The General Data Protection Regulation (GDPR) applies from 25 May 2018. Many hotels have already started taking the necessary steps to safeguard personal data and avoid the financial penalties that non-compliance can bring.
This brief guide will give you a quick summary of what GDPR is and how it will affect the hospitality sector.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information. The aim is to give consumers more control of their own data.
GDPR replaces the 1995 Data Protection Directive and the national laws that implemented it in EU member states, including the UK’s Data Protection Act 1998. Companies like Microsoft have teams dedicated to GDPR.
GDPR and Hotels
This is a serious change for hotels in Europe. But what if you’re a small hotel? Does this still apply to you? The answer is “yes!”
The regulation exempts organisations with fewer than 250 employees from some record-keeping duties (the obligation to maintain records of processing activities), and a Data Protection Officer (DPO) is only mandatory where an organisation’s core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. This may give the impression that many small businesses are exempt. However, it’s not quite that simple. GDPR itself applies to every organisation that processes personal data, whatever its size, and the record-keeping exemption falls away as soon as the processing is not occasional or involves special categories of personal data.
These special categories include health data, information on individuals’ racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, and data about sex life or sexual orientation.
Since hotels hold data such as guests’ personal details and payment card information, they are attractive targets for attackers and carry real exposure if that data is mishandled. This is why GDPR cannot be ignored.
What if my hotel doesn’t operate in the EU, will I still be affected?
It is important to understand that GDPR is not limited to hotels operating in Europe. It applies to any organisation, wherever it is based, that offers goods or services to people in the EU or monitors their behaviour there. Citizenship is not the test: the regulation protects individuals who are in the EU, whatever their nationality. So even if you are a hotel in Asia, if you market to or take bookings from people in the EU, you need to understand the regulation’s requirements and comply with them.
Its extraterritorial scope means it affects hospitality businesses worldwide, not only those in Europe.
How to Prepare for GDPR
Hotels should already have practices and processes in place for dealing with data. However, this is not always the case. Hotels, both large and small, often make mistakes when it comes to personal data. The penalties for doing so will now be far higher.
One of the first things hotels should do is review all the personal data they hold. This includes data on past and present employees and suppliers as well as on customers. Check that a valid lawful basis is recorded for both existing and new records, and where you rely on consent, that the consent is documented. Where it isn’t, refresh the consent or stop using the data.
Below are examples of systems and suppliers hotels should review:
- CRM systems
- Booking Engines
- Website Developers
- Payment Processors
- Email Marketing
- Social Media Marketing
- Customer Databases
- Website cookies
- Employee Management Systems
Basically, anything that contains personally identifiable information should be covered. Failure to comply can be very expensive, with fines of up to 4% of annual global turnover or €20 million, whichever is greater.
Respect for guest privacy plays a crucial part in the hospitality industry. Organizations should not underestimate how important it is to adapt to GDPR regulations. If you haven’t started reviewing data, start ASAP as this could be a lengthy process.
How to Make Data Compliant with GDPR:
- Make customers aware – Hotels now have an obligation to make individuals aware of their rights under GDPR as part of the data collection process. Many privacy policies or T&Cs will likely need to be updated.
- Know the purpose of the data – Personal data must be collected for a specific, explicit purpose. What data are you going to capture and why are you capturing it? If there is no clear purpose for collecting a specific piece of data, then you probably shouldn’t collect it. One of the key principles of GDPR is not to retain personal data for longer than necessary. Furthermore, data cannot be further processed in a manner incompatible with the purposes stated when it was collected. For example, an email address taken at the time of booking cannot later be used for email marketing unless the guest was told about that use and a lawful basis (usually consent) exists for it. Drafting a data flow map will help a business understand what personal data comes into the company, who manages it, where it is stored and where it ends up, including which third parties receive it.
- Have consent – Consent is much tighter under GDPR, and this is crucial to get right. Where consent is the lawful basis, hotels must be able to prove their customers have given it for their data to be used for marketing purposes, and must specify which data and which uses it covers. Consent must be a clear affirmative action: pre-ticked boxes, silence and “opt out” mechanisms do not count. Another important step is reviewing consent that was gathered in the past. If it was collected through an opt-out or another mechanism that GDPR does not recognise, continuing to use that data for any purpose that requires consent exposes the business to enforcement action. Even if customer lists have been purchased from a third party, it is the hotel’s responsibility to obtain documentation proving that these customers consented to receiving its marketing.
- Audit and review current data processes – Hotels need to decide how information will be stored and handled, and whichever method is chosen needs to be secure. GDPR requires technical and organisational measures appropriate to the risk and names encryption as an example; in practice, data stored electronically should be encrypted at rest and in transit, access should be restricted to staff who need it, and access should be logged. Company-wide data security policies should also be in place so that employees know how to keep data secure.
- Make sure payment processes are compliant – Hotels accept card payments every day and must ensure they already comply with the Payment Card Industry Data Security Standard (PCI DSS). This means that any system or supplier that stores, processes or transmits cardholder data must meet the standard’s requirements. The simplest way for most hotels to reduce that burden is to avoid storing full card numbers at all, for example by using a PCI DSS compliant payment processor or tokenisation, so that card data never touches the hotel’s own systems.
- Train your employees – Employees should be trained to recognise a personal data breach and know what to do when one occurs. Ensure your employees understand what constitutes a breach and what can lead to one (a misdirected email, a lost laptop, a shared login). Build processes to pick up red flags early. Employees must also know the procedure to follow in the event of a breach and must report any mistake immediately to the DPO or the person or team responsible for data protection compliance, because GDPR requires the supervisory authority to be notified within 72 hours of becoming aware of a breach that is likely to put individuals at risk.
These are only a few examples of ways to make your data compliant.
Complying with GDPR may seem a huge task. But in reality, it is something that can be used to your advantage, adding value to your hotel and building meaningful relationships with your customers. Ensuring personal data is properly collected, managed, stored and retained will require a considerable overhaul of current operations. Hotels should take action now, before the regulation applies on 25 May 2018.
Author Bio: Victoria Ward of Nexon Hospitality enjoys digital marketing and is currently working as a digital marketing executive at Nexon Healthcare.