The Impact of GDPR on the Hospitality Sector


The General Data Protection Regulation (GDPR) sets guidelines for the collection and processing of personal information. Hotels should take the necessary action to safeguard personal data and avoid the financial repercussions that could result from a lack of compliance.

The new Data Protection Act goes into effect May 25th. Many hotels have already started taking necessary actions to safeguard personal data to avoid the financial repercussions that could result from a lack of compliance.

This brief guide will give you a quick summary of what GDPR is and how it will affect the hospitality sector.

What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for collecting and processing personal information. The aim is to give consumers more control of their own data.

GDPR will replace all data protection legislation in EU member states, including the UK’s Data Protection Act 1998. Companies like Microsoft have teams dedicated to GDPR.

GDPR and Hotels

This is a serious change for hotels in Europe. But what if you’re a small hotel? Does this still apply to you? The answer is “yes!”

The regulation states organizations with 250+ employees must appoint a DPO (Data Protection Officer). This may give the impression that many small businesses will be exempt. However, it’s not quite that simple. ALL businesses must comply if they are involved in the regular processing of certain categories of personal data.

These categories include health data, information on individuals’ racial or ethnic origin, political affiliations, religious beliefs, genetic and biometric data, and sexual orientation.

Since hotels possess data, including personal details and credit card information, they are more vulnerable to threats. This is why GDPR cannot be ignored.

If my hotel doesn’t operate in the EU, will I still be affected?

It is essential to understand GDPR applies to the handling of information of EU citizens, not just hotels operating in Europe. So, even if you are a hotel in Asia, and you have guests from the EU, you need to be aware of the regulations and requirements. Any hotel that works with information about EU citizens must comply with the GDPR requirements.

This is the first global data protection law that impacts the entire hospitality sector.

How to Prepare for GDPR

Hotels should already have practices and processes in place for dealing with data. However, this is not always the case. Hotels, both large and small, often make mistakes when it comes to personal data. The penalties for doing so will now be far higher.

One of the first things hotels should do is review all the data they hold. This includes data on past and present employees, suppliers, and customers. Consent practices should cover both past and present records. If they don’t, refresh consent where necessary.

Below are examples of platforms hotels should review:

  • CRM systems
  • Booking Engines
  • Website Developers
  • Payment Processors
  • Email Marketing
  • Membership
  • Social Media Marketing
  • Customer Databases
  • Website cookies
  • Employee Management Systems

Basically, anything that contains personally identifiable information should be covered. Failure to comply will be very expensive – with fines of up to 4% of annual global turnover or €20 million, whichever is greater.

Respect for guest privacy is crucial in the hospitality industry. Organizations should not underestimate the importance of adapting to GDPR regulations. If you haven’t started reviewing data, start ASAP, as this could be lengthy.

How to Make Data Compliant with GDPR:

  1. Make customers aware – Hotels now have an obligation to inform individuals of their rights under GDPR as part of the data collection process. Many privacy policies or T&Cs will likely need to be updated.
  2. Know the purpose of the data – Personal data must be captured for a specific purpose. What data will you capture, and why are you capturing it? If there is no purpose for collecting a specific piece of data, you probably shouldn’t collect it. One of the fundamental principles of GDPR is not to retain personal data for longer than necessary. Furthermore, data cannot be further processed in a way that conflicts with the purpose it was collected for. For example, an email address taken at the time of booking cannot be used for email marketing at a later stage without the guest’s consent. Drafting a data flow map will usually help a business understand what data comes into the company, who manages it, and where it ends up.
  3. Have consent – Consent is much tighter under GDPR, and this is crucial to get right. Hotels must be able to prove their customers have given consent for their data to be used for marketing purposes, and must specify which data will be used. Another important step is reviewing the consent given when data was originally collected. For example, if it was collected under “opt-out” or other mechanisms that GDPR invalidates, a business is automatically open to prosecution if it continues to use this data for any purpose where consent is legally required. Even if customer lists have been purchased from a third party, it is the hotel’s responsibility to ensure it receives documentation that proves consent from those customers.
  4. Audit and review current data processes – Hotels need to decide how information will be stored and handled, and whichever method is chosen needs to be secure. If data is stored electronically, encryption is a must. Company-wide data security measures should also be in place, and employees should be educated on how to keep data secure.
  5. Make sure payment processes are compliant – Hotels accept payments every day and must ensure they are already compliant with the Payment Card Industry Data Security Standard (PCI DSS). This means that if a company intends to accept card payments and store, process, and transmit cardholder data, it needs to host that data in a compliant environment.
  6. Train your employees – Employees should be trained and know what to do when a personal data breach occurs. Ensure your employees understand what constitutes a personal data breach and what can lead to one. Build processes to pick up any red flags. Employees must also know the procedure to follow in the event of a breach and report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.

These are only a few examples of ways to make your data compliant.

In Conclusion

Complying with GDPR may seem like a huge task. But in reality, it can be used to your advantage, adding value to your hotel and building meaningful customer relationships. Ensuring personal data is appropriately collected, managed, stored, and retained will require a considerable overhaul of current operations. Hotels should take action now before the law goes into effect in May.

Author Bio: Victoria Ward of Nexon Hospitality enjoys digital marketing and is a digital marketing executive at Nexon Healthcare.


© 2024 Social Hospitality, LLC. All rights reserved.