The hotel industry is considered one of the most vulnerable to data threats, because hotels process, and in many cases store long term, a very high volume of guests’ personal information and payment card transactions daily. And there is truth to this statement! More than a dozen data breaches and data security attacks have been reported by hotels since 2010, affecting everything from major multinational corporations including Hyatt, Hilton, Kimpton, Omni etc. to single properties.
The hospitality industry seems to be a favorite for hackers; the 2016 Trustwave Global Security Report revealed that the global hospitality industry has the second largest share of breach incidents! Knowing all that, you would think that hoteliers would be cognizant of the issue and proactively ensure their data was secure! However, according to Hospitality Technology’s 2017 Lodging Technology Study, 74% of hotels do not have breach protection, and less than half use end-to-end encryption for cardholder data (49%) or use tokenization at the card swipe (46%).
Hoteliers need to have their security in order. Why? GDPR. GDPR is an acronym for General Data Protection Regulation. It is an EU regulation that will come into effect on May 25, 2018, and generate the biggest changes in data protection in the EU since 1995. The GDPR was created to bring as much uniformity into data protection as possible, aiming to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business with a regulation that is far better suited to the challenges today’s digital world poses.
And before you say “EU?”, GDPR will also apply to non-EU countries. Despite the fact that this is an EU regulation, GDPR will apply to any organization that is processing or holding EU personal data, regardless of the location in which they are situated.
So with the imminent introduction of GDPR, are you aware of how the regulation will impact the way in which your hotel operates? And what should you do, or rather, what should you already be doing, to prepare?
How will hotels be impacted?
There are a number of items hotels will need to provide and prove when it comes to the use of personal data such as:
- A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies so that a hotel always knows the status of such information.
- A hotel must keep technical and organizational records to prove it is protecting data.
- A hotel must outline its guidelines for collecting and managing PII.
- When it comes to digital marketing and the collection of personal information, hotels need a section on their website that permits “opting in,” which is what allows a hotel to store PII. Hotels must also be able to prove that their audience has given consent for their data to be used for marketing purposes, must specify which data they wish to use, and must explain the process that enables guests to access, modify and delete their information. If a list of potential customers has been purchased, the hotelier must also obtain documentation proving that consent has been given for the data to be used.
How can hotels prepare and make data compliant with GDPR?
In order for hotels to comply effectively with the regulation, they need to review their connections to data processors, their own security policies, and whether they have the necessary qualified staff on hand to navigate the new laws.
- Data Mapping: Hotels receive personal data through multiple channels and touchpoints, including email, fax, phone, website, forms, etc., and this data is often stored on multiple platforms across several departments. One of the first issues a hotel needs to tackle, therefore, is to complete a full data map: what data is captured, where it is stored, who manages it, how it is used, and where it ends up. Only then can the hotel plan how to protect and monitor that data going forward.
- Data Security Assessment: Once data mapping is completed, hotels need to decide how information will be stored and handled, then test and document how well the data is secured and identify any weaknesses. Hardware and software applications should be reviewed along with hard-copy files. If information is stored electronically, encryption, passwords or restrictions on access may need to be implemented to protect both access to the data and its integrity.
- Implementation of new GDPR policies: One of the key principles of GDPR is not to retain personal data for longer than necessary. Although this is onerous, your current data records will need to be cleaned up: deleting what is not required and validating the data that is required.
- Ongoing compliance and monitoring: Maintaining GDPR compliance will be an ongoing process. To ensure you continue to comply and reduce the risk of data breaches, hoteliers should:
  - Invest in training of all relevant staff members to ensure they have a thorough understanding of the new procedures and the implications of the regulation.
  - Provide regular refresher training for all staff to ensure an awareness culture exists and to protect against possible breaches.
  - Ensure employees know the processes to follow in the event of a breach, and that they report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.
Hotels, both large and small, often make mistakes when it comes to personal data, but under the new GDPR the penalties for doing so will be far higher. A misuse or breach of personal data will carry the risk of administrative fines of up to 4% of total annual worldwide turnover (which is huge); on top of that, you also run the risk of tarnishing your reputation and ending up paying out for damage claims.
No matter what you decide to do to achieve GDPR compliance, if you haven’t already started, it is vital that you begin preparing for GDPR now. Becoming GDPR compliant will not only take longer than you realize, but failure to comply and to update your data protection processes to safeguard guest data means you run the risk of severe financial penalties.