The General Data Protection Regulation (GDPR)
is a major overhaul of the EU data protection law. It upgrades the previous data protection directive of 1995 and is more suited to present day digital challenges, aiming to bring a uniformity to data
protection. The GDPR will have a big impact on the way you collect, store, process, and manage personal data of EU citizens, whether they are your clients, partners or employees.
Since May 25th 2018, any organisation which processes personal data on EU citizens is required to have adequate measures in place and conform to a number of regulations or face risking hefty penalties.
Created to strengthen and unify data protection for individuals across the world, the GDPR aims to return control to EU citizens over their personal data and ease the flow of PII (personally identifiable information) globally.
Table of contents for this article:
Disclaimer : If you buy a third-party product or service from this website, HotelMinder may earn a commission. Our editorial team is not influenced by our affiliate partnerships.
Does it apply to my hotel business located outside the EU?
GDPR applies to data collected and stored on EU citizens, wherever they are in the world. It will have an impact on the entire, global hospitality sector.
The big impact on the hospitality industry
The hotel industry is particularly vulnerable to data threats, due to the multiple points of payment, email and online booking systems and documents containing card data.
A very high volume of payment card transactions occur daily and guest information can often be stored long term.
Typically, a hotel database will hold guest names, addresses, date of birth, credit card details, passport details, and so on.
This is a lot of sensitive data that could be used fraudulently. Couple this with information which is received from multiple sources, such as point of sale systems, third-party bookings, emails, own website enquiries and walk ins, hoteliers are an easy target for cyber criminals.
GDPR is a game changer, because the hotel industry now needs to identity where data is kept and ensure that it is protected.
What if I am not compliant?
If an EU citizen files a complaint, the hotel may face hefty fines.
The maximum fine is set to 20 million Euros, or 4% of the annual global turnover (whichever is the greater).
In the event of a breach, the European Regulator must be notified within 72 hours where this is likely to result in a risk to the rights and freedoms of EU data subjects.
How does it apply to your hotel marketing strategy
Before May 25th, 2018, the rules on collecting potential guest data were pretty flexible.
Hoteliers could market to potential customers through ‘opt-ins’ and target the user with multiple newsletters and email marketing campaigns.
A general consent request can result in the user being signed up to multiple subscriber lists.
Fast forward now to GDPR’s ‘explicit consent’ rule, where hotels must explain to the potential customer what data they are capturing (the nature of the data),
explain to the customer why they are capturing that data (the purpose of the data) and explain to the customer who is requesting that data and who else will have access to this data.
The idea is that the person you’re seeking to collect data from, understands with clarity what data you want and what you’re going to do with it.
It’s only then that they can make the decision to consent.
Now here’s the tricky part; under GDPR this consent only applies to the specific purpose which you have declared.
Gone are the days when you could take that personal data and use it to market across multiple campaigns.
You are now required to ask for consent for each individual marketing campaign or newsletter.
It’s going to require some work.
A good starting point might be with your own
Identify where on the site you request information; it may be a newsletter opt-in or an enquiry form.
Consider the best possible online, user experience alongside being able to clearly outline your data use policy.
It’s not all bad.
If you can clearly show that you respect an individual’s personal data, it shows that you care.
In the future your marketing campaigns will be dedicated to those who are invested in your brand.
An Individual’s Rights and Hotel Response
It’s a hotelier’s responsibility to recognise that data belongs to the guest and define a core data protection policy with that in mind.
Here are some individual rights under the GDPR and what action you can take to ensure compliance:
- The right to be informed – clearly outline what data you are collecting, why and for how long.
- The right to access/modify data – give access to personal data immediately, in a readable format, and edit on request.
- The right to give/withdraw consent – this refers to explicit consent (explained earlier). Offer an option to withdraw consent easily and track how and when you collected the data and consent.
- The right for data erasure – consider the individual’s rights against public interest when receiving a deletion request and delete where appropriate.
- The right to transfer data – give the user access to their personal data to transfer on request.
PCI Compliance and GDPR
If you’re already PCI compliant, then this accreditation lays the foundation for GDPR compliance.
To be PCI DSS compliant, a hotel must have taken appropriate steps when
- Ensuring your IT systems are adequate.
- Encrypting card holder and other sensitive data.
- Secure systems to prevent data breaches (firewall, anti-virus software, access controls).
- Security technology investment.
- Security policy in place and accountability to protect data.
Often, improved security solutions can result in significant operational efficiencies.
And let’s face it, nobody wants the bad publicity and financial repercussions of a data breach post GDPR.
For more practical steps about implementing the right protocols at your hotel, you can read our
GDPR guide for your Hotel in 10 practical steps.
And if you’d like to get expert help and advice then please
get in touch
with us, or
subscribe to our newsletter - we promise not the raid your inbox!