As an operator of a short let hospitality business – a holiday cottage or apartment for example – GDPR presents you with a series of challenges.
The quantity of personal data you use will be much smaller than for many other businesses. You may even operate without employees and do all the work yourself.
If this is the case for you, the thought of having to jump through all the compliance hoops may appear a little daunting.
There is certainly a lot to do. You will need systems that achieve the same ends as those used by larger businesses. But you don’t need to make them as complicated. Your needs are more straightforward. You still need to get the job done in terms of protecting the personal data of your customers and the people associated with your business, but in a way that is appropriate for your business. It all depends on what you do when you process personal data.
At the most basic, you might be running your short let hospitality business using nothing more than a notebook and a telephone.
You place advertisements in tourist authority brochures or in the classified ad columns of holiday publications and you wait for people to telephone or write to you. This means you are not using any personal data for your marketing.
When someone makes a booking, you note their name, address and telephone number (this could be the only personal data you process) in your booking diary on the dates they want to stay with you; you cash their cheque (which contains some more personal data) or send them a letter asking them to transfer the payment to your bank account. You give the customer a receipt written on a duplicate pad you bought from your local high street stationer. They get the top copy, you keep the carbon copy.
Your GDPR compliance records can be written or typed on a few sheets of paper. Your data processing is simple, your records need to be enough to reflect that simplicity. If you don’t use computers for your business, you don’t need computers to be ready for GDPR. You can do it all on paper.
But you’re looking at this on a computer. So it’s possible you’re using some sort of technology in your business. You can still do most of the work on paper. Indeed we encourage you to do so.
Your lawful basis for processing personal data in this context is performance of the contract with your customer: you cannot provide the stay, or take payment for it, without their name, address and contact details.
For the GDPR, you need to have a written record of: the personal data you process; why you need it; what you do with it; where it is stored; how long it will be stored for and how you will dispose of it.
You need to be clear what you intend to do with your booking diary and receipts pad at the end of each year. You are going to need them to prepare your business accounts, whether you are running your hospitality business as a sole trader, partnership or limited company, so you also have a responsibility to comply with tax and business law requirements, which set minimum periods for keeping such records. You need to keep the records safe.
It’s all common sense really.
You dispose of records you no longer need, and are no longer required to keep, promptly and securely. For example, you don't just throw the books in the bin, you shred them or burn them. And you have a document which says this is what you do, on which you make a note of the date and what was destroyed every time you do it.
If your short let hospitality business is a bit more complicated you might want to take advantage of some information technology. You might have several properties in your portfolio; you might have some employees; you might want to use the internet for getting bookings.
This means a different type of processing and some new considerations.
How you go about processing personal data in this scenario is going to be a bit more involved than for the simple model noted above. You will need to think about your data partners (for example a booking website, a payment provider or an accountant who handles customer details on your behalf), and about the personal data you actually collect versus what you really need to collect. The purpose of the personal data processing, and the need for accuracy in its collection and use, must be clear to everyone in the business who handles it.
Using personal data for direct marketing purposes brings with it a new series of responsibilities.
The lawful bases for processing available to you are going to be more involved than simply fulfilling a contract. You now have options such as consent and legitimate interests, each of which needs a certain amount of preparation, rigour and monitoring: consent must be recorded and easy to withdraw, and a legitimate interests decision must be written down with the reasoning behind it.
Your responsibilities for protecting personal data are obviously much more involved once information technology is involved. There are well publicised issues such as computer hacking and viruses to contend with, but there are also very simple but equally damaging problems you need to consider: a lost laptop or phone, an unencrypted memory stick, a spreadsheet of bookings emailed to the wrong address, or a former employee who still has a login.
Data on a computer is very easy to copy and share nowadays. Copies can be made on all sorts of devices, and they also accumulate in email, in cloud backups and on the booking platforms you use. Do you know where they all are? You should be able to list every place personal data is held, restrict who can reach each one, and encrypt any device that leaves the premises. If a copy is lost or stolen, that can be a personal data breach which you may have to report to the ICO within 72 hours of becoming aware of it, so knowing what data was on it matters.
Then there is the issue of data accuracy. You are responsible for maintaining accurate personal data, and your customers have a right to have errors corrected. Information technology makes it all too easy to make recording and input errors, and to leave stale copies in circulation once a correction has been made. Everyone who handles data needs to know what to do to rectify matters, and where every copy lives so the correction reaches all of them.
The GDPR emphasises that whatever systems you choose, the technical and organisational measures you take need to be "appropriate" for your business and the risks it runs. There will be a cost in terms of time and money. The decisions about how much of each you really need to spend are up to you.
To that end, you can find a lot of good advice on the website of the Information Commissioner's Office (ICO). It is free. There is even a section specifically designed for small businesses.