GDPR sets a high standard for valid consent, and consent is one of the lawful bases for processing personal data, but it is not always required. Other lawful bases, such as the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, and the controller's legitimate interests, exempt the liability on
Apart from obtaining the consent of data subjects, GDPR compliance also involves other obligations and principles, such as transparency, purpose limitation, data minimization, accuracy, storage limitation, and security of personal data, as well as respecting the data subject's rights of access, rectification, erasure, and objection.
Consent is therefore not the sole element of GDPR compliance. The following are some of the areas that any assessment of GDPR compliance should cover.
Data Mapping and Inventory:
• Identify and document all personal data collected and processed by the hotel.
• Determine the sources of personal data and the purposes of processing.
• Maintain an inventory of personal data categories, including guest information, employee data, marketing data, etc.
Lawful Basis for Processing:
• Establish a lawful basis (e.g., consent, contractual necessity, legal obligation) for processing guest and employee data.
• Ensure that guests are informed of the specific purposes for collecting their personal data.
Privacy Notices and Consent Management:
• Implement a consent management system to obtain and manage guest consent for processing their personal data.
• Provide clear options for guests to give and withdraw consent (withdrawal must be as easy as giving it), and keep records of the consent received.
Data Subject Rights:
• Enable guests (customers) to exercise their rights, including the rights of access, rectification, erasure, restriction of processing, and data portability.
• Establish procedures for handling guest requests and ensure timely responses (in general within one month of receipt).
Data Security:
• Implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, alteration, or theft.
• Regularly assess and update security measures, including encryption, pseudonymization, access controls, and employee training on data security.
Data Retention:
• Define and adhere to specific retention periods for different categories of personal data.
• Regularly review and securely dispose of data that is no longer necessary for the identified purposes.
Third-Party Processors:
• Ensure that any third-party service providers or processors handling personal data (e.g., cloud storage, reservation systems) comply with GDPR requirements.
• Establish data processing agreements with third parties to clarify their responsibilities and ensure adequate protection of personal data.
Data Breach Response:
• Develop a data breach response plan outlining procedures for detecting, containing, documenting, and reporting data breaches.
• Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Staff Training and Awareness:
• Provide training to employees on data protection principles, GDPR requirements, and their responsibilities regarding personal data handling.
• Foster a culture of privacy awareness and regularly update employees on changes in data protection regulations.
Cross-Border Data Transfers:
• Ensure compliance with GDPR rules for transferring personal data outside the European Economic Area (EEA), relying on an adequacy decision where one exists or on mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Data Protection Officer (DPO):
• Designate a Data Protection Officer if the hotel's processing activities meet the criteria defined by GDPR (for example, core activities that involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data).
• Ensure the DPO is knowledgeable about data protection law, reports to senior management, and acts as the point of contact for data subjects and the supervisory authority on privacy-related matters.