Approaching the second anniversary of the European Union's General Data Protection Regulation (GDPR), organisations within the international hospitality sector are still struggling to come to terms with how to achieve and maintain compliance.
In a nutshell, the GDPR protects the personal information of people in the EU, giving them the right to decide how their personal information is collected, processed and managed. The main rights it grants to data subjects are:
- Right to Be Informed: Before data is collected, a data subject has the right to know how it will be collected, processed, and stored, and for what purposes.
- Right to Access: After data is collected, a data subject has the right to know how it has been collected, processed, and stored, what data exists, and for what purposes.
- Right to Correction (“Rectification”): A data subject has the right to have incorrect or incomplete data corrected.
- Right to Erasure (Right to Be Forgotten): A data subject has the right to have personal data permanently deleted.
- Right to Restriction of Processing: A data subject has the right to block or suppress personal data being processed or used.
- Right to Data Portability: A data subject has the right to move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format.
- Right to Object to Processing: A data subject has the right to object to a public authority or company processing their data, in particular where the processing rests on public interest or the organisation's legitimate interests rather than on the data subject's consent, and to object at any time to processing for direct marketing.
It is important to understand that under the GDPR an organisation needs a defined 'purpose' for processing personal information and a 'lawful basis' for doing so, while adhering to the data protection principles set out in Article 5 of the GDPR.
What this means for international hoteliers
Essentially, a hotel company outside the EU that actively markets or sells products or services to, or monitors the behaviour of, data subjects in the EU falls under the GDPR. The data subject doesn't have to be a citizen of the EU, just resident within the EU.
Likewise, if a company is established in the EU, whether as a data controller or as a data processor, the GDPR applies to it as well. The consequence is that it must protect every individual's personal data regardless of where those people are located or where their data is collected. As a result, U.S. hoteliers with a presence in the EU must protect their guests' and their staff's personal data as the GDPR requires.
This places a great many people within the scope of the law.
The paper also states that hoteliers need to be aware that using third-party vendors, such as booking sites and marketing services, could be viewed as offering goods and services to data subjects in the EU.
Penalties for noncompliance with the GDPR are tiered: up to €10 million or 2% of the company's total worldwide annual turnover, whichever is greater, for the lower tier of infringements, and up to €20 million or 4% of turnover, whichever is greater, for the more serious tier, which includes breaches of the basic processing principles and of data subjects' rights.
Let’s talk compliance
What hoteliers need to do to comply with the law depends on what their individual company operations cover.
Hoteliers will need to determine how they acquire guest information, what types of guest information they acquire, categorize it all and then analyze how they use it. This is a complex task because there are multiple collection points: conferences, hotel excursion vendors, taxi and limousine operators, Wi-Fi operators, in-house entertainment systems and so on.
It's also necessary to assemble a team of managers to help identify the highlighted issues, which means bringing in someone from IT, management, operations and marketing. If the situation triggers the requirement for a data protection officer, the company will need to make that appointment, which could be an individual employee or a third-party vendor.
Part of the complexity of the GDPR is that it recognizes that no two companies are the same: no entity operates the same way, uses data the same way or collects it the same way.
Hoteliers must also prepare a response plan for the case where a data subject contacts the hotel to invoke one of their rights under the GDPR, such as the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the notification obligation regarding rectification, erasure or restriction of processing, the right to data portability and the right to object. Such requests must be answered without undue delay and in any event within one month of receipt, extendable by a further two months where requests are complex or numerous.
It's also necessary to develop a GDPR awareness training program, ensure all relevant staff members are trained, and refresh that training as the regulations and their interpretation evolve.