NAVIS & The General Data Protection Regulation  (GDPR)

What GDPR means for your business and why it’s important to partner with technology companies that are GDPR-compliant.

The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The regulations are intended to help European Union citizens stay in control of who collects their information and how it’s used. GDPR impacts how personal data is collected, stored, shared and processed, as well as empowering European Citizens to take total control of their data privacy. Despite being a European Union regulation, GDPR has far-reaching implications for any business with European customers.

NAVIS’s GDPR Commitment

NAVIS is committed to providing the highest level of security and service to our clients and their guests.  We take data security and privacy very seriously at NAVIS.  We have invested heavily in bolstering our technical infrastructure, modifying our products and developing tools to help clients become GDPR compliant.

Became PCI Level 1 Certified.  Not just “compliant”, but “certified” by 3rd party auditors.  A large part of GDPR compliance is ensuring all systems and processes that hold personal information are properly protected.

Updated Service Agreements and Privacy Policies to reflect GDPR standards.

Modified our systems and processes to seamlessly capture the “Country” information of guests so clients continue to grow their marketing database.

Changed our products to acquire the proper consent from guests so clients can communicate and market to them in the future.

Worked to proactively improve the quality and completeness of the data in our clients’ databases to help populate “Country” information.

Developed tools and reporting to help clients search for and create a complete record of guest data found in our systems.

We’re applying GDPR standards to all data, not just the European Union. NAVIS and our clients will be prepared as more US-based regulations come in the future.

Frequently Asked Questions

How will NAVIS interact with our PMS data in relation to GDPR?

Nothing has changed in relation to how NAVIS will interact with your PMS data post-GDPR.   Your PMS data is integrated into the NAVIS platform to ensure that we have a complete view of your guest database and to make it easier for the call center to identify previous guests.

Will we need to gather guest data from sources outside of NAVIS?

Yes, your compliance with GDPR goes beyond NAVIS.  GDPR encompasses your entire organization and all places where guest data may be stored.

Does NAVIS have a GDPR certificate like the PCI Level 1 AOC?

There is no certificate or governing body that certifies if you are GDPR compliant.  Although having a PCI Level 1 certificate certainly helps ensure you are partially GDPR compliant because of the security and controls in place for data protection.

Will NAVIS assist in pulling guest history or do I pull it myself?

NAVIS provides existing clients the tools, training and means of pulling guest history when a request is made.  NAVIS will not be responsible for pulling guest history on the behalf of a client.

Does NAVIS capture “Country” information for clients using the NAVIS platform?

NAVIS provides areas within the platform where “Country” information can be captured in the system.   The success of capturing this information is dependent upon the policy and processes employed by the client and their staff.

How does NAVIS capture and document guest consent?

Documenting guest “consent” is a key requirement to GDPR compliance.  NAVIS provides best practices for gathering guest consent through a number of different means.  While certain processes and procedures are put in place, it’s still the responsibility of the client to get proper guest consent and document that consent within the NAVIS platform.

How does NAVIS verify the legitimacy of a guests’ request for their information?

NAVIS provides existing clients the tools and means for pulling guest history, but the verification of guest requests and decision to pull history is the responsibility of the client.

Will NAVIS permanently removed guest data from the NAVIS database?

NAVIS will retain personal data for the period necessary to fulfill the purpose for which data was collected unless a longer retention period is required for legal, security or other reasons permitted by law. If desired, clients of NAVIS can obfuscate or change the name and contact information of a guest, therefore making it non-personally identifiable. As a best practice, you should always try to delete or overwrite guest data from the source first. i.e. for booked stays, delete the guest information or obfuscate their name and related information in the PMS. This will update the NAVIS CRM records via the PMS integration. For lead information (not booked) you should delete or obfuscate the record in the NAVIS CRM.

Do I really need to designate a “security officer” within my organization?

Yes, GDPR requires you designate someone responsible for the policies and procedures related to personal data.  NAVIS requires this as well.  This person will act as the primary contact for training and best practices pertaining to GDPR compliance and using the NAVIS solution.

Is a guest’s oral “consent” sufficient for GDPR?

Yes, guests can give oral consent and this meets the requirement of GDPR.  These conversations are recorded by NAVIS and saved for up to 3 years.  These recordings can be used to prove that consent was given if contested by a guest.

Can the recordings be given to a guest who is questioning if consent was given?

No, you should not download the recordings and provide them to a guest.  These recordings capture all information (other than credit card details) that was discussed during the entire conversation.  These often contain personal information from other individuals on the recording that shouldn’t be shared –  i.e. agents name, other guests on the reservation, etc.  You could be in violation of GDPR if you provided the full conversation to a guest and another person’s information was included without their consent.

What if I don’t have country information or don’t know if I have proper consent?

As part of the NAVIS solution we implemented safeguards to give you greater control over your data and avoid potential mistakes.  All European Union records and any guest with an unknown country will go into a new status called “Privacy Hold” until the guest double opts-in.

What if a guest has missing information and they never opts-in or provides their “country” information after being sent the double opt-in email?

By default, the guest will stay within the “Privacy Hold” until a record is completed.  According to GDPR any record that does not have a country should be treated as if it could be a European Union citizen.  We recognize that you know your guests better than we do.  Due to the volume of client CRM records that do not have a country, we are making this configurable so you can choose your level of tolerance to adhere to this portion of the law.

Does my contract or agreement with NAVIS cover the new GDPR regulations around privacy?

Clients on the Master Services Agreement (MSA) have already been updated. If you’re on an older agreement or unsure what agreement you have in place, please use the form in the sections above to submit a request for the Addendum. Someone will research your situation and respond to whether any next steps are needed.

With all these email lists, opt-ins and what-if scenarios…I’m lost. Can you help?

GDPR is touted as the largest privacy regulation to occur in 20 years. You don’t need to navigate this alone. We’re hosting interactive GDPR Narrowcast Webinars on Tuesdays through June from 11 am to 12 pm Pacific. GDPR Reach Webinars on Thursdays through June from 11 am to 12 pm. Our Client Advocate and Education teams are here to help and committed to making sure you’re successful.

Can I be notified of new sub-processors that NAVIS contracts with in the future?

As a normal course of business, NAVIS may leverage 3rd party vendors and form new contracts to assist with functions of the business.  According to GDPR regulations, a vendor may meet the definition of Sub-Processor(s).  If you wish to be notified of new NAVIS Sub-Processor(s) in the future please email us or complete the form below.  In your communication please indicate you wish to be notified of future sub-processors and you will be added to the list for future notifications.