What is GDPR?
At its core, GDPR is a new set of guidelines and rules designed to give EU citizens more and better control over their personal data. The GDPR aims to simplify the regulatory environment for all businesses (including hotels) so that both citizens and businesses in the European Union can fully benefit from the digital economy. These reforms are designed to reflect the world we live in now, and bring laws and obligations across Europe - including those around consent, privacy, and personal data - up to speed for the internet-connected age. Essentially, almost every aspect of our lives revolves around data, as we all know. From social media companies to banks, hoteliers, retailers, and governments, every service we use involves the collection and analysis of our personal data: your name, address, credit card number and more, all collected, analysed and, perhaps most importantly, stored by organisations.
Now, let's look at GDPR compliance. We all know that, directly or indirectly, data breaches inevitably happen almost daily. Some information gets lost, stolen or otherwise released into the hands of people who were never meant to see it - and those people may have malicious intent, selling it to a third party or using it for their own gain. Under the terms of GDPR, not only will organisations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, and to respect the rights of data owners - or face penalties for failing to do so.
How will GDPR affect hotels?
In hotels, the basic concepts, such as the definitions of data 'controllers' and data 'processors', will remain the same, but their obligations will certainly change. In the hospitality industry, the data controller would be the hotel, and a data processor could be any other body or party that processes data on behalf of the hotel, such as a software or system provider. The data 'subject' is the guest who stays in the hotel and grants access to their personal data. Typically, a hotel's database will hold some or all of the following: guest names, addresses, dates of birth, credit card details, passport details, dietary requirements, medical conditions, and more. These are sensitive details that could be used fraudulently, which is why there is a close correspondence between the Payment Card Industry Data Security Standard (PCI DSS) and the GDPR. You can think of PCI DSS as the technology provider's obligations for data security, and the GDPR as the people side of managing data securely. All hotels must now produce a detailed description of their processes in line with specific internal risk management policies.
All suppliers to the hotel that use guests' personal data, including cleaners, caterers, channel managers, property management system suppliers, online travel agencies and global distribution systems, must also be reviewed. Hotels, as data controllers, must place more emphasis on re-negotiating data agreements with these processors. To ensure that personal data is not kept longer than necessary, the hotel should establish time limits for deletion or for periodic review. Every reasonable step should be taken to ensure that inaccurate personal data is rectified or deleted. In the case of a breach, the European Regulator must be notified within 72 hours where the breach is likely to result in a risk to the rights and freedoms of EU data subjects.
How are hotels getting ready for the GDPR?
It is essential that hotels raise awareness across the whole hotel management team. There may be changes in procedures or systems, so all managers should be aware of GDPR, fully understand it, and be able to assess its impact on their department. Adequate resources should be set aside to update existing policies and procedures to ensure compliance, and staff should receive appropriate training for the ongoing maintenance of GDPR compliance. Hotels should also ensure they have an up-to-date PCI certificate at all costs.
A specific concern raised in the EDC report is that hotels are spending a long time understanding the legislation and not enough time implementing an ongoing plan for compliance, given its May 2018 inception. More than a quarter of the survey respondents stated that they did not understand where the GDPR would have an impact, while 35% indicated that they lacked support from their suppliers. When asked about putting a strategy in place, the following figures stood out:
- 20% of hotels surveyed have an ongoing GDPR project
- 23% stated they have started a plan
- 18% said they have a plan, but haven’t started working on it
- 39% of the responding hotels don’t have a plan at all
These statistics sit alongside the fact that 67% of hoteliers believe the industry is more vulnerable to a breach than any other sector (an enormous figure). To ensure they aren't caught out, hotels need to review their connections to data processors, their own security policies, and whether they have the necessary qualified staff on hand to navigate the new laws.
Who should know about GDPR inside the hotel?
The decision makers and key people in EU and EEA-based hotels should be aware that the law is changing to the GDPR. This would include at least one of the following roles, where they exist: General Manager, Head of Marketing, and Revenue Manager. These people should know everything about GDPR because, in the hotel industry, all of these roles deal directly or indirectly with a significant amount of customer and employee data.
What must hotels do about their vendors?
For each vendor that processes guests' personal information for any purpose, a hotel needs to check the following without fail:
- Determine the type of data the vendor processes.
- Determine the purpose for which the processing is happening.
- Obtain a Data Processing Agreement.
- If the vendor is outside the EU, sign the standard contractual clauses (usually part of the Data Processing Agreement mentioned above), or confirm that the vendor is a member of the Privacy Shield.
- Confirm that the vendor can handle data rights requests with an SLA of under one month (e.g. 25 days).
GDPR for non-EU hotels:
Let's understand this with an example. If you are a Hong Kong-based hotel selling to EU travel agents and third-party wholesalers based in Europe, you will fall under GDPR (you read that correctly). Even more confusingly, what if you are a US hotel company that does not sell directly through partnerships with EU-based companies, but does collect analytics data on visitors located in the EU? It is true that non-EU based hoteliers process personal data according to their local data protection regulations.
However, there are specific situations in which non-EU companies will have to comply with GDPR requirements. From a hotel digital marketing perspective, if you are monitoring user behaviour that takes place within the EU, such as booking trends out of Germany, you have to comply with the requirements of GDPR. This affects the use of different types of web analytics tools, as well as tracking for personalisation and retargeting purposes. It applies to website visits from users who are in the EU, regardless of whether they are EU citizens or not.
So, now you know almost everything about GDPR which you should have known earlier. It’s never too late! Apply the aforementioned points in your hotel & be GDPR-compliant. Trilyo is renowned for being a leader in the hotel industry and by taking a proactive approach, we have educated our clientele about GDPR. Schedule a demo with us and we will tell you more about GDPR.