The hotel industry is considered to be one of the most targeted industries for data threats, as a result of hotels processing , and in almost all cases store long term, a very high volume of guests’ personal information and payment card transactions daily.
And there are numerous examples to back up this statement! Hotel groups and single venue hotels have reported more than twelve data breaches and data security attacks since 2010, including leading brands such as Hyatt, Hilton, Kimpton, Omni etc.
Such high volumes of personal data attract the attention of highly skilled hackers and criminal organisations as data is the new gold for such organisations.
The GDPR was created to bring as much uniformity into data protection as possible, giving control back to citizens and residents over their personal data and to simplify the regulatory environment for international business with a regulation that is far better suited to the challenges today’s digital world poses.
And before you say “EU?”, GDPR will also apply to non-EU countries. Despite the fact that this is an EU regulation, GDPR will apply to any organization that is processing or holding EU personal data, regardless of the location in which they are situated.
How will hotels be impacted?
There are a number of requirements that hotels will need to provide and prove when it comes to the use of personal data such as:
- A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies so that a hotel always knows the status of such information.
- A hotel must keep technical and organizational records to prove it is protecting data.
- A hotel must outline its guidelines for collecting and managing PII.
- When it comes to digital marketing and collating of personal information, Hotels need a section on their website that permits “opting in,” thus allowing hotels to store PII data. Hotels also must be able to prove that their audience has given consent for their data to be used for marketing purposes, must also specify which data they wish to be used, and explain the process, enabling guests to access, modify and delete information. If a list of potential customers has been purchased, the hotelier must also receive documentation that proves that consent has been given for the data to be used.
What are the Main Requirements For Compliance with GDPR
In order for hotels to comply effectively with the GDPR they need to ensure they review their connections to data processors, their own security policies, and if they have the necessary qualified staff on hand to negotiate the new laws. This includes all departments including CCTV.
- Data Mapping: Hotels receive personal data details through multiple channels and touchpoints including email, fax, phone, website, forms, etc., and this data is often stored on multiple platforms across several departments, so one of the first issues a hotel needs to tackle is to complete a full data map to become aware of what data is captured, where this information is stored, who manages the data, how it is used, including where it ends up, before beginning the process of how to protect and monitor it moving forward.
- Data Security Assessment: Once data mapping is completed hotels need to decide how information will be stored and handled, and then tested and documented on how to secure the data is and identify any weaknesses. Hardware and software applications should also be reviewed along with hard copy files. If the information is stored electronically, a series of encryption codes, passwords or limitations on access may need to be implemented to protect access to, and the integrity of the data.
- Implementation of new GDPR policies: One of the key principles of GDPR is not to retain personal data for longer than necessary. Although onerous, your current data records will need to be cleaned up – deleting what is not required and validating the data that is required.
- Ongoing compliance and monitoring: Maintaining GDPR will be an ongoing process. To ensure you continue to comply and reduce the risk of data breaches, hoteliers should:
- Invest in training of all relevant staff members to ensure they have a thorough understanding of the new procedures and the implications of the regulation.
- Provide regular refresher training for all staff to ensure an awareness culture exists and protect against possible breaches.
- Ensure employees know the processes in the event of a breach and to report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.
Hotels, both large and small, often make mistakes when it comes to personal data but under the new GDPR, the penalties for doing so will now be far higher. A misuse or breach of personal data will carry the risk of administrative fines of up to 4% of total annual worldwide turnover (which is huge), not only that but you also run the risk of tarnishing your reputation and end up paying out for damage claims.
No matter what you decide to do to achieve GDPR compliance if you haven’t already started, it is vital that you begin preparing for GDPR now. Becoming GDPR compliant will not only take longer than you realize, but failure to comply and update your data protection processes to safeguard guest data means you run the risk of severe financial penalties.
Good News is on the way Launching on 29th April 2019 the Relentless GDPR 24/7 platform goes live. All the above GDPR requirements can be implemented and maintained in one place.