1.
Practical
recommendations
for holiday rental
owners
to prepare for
GDPR
ORGANISED BY

2.
Practical recommendations for holiday
rental owners to prepare for GDPR
Speaker:
Nicola Erlich
Holiday Rental Industry Analyst
Host:
Amelia Sutton
Marketing

3.
Disclaimer
This session provides general information and comments for
holiday rental home owners and rental managers on their
obligations under GDPR and recommendations for moving
towards GDPR compliance.
It is not intended to be a comprehensive description of GDPR
and does not constitute official legal advice which should be
sought before drawing any conclusions on your particular
circumstances.

4.
The biggest change to our data protection laws in 20 years. Are you ready?
Deadline: 25th May 2018

5.
Overview
This webinar will cover:
- What is GDPR
- GDPR – the myths, the responsibilities and the
opportunities
- GDPR and the Holiday Rental Industry
- Practical recommendations for becoming GDPR-
compliant

6.
What is
GDPR?
General Data Protection Regulation
Europe’s new data protection laws, replacing the
previous 1995 data protection directive.
Comes into effect on 25th May 2018.
New law applies if:
◦ Establishment is in the EU
◦ Offers goods/services to EU residents
◦ Customer is located in the EU
◦ Web visits from users located in the EU
Holds businesses more accountable for the data
they hold.
Greater protection and rights to individuals.
Personal data definition expanded.

7.
Evolution not
Revolution!
Your business should already
have a pretty robust system
in place regarding data
protection, usage and
security practices so you will
not be starting from zero.
Improving on the existing
foundation of good practices
is a positive step in building
trust with your customers.

8.
GDPR & the Travel
Industry
The travel industry will be particularly affected
by GDPR due to the everyday use of personal
data.
Examples of personal data in the travel industry:
• Bookings and reservation data,
• Existing customer lists and
• Correspondence with customers.
Also it is the most targeted industry for
cyberattacks so tight security measures &
breach procedures are crucial.

9.
GDPR - Separating Fact from Fiction
• Regulators have corrective powers
• Can issue a reprimand or corrective order
High risk of
penalties
• No special skills/knowledge/tools needed
• Improving on your existing good practices
Time consuming
& costly
• An opportunity to offer a personalised service
• Target customers who want your services
Direct marketing
is dead

10.
GDPR & Holiday Rentals:
5 Key Areas
Part 1:
Controller v Processor
Who is responsible for
what?
1
Part 2:
Personal Data
What is it, and how to
manage it?
2
Part 3:
Individual Rights
What new rights do
people now have?
3
Part 4:
Consent & Privacy
How to get permission
to use people’s data.
4
Part 5:
Roadmap
What steps must you
take to comply?
5
What you need to know about GDPR, with industry specific examples for your holiday rental
business.

11.
Part 1:
Data Controller
& Processor
Data Controller
A controller is an entity that decides the
purpose and manner that personal data is
used.
Processor
The person/group that processes the data on
behalf of the controller. Processing is
obtaining, recording, using and storing
personal data.
Not everyone that handles the personal data of individuals is the
same.
The data protection law has defined two types of people that
handle personal data: controller and processor.

12.
Part 1:
Personal Data Flow Chart
Third Parties
Processor
Data Controller Holiday Rental Website
Home Owner
Rental
Manager
Legal Others
Rental Manager
Legal Others

13.
Part 2:
Personal Data
ID / Passport details:
name, address, race,
origin, biometric data
Contact information:
email address,
telephone number
Sensitive data:
financial and
payment information
“Personal Data” means any information relating to a person that enables them to be
identified directly or indirectly.
This includes sensitive data such as payment information.
COLLECT – STORE – USE – SHARE DATA? You have to abide by the rules.
From a travel industry aspect, personal data could include the following types and sources of
information:

14.
Part 3:
Individual Rights
Right to be informed
Individuals need to
be informed when
you collect or
process their data.
Right to be forgotten
Individuals can ask to
have all their data
deleted from your
records.
Right to access
Individuals can now
ask for access to
their data, and why
you are processing it.

15.
Part 4:
Consent &
Privacy
Consent is the permission given by individuals to allow you
to process personal data.
What data do you need to provide service to your
customers?
How do you get their consent to use their data?
All personal data must be:
• Freely given,
• Specific,
• Informed, and
• Unambiguous
Sensitive personal data must have:
• Explicit consent

16.
Part 5:
Roadmap to
GDPR-
compliance

17.
Part 5:
Roadmap to GDPR-compliance
Audit
Review what
personal data is
held and why.
1
Review privacy
policy
Be transparent &
specific in your
data usage.
2
Establish
legitimate basis
Lawful basis to use
personal data
without consent.
3
Get consent
Users must give
opt-in consent.
4
Security
Review hardware,
software &
procedures.
5
Report breaches
Plan of action for
security breaches
6

18.
Part 5.1:
Roadmap – Data Audit

19.
Part 5.2:
Roadmap –
Privacy Policies
Customer privacy is at the heart of GDPR so must be at the
heart of your data protection policies
Update privacy policies:
• Easy to find online
• Clear and precise language
• Transparency on how personal data is:
• Obtained
• Controlled and used
• Retained for ongoing purposes
• Securely storage

20.
Part 5.3:
Roadmap –
Legitimate legal
basis
Three ways you are allowed to use data
1. Contractual Data
Online travel bookings:
◦ are a contract
◦ a legitimate legal basis to use personal data
◦ NO consent required to carry out the task of making the
booking
◦ direct marketing considered a possible “legitimate
interest”
2. Legitimate Interests
• Legal obligations – passport details
• Fiscal obligations
• Protection against fraud
3. Explicit Consent

21.
Part 5.4:
Roadmap –
Obtaining
consent
GDPR wants you to think about privacy and data protection
from the beginning, not just as an after-thought. This is
“Privacy By Design”
• Limited Data
Only collect what is necessary.
• Data Assessment
Keep checking the confidentiality of your systems.
• Limit Processing
Only use data for the purpose it was collected for.
• Record Keeping
Use good practices to record the data you have, how you
obtained it, how you used it and how you store it.

22.
Part 5.4:
Consent –
Soft Opt-In
***IMPORTANT !! ***
There is a way to continue to use personal data (for
marketing) without legitimate legal basis or explicit
consent.
Privacy & Electronic Communications Regulations (PECR)
- Email and text marketing ONLY
- Allows for opt-OUT instead of opt-IN consent under GDPR
- Assumes interest in similar goods or services provided.
- PECR is currently under review so position may change.
Advice by Farina Azam, partner at Travlaw

23.
Part 5.5:
Roadmap – Security
The threat is real. Data breaches are happening all the time.
The sensitive personal data and credit card information,
collected and shared makes the Travel Industry one of the
most vulnerable to data breaches.
Big travel brands have the resources and funds to protect
themselves against cyber threats.
Smaller businesses, such as holiday rental owners, are the
low hanging fruit – the easy targets – for hackers.
The tourism industry accounted for the largest number of
cyber attacks in 2016.

24.
Part 5.5:
Roadmap-
Security
Where do you keep customer personal and sensitive data?
What online security do you have in place? Is it secure?
Areas to review:
• Hardware & software vulnerabilities
• Use encryption:
• Communications
• Cloud storage
• System passwords security
• Malware protection

25.
Part 5.6:
Roadmap –
Breaches
In the case of a data breach, i.e. hacking, you must report
within 72 hours to:
- the relevant authorities;
- your affected customers.

26.
Opportunities
The focus is usually
on the negatives of
non-compliance, but
there are a lot of
positives businesses
should take
advantage of.

27.
Key Takeaways
Start now. Don’t wait until 25th May
Focus on these simple steps as priority to improving your business
procedures:
1. Audit – Start with an audit to get an overview of your current
procedures
2. Consent – Make the changes moving forward to getting opt-in
consent.
3. Security – Protect your business and the data you hold with good
security practices
Your clients, and the GDPR regulators, want to see that you are trying to
implement GDPR.
Trust is the cornerstone of good business practice.

28.
Useful
Contacts
We don’t claim to have all the answers. In between a lot
of GDPR hype there are some incredibly useful resources
that have been published on the regulation. Here’s where
to go if you’re looking for more in-depth reading:
- The full regulation. It’s 88 pages long and has 99 articles.
- The ICO’s guide to GDPR has lots of useful tools and
information for small businesses.
- ICO Small Business Helpline: +44 0303 123 1113 Ext.4
- EU GDPR is the EU’s official website for the regulation.

29.
Thank you
for
participating!
About Spain-Holiday.com
Spain-Holiday.com is the leading holiday rental platform offering
more than 15,000 quality holiday rental homes in Spain.
Their industry blog, RentalBuzz, provides the community of
holiday rental owners with the latest industry news, extensive
coverage on tourism laws in Spain, in-depth guides, travel trend
reports and useful tools.
Note: This document does not constitute official legal advice and we recommend that you consult with an expert
about your specific circumstances.