7 GDPR principles and what they mean

The GDPR is the new data protection law that comes into force in May 2018 and drastically affects the marketing world. If you manage personal data of EU citizens, you must fully understand what GDPR means for your hotel and therefore we inform you of its 7 principles.

You probably already know why GDPR is so important to marketers around the world. It is the biggest change in the field of data protection since 1995 and applies to all companies that collect, process or store personal data of EU citizens. We previously discussed the huge challenge GDPR posed to the hotel industry due to the sheer volume of sensitive personal data and credit card information that hoteliers collect and process. The use of booking engines and multiple online payment points makes hotels more vulnerable to cyber-attacks and data breaches.

As you can see, the new legislation is very important for the hotel industry. For this reason, you should know exactly what GDPR consists of in order to prepare and comply with the new regulation. Let’s look at the 7 GDPR principles listed and explained below:


1. Legality, fairness and transparency

Collect data according to a lawful basis, fully inform the user and keep your word.

The concept of legality states that all processes that are in any way related to personal data of EU citizens must meet the requirements described in the GDPR. That includes data collection, storage and processing. The legislation has instructions and rules for each step of your data management policy.

Equity means that your marketing actions, whether performed by a data controller or a data processor, must match the information received by the data subject. In short, keep the promise you gave your customer in the notice before you collected their data. Use personal data only for the purposes you stated in the legal basis and only for the period of time you indicated.

A clear notice is what the concept of transparency is all about. The data subject must be informed regarding the purposes, use and time period during which their data will be processed. In other words, you must inform your customers exactly what you are going to do with their data and who will have access to it.

2. Purpose limitation

Be specific.

As we said earlier in the concept of fairness, you must keep your promise. In the legal notice, in addition to other things, you must inform your customers about what the purpose of the data collection is. As stated in the legislation, this purpose must be “specific, explicit and legitimate”. Data may be collected and used only for those purposes that have been conveyed to the data subject and for which consent was received.

3. Data minimization

Gather the minimum data you need.

The GDPR is designed to drive data collection to the minimum necessary. The personal data to be collected must be “adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.” Bear in mind that, under GDPR, you will have to justify the amount of data collected, so make sure you design an appropriate policy and document it.

4. Accuracy

Store accurate and up-to-date data.

Personal data must be “accurate and, where necessary, kept up to date”. You must ensure that you do not retain old and outdated contacts and ensure that inaccurate personal data is deleted without delay.

5. Storage limitations

Retain data for a necessary limited period and then delete it.

This principle refers to ‘data minimization’ and states that personal data should be “kept in a form that allows identification of data subjects for no longer than necessary”. For this reason, you should establish what the retention period is for the personal data you collect and justify that this period is necessary for the specific purposes. Do not forget to document it.

6. Integrity and confidentiality

Keep data secure.

The principle of integrity and confidentiality requires that personal data be handled “in a manner [that ensures] appropriate data security,” which includes “protection against unlawful processing or accidental loss, destruction or damage.”

The principle of integrity and confidentiality requires that personal data be handled “in a manner [that ensures] appropriate data security,” which includes “protection against unlawful processing or accidental loss, destruction or damage. Therefore, you must implement efficient anonymization systems.

× !Hola¡ Estamos aquí para ayudarte