By now, many resort teams will have heard about the new European General Data Protection Regulation (GDPR) that came into effect on 25th May 2018.
The law is EU-wide and involves any business and its third-party suppliers that store and process the personal data of EU individuals.
The aim of GDPR is simple: to give control over their personal data back to citizens and to create a uniform regulatory environment for those doing business with EU individuals.
Importantly, but not widely understood, the regulations need to be implemented by businesses who have EU-based clients or who market to EU citizens, irrespective of where they are located.
So, what is GDPR all about?
Simply explained, the law is specifically changing focus to prioritise the individual’s rights, including the right to be informed and the right to be forgotten (erasure of data). Other key areas include:
- Data security and privacy, which must be by design with a documented process in place;
- A 72-hour timeline requirement for data breach notifications and responses to individual data requests; and
- Granular consent to receive marketing communications.
As a result, businesses now need to operate to a higher standard of data security, with new policies and procedures in place and with data protection and privacy by design in everything that your business does – for leads, members and your staff.
We have also ensured that all our third-party suppliers comply with the new GDPR regulations.
Importantly, we have made some significant changes to our software’s functionality that will assist resorts, wherever they are located, with their GDPR compliance. Our clients have received copies of our GDPR Knowledge Base documents which outline the changes that we have made including:
- The ability to flag names, manually and automatically, as legitimate interests;
- Merlin’s existing website registration pages have been enhanced to allow double opt-in functionality, a key requirement of GDPR;
- Users can now create an opt-out page and have the link to this opt-out page in all communications sent from Merlin. If a customer chooses to opt out, they will no longer receive marketing material;
- Users now have the ability to provide granular consent for each customer, indicating the forms of communication they want to opt in to or opt out of. For example, customers may want to opt in to receiving emails, but opt out of receiving calls or text messages. Customers will be able to update their preferences themselves, and there will be controlled rights for users to update these as well;
- Data subject access request – in order to satisfy the requirement to be able to provide a data subject with a report on all information you hold on them, Merlin can now produce this report for you;
- A forget-me function has been included which allows you to delete all information you hold on a Data Subject in line with GDPR requirements;
- Strengthening password requirements in line with global standards for internet security.
All of the above will have strict rights controls through the new GDPR Data Protection Officer User Group, which grants users the rights needed to perform specific GDPR processes.
If your current timeshare and fractional software is unable to assist you with your GDPR compliance, then why not contact the Merlin team for a demo of this new functionality? We’d love to show you how our recent enhancements will support your GDPR compliance and make sure you avoid those dreaded big fines.
And our cloud-based software is rather good too.