GDPR Compliance: What Now? What is the Impact on the Hotel Industry?
What is GDPR?
The GDPR (General Data Protection Regulation) is the EU data protection law that came into effect on the 25th of May 2018. It gives individuals more control over their personal data and sets out what organizations may do with it.
The regulation applies to any organization that processes the personal data of people in the EU, whether or not the organization itself is based there. Businesses that do not comply risk fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, as well as orders to stop processing.
How is GDPR Affecting Your Hotel?
In recent years, the hotel industry has been regarded as one of the sectors most exposed to data threats. It records one of the highest numbers of breaches of any sector, because hotels store a wealth of personal information (names, addresses, passport details, payment cards) and process a large number of financial transactions, both of which attract attackers. Against this background, GDPR imposes a set of rules that hoteliers must comply with:
- Hoteliers must provide their guests with detailed information about why they need to process personal data and how long they want to keep this data.
- Hoteliers must keep technical and organizational records to prove they are protecting the data.
- Where processing relies on consent (for example for marketing), hoteliers must obtain it through a clear "opt-in" on their website or forms, and guests must be able to withdraw it as easily as they gave it. In addition, hotels must explain how personal data is stored and how guests can access, correct and delete it.
Hoteliers anywhere in the world must comply with these rules if they process the personal data of guests in the EU. The rules are designed to ensure that data is managed in a way that minimizes the risk of a breach and limits the damage if one occurs.
Train Your Teams
The regulation changes the way companies use and process personal data. Staff training is one of the most important elements of implementing GDPR, as human error (a misdirected e-mail, a reservation printout left at the front desk, a phishing link clicked) is commonly cited as the leading cause of data breaches. GDPR should be considered a journey and not just a destination: 25 May 2018 was not the cut-off for implementation. A lot of work remains after May 2018, and hotels need to demonstrate that they continue to actively comply with the rules and to build a data protection culture.
The regulation also brings a new sense of responsibility for employees. Everyone who handles guest data is responsible for its security. Staff training is one of the clearest ways of demonstrating accountability, alongside written policies and records of processing, and it makes enforcement practical. Employees trained on GDPR understand what is required of them and why everyone in the hotel must protect personal data. Training should make sure that employees at all levels have the knowledge, understanding and practical tools to implement and maintain GDPR-compliant processes.
Impact on Bookings, Tracking and Online Marketing
Identify Your Data Controller and Processor
GDPR regulates which data you may collect during the booking process, how long you may keep it, how your guests can access it and how they can have it deleted. Your hotel therefore needs to review its website and booking flow, check which information you really need to save for a booking (data minimization) and take additional steps to comply. First of all, identify your data controller and data processors. A data controller is the organization that decides why and how personal data is processed; for a guest's booking details, that is normally the hotel. A data processor is an organization that processes or stores this information on behalf of the controller, for example the vendor of your property management system, your booking engine provider or an e-mail marketing service. Under GDPR, both controllers and processors must comply with the regulation and both can be held liable after a data breach, and the controller must have a written contract in place with each processor that sets out what the processor may do with the data.
Explicit & Active Opt-Ins
Where you rely on consent, GDPR requires that customers actively agree to their data being stored and understand what it will be used for. Consent must be given by an obvious and positive action to opt in; silence or inactivity does not count. Enquiry forms with a checkbox for receiving a newsletter, for example, must have the box unticked by default, since pre-ticked boxes are not valid consent. Consent is not the only lawful basis, however. Data that is necessary to perform the contract with the guest, such as the booking details you need at check-in, can be processed on that basis without a consent checkbox; you still have to tell the guest what you collect and why.
When advertising via Google AdWords, standard keyword advertising involves little guest data on your side, but conversion tracking and remarketing rely on cookies and online identifiers, which GDPR treats as personal data, so these features also need a lawful basis and a cookie notice. Customer match advertising (ads that target a defined list of e-mail or postal addresses) goes further: if you want to use this form of advertising, the (potential) guests on the list must have expressly consented to the use of their personal data for marketing.
Recommendations to Avoid Fines
Collecting only the personal data you need, storing it securely, keeping a record of the lawful basis and any consent for each use, having contracts with your processors and making sure trained staff handle the data should help ensure that your hotel does not violate the regulation. If a breach does occur, remember that GDPR requires it to be reported to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to the affected guests.