GDPR Update

The changes we've made to comply with the new GDPR Provisions.

Hannah Benneworth avatar
Written by Hannah Benneworth
Updated over a week ago

We've made some changes to Inn Style in order to be fully compliant with the new GDPR Provisions that come into effect on 25th May 2018.

GDPR: You and us

In order to be GDPR ready, we've redrafted our Terms of Service between you and us. These will come into effect on Friday 25th May 2018. Your continued use of Inn Style signifies your acceptance of these terms. We have also renewed our Privacy Policy.

Being GDPR ready for you – our accommodation owners – isn’t just about the relationship between you and us. The important bit is supporting you in your obligations to be GDPR compliant in your relationship with your guests.

GDPR: You and your guests

In general data protection regulation terms, Inn Style has been the Data Processor and you, the Accommodation Provider, the Data Controller.

Being the Data Processor, Inn Style’s obligations are limited to process data on your instruction. We have never been able to market to your guests using your guest data, or share your guest data with other Inn Style accommodation providers. We never will.

You should not regard this communication as legal advice. The objective of this communication is for you to better understand what new features we have introduced to Inn Style to help you comply with your GDPR obligations to your guests.

Because you are the Data Controller, it's important that you accept GDPR as your responsibility. Our responsibility is to support you with an enhanced product feature set.

Consent Boxes: We're giving you the choice whether to incorporate them in the booking and check-in processes

GDPR isn’t as black and white as you’d hope for – interpretation and compliance is up to you! Inn Style does not want to be prescriptive so we are giving you a choice.

You don't necessarily have to ask guests to explicitly opt-in to your marketing list.

Yes, GDPR suggests you might ask for a clear opt-in to marketing lists – but it also gives you the option to market using something called legitimate interests.

Not quite as clear-cut, but GDPR regulations allow you to argue a case that marketing to a guest who has booked and stayed at your accommodation is within both you and your guests legitimate interests. Many of our users will adopt this stance, and will therefore not ask for a direct marketing opt-in – as long as there is a clear unsubscribe link on emails sent from your third party marketing systems.

Inn Style can’t make the above choice on your behalf. We've therefore built a feature set into our product to ensure that we cater for both options – no matter which one you choose.

In the Guest Experience tab, you can decide whether or not to obtain the opt-in from guests at booking/check-in. By switching it on, you're asking for explicit opt-in to your marketing programmes. By switching it off, you've decided to opt for the legitimate interests route. By default, it will be off.

Inn Style isn’t a marketing tool. It is a Property Management System that helps you sell online – whether that be on your own website or using our integrations with Booking.com, Expedia and Staylists.

How you use your guest data to market your business is up to you. But obviously you should now do this within the confines of GDPR regulation.

We have always allowed you to export your guest data to use for marketing purposes. It is your data after all. From 25th May, when you export your data via the Reservation Report you'll see four new fields for the opt-ins: email, sms, post and phone.

Each field can have one of three values. Yes (where explicit opt-in has been granted by the guest –see below), No (where consent has not been given when asked), and Unknown (for all bookings before 25th May 2018, where Inn Style has not asked on your behalf for an opt-in marketing consent). If you opt for the legitimate interests route and have chosen not to ask for explicit marketing opt-in, these fields will also have Unknown as their status.

If you choose to use the Inn Style opt-in boxes we will, as a minimum, ask for consent for two separate channels: email and sms. You can also switch on post and phone if required.

The opt-in consent will read as follows:

“I understand that [Accommodation Provider] would like to contact me with further information and details of special offers and other promotions relating to [Accommodation] and I hereby consent to receiving such communications:

o by email
o by SMS

The Opt-In Fields on each guest reservation can be viewed and edited whenever necessary.

If you choose to ask for explicit opt-in

From 25th May, when a guest books online using Inn Style, they'll be presented with a clear (unticked by default) marketing opt-inbox for email and sms consent before confirming their booking. (In your Guest Experience settings you can add post and phone as two additional channels). This consent box will define the value (yes or no) of the Opt-In fields within your reservation report.

When a guest books and does not positively opt-into marketing communications, you should not market to them.

After 25th May, you cannot rely on legitimate interests if you are explicitly asking guests to grant an opt-in. There is an argument that for all data you hold prior to 25th May you are able to apply legitimate interests to that – even if after 25th May you decide to ask for opt-in consent.

Offline Bookings entered into Inn Style (e.g. telephone bookings)

If you've chosen to ask for a marketing opt-in, we'll take the view that when you take offline bookings, the default state of the marketing opt-ins for that new guest record is No. You're free to ask guests on the phone if they consent to an opt-in, but we think it’s easier to ask them when they are checking in. (See below)

To avoid having to read out your privacy policy on the telephone (which is your legal obligation), we recommend that you email the booking confirmation through Inn Style. This email will clearly state that the reservation has been made in accordance with your Terms and Conditions and Privacy Policy, linking to your own website.

We'll also set the opt-in to a default No for all bookings that come through channels such as Booking.com, Expedia and Staylists. Again we recommend that, should you require marketing opt-ins, you obtain these at check in using the Registration Forms.

We've redesigned the paper Registration Forms to now have marketing opt-in check boxes. You should retain these Registration forms to evidence opt-in. If marketing opt-in consent is granted by a guest at check-in, you'll be able to set this to Yes in your guest reservation.

Guests' right to delete personal records

GDPR also grants consumers the right to easily request deletion of their personal data. We're supporting you with the tools to do exactly that.

From 25th May, you'll find a delete personal data button on a guest's reservation. This will not delete the reservation, but will only delete personal data attached to historical, fulfilled reservations. It is in your legitimate interests to have the guest data available for current and future reservations, as without it you will not be able to fulfil your contractual obligations to your customer. Your Privacy Policy should explain the process a guest needs to follow to delete their personal data.

What about your Privacy Policy and registration with the Information Commissioner's Office (ICO)?

You should already be registered with the ICO as a data controller. GDPR does not introduce that as a new requirement. If you aren’t please do so at: https://ico.org.uk/for-organisations/register/

There is no debate: you are a Data Controller!

GDPR regulations require all Data Controllers to have a Privacy Policy where you clearly explain to consumers why you hold their data, what you do with it, and what process they have to follow to delete their data from your systems and records.

Inn Style has a revised Privacy Policy but, as we are Data Processors, it follows a very different form to your new GDPR–ready Privacy Policy. You cannot rely on our Privacy Policy for your guest data.

We thought long and hard about preparing a template Privacy Policy for accommodation providers. However, we came to the conclusion that this isn’t something that we can comfortably provide. GDPR requirements mean that Privacy Policies now need to be incredibly specific.

Our concern is that if we were to provide a template, there's a high risk that it may not cover everything required by you, the accommodation provider, and we could be in the firing line if anything were to go wrong.

Instead, we've prepared and attached a document briefly setting out the requirements under the GDPR Article 13 that are usually covered off in a Privacy Policy. We hope this is helpful.

You'll now be able to add the URL to your Privacy Policy in your Communication tab, underneath the existing reference to your Terms and Conditions. If either of these fields contain a link to your own website, we'll display both of these links in the Agree to Terms box before a guest can complete their reservation. If one or both of these fields are blank, we will not serve them as we do not believe it is our obligation to ensure you have either. Our users that have both these links will record direct consent to both the Terms and Privacy Policy at point of booking.

For offline bookings (e.g. telephone bookings), the booking confirmation email sent to your guest will clearly state that the booking is taken in accordance with your Privacy Policy and Terms and Conditions. It will contain both links (if specified in your Communication settings). We encourage you to send these confirmation emails to avoid you having to read everything over the phone! 

Re-Permissioning Campaigns

At Inn Style, we only have visibility of the data that we hold on your behalf. We think it should be your decision to choose whether you go for the direct consent opt-in route, or can justify the legitimate interests approach.

Everyone is aware that organisations contact you asking for opt-in consent. These campaigns are called re-permissioning campaigns. These organisations have taken a view that they aren't able to justify the legitimate interests route, and that they probably haven’t obtained a direct opt-in consent for their email lists in the past.

We can’t make a decision on your behalf as to whether a re-permissioning campaign is appropriate or not. We do think that you could motivate a legitimate interests argument on guest data you hold as a result of those guests staying at your accommodation. 

If you have an extensive email marketing list, we suggest you segment it. If it contains lists of prospective guests who have never stayed at your accommodation and have never consented to you using their data, then we would suggest you re-permissioning those emails by offering an incentive for anyone that opts – or you can simply delete these records.

Your guest data we hold in the Inn Style Database is only a subset of your total marketing data. The data we hold for you is most certainly of those guests who have made reservations at your accommodation. But you'll have lots more data – so have a think about how you're going to deal with it. Remember, Inn Style is a Property Management System – and not a marketing suite – so we can't offer comprehensive advice on how to deal with GDPR.

In order to help you to decide whether it's appropriate to run a re-permissioning campaign (to obtain consent from the data subjects that you want to market to), I've also attached a copy of the Re-Permissioning Decision Tree which our solicitors, Taylor Vinters, produced as a reference to when re-permissioning is (and more importantly isn’t) likely to be necessary.

We've also prepared a one-pager on direct marketing for accommodation providers – although, as this is a complex area and a one pager risks oversimplifying the position, we've also included a link to the ICO’s Guidance on Direct Marketing. The most relevant paragraphs of the guidance are likely to be paragraphs 127 to 141 (which relate to email and text marketing to consumers). We think it’s important to communicate the full guidance (which covers B2B marketing and marketing by other media).

You'll notice that both the documents we refer to are co-branded Inn Style and Taylor Vinters, who are our solicitors. We think highly of Taylor Vinters. They have very specific sector experience and have worked with us for a long time. Taylor Vinters would, of course, be happy to talk to you if you wanted any specific legal advice. Please get in touch if you would like an introduction.

There are a lot of GDPR resources online but our CEO has turned to Suzanne Dibble for a charity of which he is a trustee. Adrian thinks Suzanne demystifies many of the concepts by keeping it real (she has a free Facebook Group with lots of good resource and discussion). Her pack, containing the templates you may need, costs just under £200, is good value and very helpful. If you choose to purchase it, please note we are NOT an affiliate of her business and earn no income by bringing it to your attention. We make no warranties and your purchase is only made in accordance with her terms of business.

As always, our team are on hand to help with questions you may have about the new features relating to GDPR. However, to reiterate, we cannot and will not offer legal advice on the matter.

Thank you for your continued business. Every one of us appreciates it.

Warm regards,

Hannah and the team at Inn Style.

Did this answer your question?