep financial data of guests for up to 7 years (in the EU) and 5 years (in the US), even if the guest requests you to remove it from your systems.

Before you request their data, you must clearly express the purpose of obtaining it and ask for consent.

For example, if you plan to use their contact information for sending promotional offers and sharing it with your third-party vendors, you must express it clearly before obtaining the data.

Similarly, guests should be able to easily withdraw their consent at any point in time.

This allows customers to access any information about them that you may have saved in your system.

Such a request can be two-fold:

If requested, you are obliged to share the purpose for which the data is being used: the how, when, and why.

You must also divulge the customer’s personal data along with any additional notes that you may have jotted down about them, such as their preferences in tea or newspaper.

The 5 commandments of data protection

In summary, we feel confident that you will be GDPR-compliant if you keep these tips in mind:

  1. Protect all personal data as if it were your own.
  2. Use personal data only for the purpose for which it has been prescribed.
  3. If you are collecting and using sensitive data, ensure that this is done for lawful purposes.
  4. Do not hold on to personal data for longer than is necessary.
  5. Do not transfer personal data to any other country unless you are sure that the country enforces adequate data protection measures.

Need help?

Does your mind boggle when you think of GDPR? Or have questions but no answers? We are happy to help.

Just drop us a line at [email protected].