General Data Protection Regulation (GDPR) is a new regulation that tightens security requirements for the personal data and privacy of EU citizens. The law goes into effect on May 25 and, with strict penalties for non-compliance, it will change how companies do business in Europe.Here’s what you need to know about how Zenoti supports your business in complying with GDPR.
What is GDPR?
GDPR was adopted by the European Parliament in 2016. It requires businesses to protect personal data and privacy of EU citizens, and it regulates the exportation of data outside the EU. The same standard applies to all 28 member states of the EU, so if your company does business anywhere in the EU it has to meet the same standard.
What type of information does GDPR protect?
- Basic information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Does GDPR apply to my company?
Companies are impacted by GDPR if they store or process information about EU citizens within EU states, even if they don’t have a business presence in the EU. Read more about the specific criteria here.
How is Zenoti impacted by GDPR?
Zenoti is categorized as a data processor under GDPR. At a high level, this means GDPR requires Zenoti to clarify what personally identifiable information Zenoti stores and processes, how it is used and how long the information is retained. GDPR also requires Zenoti to allow our customer's guests to view, edit, delete and print their data. We have to provide the right to restrict processing (for non-essential uses, like marketing) and obtain parental consent for guests who are less than 16 years of age (can be lowered to 13 years old by some states). Finally, GDPR places restrictions on automated decision-making and profiling of customer data; however, we do not currently perform either of these activities for our EU customers nor do we collect any data classified as "special category" by the regulations.
How will Zenoti meet GDPR requirements?
Zenoti already meets several requirements of GDPR. We already offer the ability to edit, update and delete a guest’s profile in the system, and we are in the process of adding the ability to print guest data. We’re also in the process of updating Zenoti to record consent for non-essential uses like marketing when creating a new guest profile. Our EU customers currently obtain this consent independently and will continue to do so in the future. The same is also true of parental consent.
Zenoti also already meets the requirement of data protection under GDPR. We are hosted on the Amazon Web Services (AWS) infrastructure, which also implements several safeguards and is approved by the EU to host and manage data of EU citizens. Zenoti has also registered with the EU-U.S. Privacy Shield Framework and is committed to the program’s rules regarding the collection, use and retention of personal information.
Zenoti is also in the process of updating our data retention policies to be in-line with GDPR. All system monitoring and logging data that may contain personally identifiable information, such as a Internet IP addresses, etc., are already purged after a set duration (different for each type of data). All of these updates will be completed by the May 25 deadline.
How will GDPR change my Zenoti account?
Some of the GDPR changes will be implemented for all Zenoti customers; this includes the ability to capture parental consent and print customer data. Other features, such as recording consent for non-essential marketing use, will only be made available to EU customers. All changes for GDPR will be available in Zenoti by the May 25 deadline.
How can I learn more about GDPR and Zenoti?
For more information on GDPR and Zenoti, including how to configure your account for GDPR compliance, read the support article here.