The General Data Protection Regulation (GDPR) for your hotel

The General Data Protection Regulation (GDPR) is a major overhaul of the EU data protection law. It upgrades the previous data protection directive of 1995 and is more suited to present day digital challenges, aiming to bring a uniformity to data protection. The GDPR will have a big impact on the way you collect, store, process, and manage personal data of EU citizens, whether they are your clients, partners or employees.

Since May 25th 2018, any organisation which processes personal data on EU citizens is required to have adequate measures in place and conform to a number of regulations or face risking hefty penalties. Created to strengthen and unify data protection for individuals across the world, the GDPR aims to return control to EU citizens over their personal data and ease the flow of PII (personally identifiable information) globally.

Does it apply to my hotel business located outside the EU?

GDPR applies to data collected and stored on EU citizens, wherever they are in the world. It will have an impact on the entire, global hospitality sector.

The big impact on the hospitality industry

The hotel industry is particularly vulnerable to data threats, due to the multiple points of payment, email and online booking systems and documents containing card data. A very high volume of payment card transactions occur daily and guest information can often be stored long term. Typically, a hotel database will hold guest names, addresses, date of birth, credit card details, passport details, and so on. This is a lot of sensitive data that could be used fraudulently. Couple this with information which is received from multiple sources, such as point of sale systems, third-party bookings, emails, own website enquiries and walk ins, hoteliers are an easy target for cyber criminals. GDPR is a game changer, because the hotel industry now needs to identity where data is kept and ensure that it is protected.

What if I am not compliant?

If an EU citizen files a complaint, the hotel may face hefty fines. The maximum fine is set to 20 million Euros, or 4% of the annual global turnover (whichever is the greater).
In the event of a breach, the European Regulator must be notified within 72 hours where this is likely to result in a risk to the rights and freedoms of EU data subjects.

How does it apply to your hotel marketing strategy

Before May 25th, 2018, the rules on collecting potential guest data were pretty flexible. Hoteliers could market to potential customers through ‘opt-ins’ and target the user with multiple newsletters and email marketing campaigns. A general consent request can result in the user being signed up to multiple subscriber lists.

Fast forward now to GDPR’s ‘explicit consent’ rule, where hotels must explain to the potential customer what data they are capturing (the nature of the data), explain to the customer why they are capturing that data (the purpose of the data) and explain to the customer who is requesting that data and who else will have access to this data. The idea is that the person you’re seeking to collect data from, understands with clarity what data you want and what you’re going to do with it. It’s only then that they can make the decision to consent.

Now here’s the tricky part; under GDPR this consent only applies to the specific purpose which you have declared. Gone are the days when you could take that personal data and use it to market across multiple campaigns. You are now required to ask for consent for each individual marketing campaign or newsletter.

It’s going to require some work. A good starting point might be with your own hotel website. Identify where on the site you request information; it may be a newsletter opt-in or an enquiry form. Consider the best possible online, user experience alongside being able to clearly outline your data use policy.

It’s not all bad. If you can clearly show that you respect an individual’s personal data, it shows that you care. In the future your marketing campaigns will be dedicated to those who are invested in your brand.

An Individual’s Rights and Hotel Response

It’s a hotelier’s responsibility to recognise that data belongs to the guest and define a core data protection policy with that in mind. Here are some individual rights under the GDPR and what action you can take to ensure compliance:

• The right to be informed – clearly outline what data you are collecting, why and for how long.
• The right to access/modify data – give access to personal data immediately, in a readable format, and edit on request.
• The right to give/withdraw consent – this refers to explicit consent (explained earlier). Offer an option to withdraw consent easily and track how and when you collected the data and consent.
• The right for data erasure – consider the individual’s rights against public interest when receiving a deletion request and delete where appropriate.
• The right to transfer data – give the user access to their personal data to transfer on request.

Hotelier Action Steps

Hoteliers need to undertake action now to bolster data security and avoid the risk of breaches.

Be Clear and Transparent

• All data collection must meet GDPR requirements.
• Collect the minimum amount of data required for that purpose.
• The user must be informed of the purpose of data collection and the time period of processing.
• Only use the data for that agreed purpose (no more multiple marketing campaigns).
• Data must be accurate and amendments made if necessary.
• Store data for a limited period and then erase.
• Data must be kept “in a manner [ensuring] appropriate security”, which includes “protection against unlawful processing or accidental loss, destruction or damage”.
• Prove your compliance to GDPR - Organizations must be able to demonstrate documents that prove their compliance with GDPR.

Record Keeping

• Create a clear guideline for how PII is collected and managed. A hotel must keep technical and organisational records to prove it is protecting data and have that available to view.
• Opt-in on your website – to allow your hotel to store PII data. Explain the process and enable access and modification or deletion.
• Know the location of all PII held and ensure strict guidelines in accordance to the hotel data protection policy.
• Ensure efficient security systems are in place for maximum data protection.

Training

Everyone in your organisation who deals with Personal Guest Information should be aware of GDPR. Hotel staff must be aware of how to collect, access, use, and disclose personal information as well as how to restrict access to cardholder data. Employees must also be advised on how to create strong passwords, and know how to properly dispose of documents containing payment card data.

PCI Compliance and GDPR

If you’re already PCI compliant, then this accreditation lays the foundation for GDPR compliance. To be PCI DSS compliant, a hotel must have taken appropriate steps when processing payments such as:

• Ensuring your IT systems are adequate.
• Encrypting card holder and other sensitive data.
• Secure systems to prevent data breaches (firewall, anti-virus software, access controls).
• Security technology investment.
• Security policy in place and accountability to protect data.

Often, improved security solutions can result in significant operational efficiencies. And let’s face it, nobody wants the bad publicity and financial repercussions of a data breach post GDPR.

For more practical steps about implementing the right protocols at your hotel, you can read our GDPR guide for your Hotel in 10 practical steps.

And if you’d like to get expert help and advice then please get in touch with us, or subscribe to our newsletter - we promise not the raid your inbox!

More articles about Opening & Setting Up

• The General Data Protection Regulation (GDPR) for Your Hotel
• GDPR Guide for Your Hotel - 10 Practical Steps
• How to Create Your Hotel Competitive Set Analysis?
• Top Hospitality KPIs to Evaluate Your Hotel Performance