The General Data Protection Regulation (GDPR)
is a major overhaul of the EU data protection law. It upgrades the previous data protection directive of 1995 and is more suited to present day digital challenges, aiming to bring a uniformity to data
protection. The GDPR will have a big impact on the way you collect, store, process, and manage personal data of EU citizens, whether they are your clients, partners or employees.
Since May 25th 2018, any organisation which processes personal data on EU citizens is required to have adequate measures in place and conform to a number of regulations or face risking hefty penalties.
Created to strengthen and unify data protection for individuals across the world, the GDPR aims to return control to EU citizens over their personal data and ease the flow of PII (personally identifiable information) globally.
Table of contents for this article:
GDPR applies to data collected and stored on EU citizens, wherever they are in the world. It will have an impact on the entire, global hospitality sector.
The hotel industry is particularly vulnerable to data threats, due to the multiple points of payment, email and online booking systems and documents containing card data.
A very high volume of payment card transactions occur daily and guest information can often be stored long term.
Typically, a hotel database will hold guest names, addresses, date of birth, credit card details, passport details, and so on.
This is a lot of sensitive data that could be used fraudulently. Couple this with information which is received from multiple sources, such as point of sale systems, third-party bookings, emails, own website enquiries and walk ins, hoteliers are an easy target for cyber criminals.
GDPR is a game changer, because the hotel industry now needs to identity where data is kept and ensure that it is protected.
If an EU citizen files a complaint, the hotel may face hefty fines.
The maximum fine is set to 20 million Euros, or 4% of the annual global turnover (whichever is the greater).
In the event of a breach, the European Regulator must be notified within 72 hours where this is likely to result in a risk to the rights and freedoms of EU data subjects.
Before May 25th, 2018, the rules on collecting potential guest data were pretty flexible.
Hoteliers could market to potential customers through ‘opt-ins’ and target the user with multiple newsletters and email marketing campaigns.
A general consent request can result in the user being signed up to multiple subscriber lists.
Fast forward now to GDPR’s ‘explicit consent’ rule, where hotels must explain to the potential customer what data they are capturing (the nature of the data),
explain to the customer why they are capturing that data (the purpose of the data) and explain to the customer who is requesting that data and who else will have access to this data.
The idea is that the person you’re seeking to collect data from, understands with clarity what data you want and what you’re going to do with it.
It’s only then that they can make the decision to consent.
Now here’s the tricky part; under GDPR this consent only applies to the specific purpose which you have declared.
Gone are the days when you could take that personal data and use it to market across multiple campaigns.
You are now required to ask for consent for each individual marketing campaign or newsletter.
It’s going to require some work.
A good starting point might be with your own
Identify where on the site you request information; it may be a newsletter opt-in or an enquiry form.
Consider the best possible online, user experience alongside being able to clearly outline your data use policy.
It’s not all bad.
If you can clearly show that you respect an individual’s personal data, it shows that you care.
In the future your marketing campaigns will be dedicated to those who are invested in your brand.
It’s a hotelier’s responsibility to recognise that data belongs to the guest and define a core data protection policy with that in mind.
Here are some individual rights under the GDPR and what action you can take to ensure compliance:
Do you have useful and safe processes in place to manage guest data?
Meet HotelMinder - We help ambitious independant hoteliers gain full control by increasing occupancy, direct sales and guests satisfaction with the latest technology & expert know-how.
Hoteliers need to undertake action now to bolster data security and avoid the risk of breaches.
Everyone in your organisation who deals with Personal Guest Information should be aware of GDPR.
Hotel staff must be aware of how to collect, access, use, and disclose personal information as well as how to restrict access to cardholder data.
Employees must also be advised on how to create strong passwords, and know how to properly dispose of documents containing payment card data.
If you’re already PCI compliant, then this accreditation lays the foundation for GDPR compliance.
To be PCI DSS compliant, a hotel must have taken appropriate steps when
Often, improved security solutions can result in significant operational efficiencies.
And let’s face it, nobody wants the bad publicity and financial repercussions of a data breach post GDPR.
For more practical steps about implementing the right protocols at your hotel, you can read our
GDPR guide for your Hotel in 10 practical steps.
And if you’d like to get expert help and advice then please
get in touch
with us, or
subscribe to our newsletter - we promise not the raid your inbox!
Benjamin was born in Lyon, France, with a insatiable thirst for adventure and entrepreneurship. He fell in love with Ireland and opened his first hotel in Dublin in 2008,
experiencing first hand the lack of key in hand professional hospitality services tailored for independant hotels owners.
HotelMinder was born not long after.
In depth articles, guides, tips and recommendations about Hotel Technology, Digital Marketing, Revenue Management & Hotel Operations.