- 10th July 2018
- Posted by: Amit Khanna
- Category: Hotels
GDPR Compliance for hotels can be a sore subject for many operators, who typically hold extensive marketing databases containing personal information. In this blog, we aim to help you understand your obligations and steps to take towards compliance.
Successful hotels run on the quality of their staff, an efficient flow of data and secure vendor relationships, but these are often the weak links in the security chain.
Data breaches can spread quickly and be complex and costly to remediate. For example, in 2017 a number of hotel groups, including Four Seasons, Hard Rock and Loews Hotels, reported a data breach that affected multiple properties and locations, the source being a third-party reservations system.
Hotels are awash with personal data and remain a favourite target of fraudsters because of their numerous customer touch points:
- Customers make online reservations
- Guests present passports
- Guests present payment cards at the front desk
- Guests sign up for loyalty programs linked to credit cards
For hotels offering a wider array of guest services, the threat is multiplied, exposing the interconnection of business entities within a hotel and external suppliers.
The EU’s General Data Protection Regulation (GDPR) has shined a bright spotlight on the vulnerabilities in hotels. GDPR compliance for hotels requires a detailed assessment of hotels’ business processes, supplier relationships, technology partnerships, and personal data protection procedures. The Regulation strengthens the rights of EU citizens and residents while placing responsibility for compliance on the individual hotel or hotel group – the data controller.
Insights into Hotels’ GDPR Preparations
A recent survey by strategic payment consulting firm Edgar, Dunn & Company (EDC) found that most medium and large hotel brands operate with a highly fragmented or poorly defined data management system. Some 57% of respondents admitted that they had not started GDPR implementation, while the findings also revealed a huge lack of GDPR planning or implementation amongst medium and smaller hotels (less than 2,500 rooms).
Half of the survey respondents pointed out that their greatest challenge is the absence of qualified staff, while 33% said they did not understand where the GDPR would have an impact and 35% indicated they lacked support from their suppliers.
Guest data is handled in silos according to 40% of the survey respondents, while another 40% indicated there was a single customer relationship management database. Some 20% did not know where guest data was held, and the report concluded that Data Security or Data Protection Officers did not have a clear view of who uses guest data, when it is used and in which department it is used.
The survey of UK-based hotels took place between September and November 2017; EDC approached more than 300 small (less than 100 rooms), medium (101 to 199 rooms) and large (more than 200 rooms) international hotel chains.
Kick-Starting GDPR Compliance for Hotels
Being compliant with the Payment Card Industry Data Security Standard (PCI DSS) is certainly a positive step, but it is a giant leap from there to full GDPR compliance and the two sets of requirements are not comparable. There are still a number of actions that can be taken to reach GDPR compliance for hotels:
1. Understand the “new normal” of GDPR
Senior management must understand the main issues and risks involved. Everything in the GDPR is driven by one or more of the seven core principles, so it pays to understand them as you take steps towards GDPR compliance for hotels. Article 5.1 states that personal data shall be processed lawfully, fairly and transparently; collected for a specific purpose; limited to what is necessary; accurate; kept for no longer than is necessary; and processed using appropriate security measures. Article 5.2 emphasizes accountability, stating that the data controller shall be responsible for, and be able to demonstrate compliance with, the above principles. Key stakeholders must buy into this standard of data privacy as the “new normal” and ensure an implementation plan is formed and executed.
2. Carry out a Data Audit
This crucial early step provides the foundation for GDPR compliance. The Regulation’s requirements cannot be met without answering key questions: what personal data does your organization hold? How did you get it? What do you do with it, and how long is it stored for? Hotels are bombarded with information from numerous sources, including their own booking engine, point-of-sale systems, third-party booking systems, email messages, telephone calls and even written notes. All of these data inflows and outflows must be captured and a data asset register or inventory created.
3. Don’t panic about Marketing
A common misconception about the GDPR is that the only lawful basis available to marketers is consent, which must be “freely given, specific, informed and unambiguous”. In many cases, however, legitimate interest should be preferred because of its flexibility. Relying on legitimate interest requires a balancing assessment, in which the interests of the business are weighed against the rights of the individual. Once that assessment is passed, legitimate interest can be used as the lawful basis for both B2C and B2B marketing. Under the Privacy and Electronic Communications Regulations (PECR), it is also possible to carry out B2C direct marketing where there is an existing relationship with the customer, using the soft opt-in. These options give hotel marketing departments the chance to get creative and remind customers of the brand’s value and what they would be missing out on.
A GDPR Checklist for Hotels
Compliance with the GDPR is a marathon, not a sprint. In the UK, the ICO will want to see evidence of “best efforts”, a coherent GDPR implementation plan, justification for policy decisions and documentation of the steps taken so far. With that in mind, some key considerations are set out below regarding GDPR compliance for hotels:
- Seek out professional advice on GDPR
- Carry out a gap analysis to identify any compliance shortcomings
- Educate and train staff on GDPR
- Rewrite your privacy notice taking account of Articles 13 and 14
- Update contracts with data processors and joint controllers, in line with Articles 26 and 28
- Set up a processing register as per Article 30
- Review IT and cybersecurity, in line with Article 32
- Create or update a breach response procedure
- Review processes for dealing with data subjects’ rights