When it comes to data security, there are few sectors as vulnerable to threats as the hotel industry. With the volume of processed personal and credit card information being handed over to hotels on a daily basis the hotel industry is currently one of the most vulnerable to data. All of this information can be used to carry out identity or credit card fraud.
With the enforcement deadline for the GDPR looming closer, it is imperative that hotels upgrade their data protection processes, or they face the risk of financial penalties.
Privacy and data protection is a serious issue for the hotel sector, as illustrated by a number of high profile data breaches reported in the press. If management and owners are not taking appropriate protective steps, a data breach is more than likely to occur at some point.
🏯 Growing numbers of security breaches in the hotel sector : http://www.hotelnewsnow.com/Articles/50937/Timeline-The-growing-number-of-hotel-data-breaches
🏯 Hilton Hotels : http://www.bbc.com/news/technology-41834679
🏯 Trump Hotels: https://www.reuters.com/article/us-trumphotels-cyber/trump-hotels-discloses-data-breach-at-14-properties-idUSKBN19X2G2
🏯 Hyatt Hotels : https://www.reuters.com/article/us-hyatt-hotels-cyber/hyatt-hotels-discovers-card-data-breach-at-41-properties-idUSKBN1CH2WP
The penalties for not complying with GDPR are large, at a financial cost of up to €20 million or 4 per cent of worldwide annual turnover (whichever is greater), but the potential reputational cost to a business in the hospitality industry could be even bigger.
However, these possible losses can be avoided if the hotel leaves enough time to efficiently adapt to the regulation.
The General Data Protection Regulations (GDPR) requires any business (including hospitality industry businesses) that handles personal data of a EU citizen to have adequate measures in place.
By « adequate measures » they mean data should be properly protected, and any theft or misuse of this data cannot occur.
Personal data must be collected for specified explicit and legitimate purposes. Data cannot be further processed in a conflicting manner with the purposes outlined initially – for example, taking an email address at the time of booking and then using it, without further consent for email marketing at a later stage. The hotel must ensure customers are aware of the particular uses of their data. Hotels must develop a strategy to obtain consent in appropriate form through communications that are legal prior to the new regulations taking effect.
Hotels accepting credit card payments must already be compliant with the Payment Card Industry Data Security Standard (PCI DSS). This outlines that if a company intends to accept card payment, and store, process and transmit cardholder data, they need to host their data securely with a PCI compliant hosting provider.
With the majority of hotels relying on emails as one of their main forms of marketing, the introduction of GDPR may have a significant impact on their marketing strategy. This regulation states that customers will now have to “opt-in” to an email marketing service, as opposed to the current widely-used “opt-out” system.
Hotels must be able to prove that their customers have given consent for their data to be used for marketing purposes, and must also specify which data they wish to be used. If a list of potential customers has been purchased, the hotelier must also receive documentation that proves that consent from these customers has been given for the data to be used.
The EU citizen (the guest) also has specific rights on the data that you are holding about him. It applies to data stored on EU citizens, wherever they are staying around the world. This impacts the entire hospitality sector, worldwide.
What if you need assistance?
GDPR is neither purely an IT project, nor is it purely a legal one. GDPR is a multi-disciplinary project, requiring the implementation of organisational, IT-technical and legal measures. That’s why it’s best to set up a multi-disciplinary working group, with representatives of all of these disciplines, as well as those departments managing the most, and the most critical, personal data.
Many companies do not have all of the resources internally that are necessary to manage GDPR compliance. Legal expertise and information security expertise, is of course key to ensure compliance.
If you are not already blessed with data protection experts in-house, you should find appropriate advisors as soon as possible.
ITaaSC (IT-as-a-Service Consulting) can help you in several ways to deliver your GDPR project. We can coach you, review deliverables or play a more active role taking the responsibilities to perform some of the activities (IT, legal, process, change management).
Examples of activities that we can perform on your behalf:
- Compile a comprehensive awareness campaign
- Set up a « data register » based on a tool selected to meet your specific requirements (on premise or in the cloud)
- Conduct detailed assessment and produce mapping of all data flows
- Making sure the necessary « consent » statements are included on all printed and electronic media where you collect guest data
- Design new processes on how to obtain consent from guests
- Ensure compliance with IT security framework (ISO27001, NIST,…)
- Design and implement a Data Privacy Impact Assessment (DPIA) Analysis
- Coach your DPO
- Offer you a DPO-as-a service in case you do not have somebody to perform that role
- Review contractual amendments, privacy clauses and consent notices
Contact us for more information: firstname.lastname@example.org or +32 2 318.12.71