The effects of the GDPR on the hotel industry are probably the most devastating of all. Hotel records hold little other than the personal data of guests, so the way the industry processes and stores that data has to be in accordance with the GDPR, or hotels risk hefty fines.
The hotel industry is also where the GDPR’s “extra-territorial effect” can be seen most fully. Not only hotels within the borders of the EU need to comply with the GDPR, but practically every hotel on the planet that has at some point hosted EU residents.
There is another angle as well: the marketing and advertising campaigns hotels run to attract more visitors also need to comply with the GDPR. If hoteliers marketed to EU citizens without the proper permission, they were in violation and could be fined.
Consider a practice common among the big hotel chains: capturing the email address of an EU citizen who uses the Wi-Fi on the property and afterwards sending them marketing email. Without proper consent, that is a violation.
“Some hoteliers were rightly concerned,” said Stephen Rosen, Partner at Tambourine. “Because they felt all of their existing data was at risk. Other hoteliers were concerned because they didn’t really understand what GDPR was or how to adhere to it operationally.”
It looks like the hotel industry wants to take it seriously but does not know how.
Where can you start?
- Removing EU citizens’ email addresses from existing marketing databases if they have not properly consented.
- Updating website forms with proper consent.
- Changing data collection policies at the front desk.
One year later, the fallout of the GDPR can be seen in hefty lawsuits, with the EU targeting deep-pocketed tech giants like Google and Facebook, as well as mega-chain Marriott (recently slapped with a $123 million fine for its 2018 data breach).
So, to clear up the misconceptions you may have:
- The GDPR affects hotels across the globe: The GDPR applies to all properties that target EU residents as customers no matter where they are located. This means that the GDPR affects all hotels in the US, Australia, Canada and locations around the world, not just Europe.
- Hotels are liable under the GDPR: Regardless of your partners or solution providers, the hotel (which the GDPR considers the data controller) is ultimately responsible for using tools that comply with the GDPR.
- One price for all of the EU: A commonly overlooked point is that hotels cannot use profiling to set prices based on an EU visitor’s location.
How to Prepare for GDPR
Hotels already have policies and procedures in place for handling personal data. One of the first things a hotel should do is review those existing policies and procedures and update them in accordance with the GDPR. More important, of course, is that the updated procedures are actually put into practice.
This is a list of the platforms and practices hotels need to take care of in relation to the GDPR:
- CRM systems
- Booking Engines
- Website Developers
- Payment Processors
- Email Marketing
- Social Media Marketing
- Customer Databases
- Website cookies
- Employee Management Systems
Basically, anything that contains personally identifiable information should be covered. Failure to comply will be very expensive: fines of up to 4% of annual global turnover or €20 million, whichever is greater.
Respect for guest privacy plays a crucial part in the hospitality industry. Organisations should not underestimate how important it is to adapt to GDPR regulations.
How to Make Data Compliant with GDPR:
- Make customers/data subjects aware – Under the GDPR, hotels are obliged to make individuals aware of their rights as part of the data collection process. Many privacy policies and T&Cs will likely need to be updated.
- Know the purpose of the data – Personal data must be captured for a specific purpose. If there is no purpose for collecting a particular piece of data, you probably shouldn’t collect it. Another key principle of the GDPR is not to retain personal data for longer than necessary. Furthermore, data cannot be further processed in a manner that conflicts with the purposes outlined initially. For example, an email address taken at the time of booking cannot be used for email marketing at a later stage without the guest’s consent. Drafting a data flow map usually helps a business understand what data comes into the company, who manages it, and where it ends up.
- Have consent – Consent is much harder to obtain under the GDPR. Hotels must be able to prove that guests have consented to their data being used for marketing purposes; without that consent, the data may be used only for the purposes of the stay itself. Another important step is reviewing the consent given when data was collected. For example, if it was collected under “opt-out” or other mechanisms that the GDPR invalidates, a business is automatically open to prosecution if it continues to use this data for any purpose where consent is legislated as necessary. Even if customer lists have been purchased from a third party, it is the hotel’s responsibility to ensure it receives documentation proving consent from those customers.
- Audit and review current data processes – Hotels need to decide how information will be stored and handled, and whichever method is chosen needs to be secure. If data is stored electronically, encryption is a must. Company-wide data security measures should also be in place to educate employees on how to keep data secure. Hotels that cannot afford this could consider anonymisation.
- Make sure payment processes are compliant – Hotels accept payments every day and must ensure they are already compliant with the Payment Card Industry Data Security Standard (PCI DSS). In other words, if a company intends to accept card payments and to store, process, and transmit cardholder data, it must host that data in a way that meets PCI DSS requirements.
- Train your employees – Employees should be trained and know what to do when a breach of personal data occurs. Ensure your employees understand what constitutes a personal data breach and what can lead to one, and build processes to pick up any red flags. Employees must also know the procedure to follow in the event of a breach and must report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.
Complying with the GDPR may seem a huge task. In reality, it is something that can be used to your advantage, adding value to your hotel and building meaningful relationships with your customers. Ensuring personal data is properly collected, managed, stored, and retained will require a considerable overhaul of current operations. If you have trouble, consider contacting us.