Since leaving the EU we have our own version of GDPR, snappily titled UK-GDPR, but we also need to be aware that the original GDPR applies where we process the personal data of EU citizens and residents, who we encounter as both Guests and employees.
Regardless of the form of direct marketing, you should have the ability to unsubscribe – there might be a link in an email they’ve sent you, or other contact details if it’s post. If you can’t find a way to unsubscribe, you always have the right to contact their Data Protection Officer or Privacy team, and you can usually find their contact details in the company’s privacy notice. You have the right to object to direct marketing: let them know and they’re obliged to respect your wishes promptly (within a month, usually).
You’re correct! We use a two-step process to make sure confidential data remains safe when sent. When we email the information, we need to make sure that the data are password protected and that the password is sent by a different form of communication. If the file and the password are both in someone’s inbox, the password adds no security: if the inbox is compromised, both the file and the password are visible. Remember, always send the protected file and the password by different communication channels. Our Sharing Email Guidelines give pointers on how you can achieve this.
There are a lot of changes and updates to our laws as the UK and EU adapt at a fast rate. The primary data protection laws that we work with are the UK’s and Europe’s General Data Protection Regulations (UK-GDPR and GDPR), the Privacy and Electronic Communications Regulations (PECR) and ePrivacy Regulations, and the UK’s Data Protection Act 2018 (DPA2018), but as a global organisation, we’re keeping an eye out for new and updated laws around the world that also affect us.
Taste delicious! Sadly, this question is less about our favourite snack and more about web browser cookies. ‘Cookie’ is the term used for small amounts of information stored on your device that can be accessed by the websites you visit, and they are often used for security, login, and tracking purposes. Cookies can be used to track where you go and what you do online, remember what goods you’ve added to your online shopping cart and personalise your webpages. The danger with cookies, however, is that the data they store can be used to build a profile of you, your behaviours and preferences, and potentially intrude on your right to a private life. Discussion about cookies can be very technical, so get in touch with Privacy or our friends in IT Security and we’ll answer any specific concerns.
Excellent question, and it depends on the type of marketing - we’ve always used consent for our marketing activities. Quite often when a guest calls we find that we have some consent from them but they may have forgotten when and how they agreed. Sometimes they’ve created a new profile and so we hold two different sets of consent for them. If any guest wants us to stop marketing towards them we’re always happy to do so and we’ll update their details accordingly.
We record guests’ consent for marketing through MyAccount. If you’re asked to update a guest’s marketing preferences or contact details, always make sure you’re looking at the correct guest’s records, as the wrong address or name being changed could lead to marketing being sent to the wrong person! So, remember to be vigilant when collecting and updating guest information, and they always have the right to opt out of direct marketing if they want.
We’d rather not if we can help it, as the response rate isn’t great! Ideally, we want to refresh consent at positive points in the guest journey when they’re likely to say ‘yes’. Of course, we’re all working hard on return to service so we’re all aware that some business priorities have to happen first. We’re hoping we can work with our marketing teams on enabling this journey later in the year. That said, our guests can always update their marketing preferences at any time by logging onto their MyAccount, using the link at the bottom of marketing emails or by contacting our Contact Centre by the usual routes.
Great question! There are actually a few terms that we use that sometimes get mixed up, so I’ll cover a few more than you asked!
Data Protection and Data Privacy are quite often used interchangeably, but they have a significant difference:
- Privacy is broader and considers the ‘why’ as much as the ‘how’.
- Data Protection is more about the ‘how’: the policies, processes and protections that we put in place to keep the personal data we use secure.
- GDPR is one of the many laws that apply to our processing of personal data.
People, especially guests, often say ‘GDPR’ when they mean ‘data protection’. Although we usually know what they mean, hopefully you now understand the difference!
DPIA stands for “Data Protection Impact Assessment”, a process we go through when we’re thinking about using personal data in a new or changed way. A DPIA helps us identify and document data-related risks. Many of our projects require a DPIA to be conducted, as those projects are changing how we work with data in the business.
Today, the 28th January, is the 41st anniversary of the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108 to its friends), one of the most important pieces of data protection law in history. Most current data protection law worldwide can be traced back to this original agreement. Today, there are 55 signatory countries to the Convention.
A big thank you for all your questions from all of us here in the Privacy Team. We hope that you’ve enjoyed our answers and, as always, if you have Privacy issues or concerns, give us an email at Privacy@carnivalukgroup.com. Finally, did you know that the UK has an average score of only 64% on the National Privacy Test? More surprising is that this puts the UK as the second highest country by national privacy score. Now that we’ve answered your questions, do you think you can do better than the UK average? Why not take 5 minutes to test yourself at http://nationalprivacytest.org. Good luck!