Organisations within the hotel sector globally will have until May 2018 to comply with the EU General Data Protection Regulation (GDPR) or potentially face fines of up to 4% of annual turnover or €20 million, whichever is greater. Organisations need to ensure that their Data Protection Officers, IT directors and managers are fully up to speed so that their operations are compliant.
New technology continues to drive change within the hotel sector. It affects the customer experience in multiple ways, from the process for making hotel reservations, through to check-in.
Alongside the efficiency benefits for customers and hotel owners alike, technology also brings new challenges, one of them being that hotel owners must make sure they address their customers’ privacy rights and hold their data securely.
Privacy and data protection
Privacy and data protection are serious issues for the hotel sector, as illustrated by a number of high profile data breaches reported in the press. Organisations recently affected include the Hilton, Trump and Hyatt hotel groups, and whilst incidents involving large hotel groups are the most likely to reach the press, data breaches can happen in any hotel, regardless of size. If management and owners are not taking appropriate protective steps, a data breach is more than likely to occur at some point.
So why are hotels targeted? This is largely due to the types of information they hold about their customers. A standard data set within a hotel database typically contains names, addresses, dates of birth and credit card details. All of this information can be used to carry out identity or credit card fraud.
General Data Protection Regulation (GDPR)
Organisations within the hotel sector need to be aware of this regulation and need to ensure they are putting plans into action so that they are in full compliance by May 2018. Hotel owners operate all over the globe, and under the new GDPR regulations it is vital that policies and procedures are put in place to ensure that the amount of data held and processed is carefully managed, mitigating the risk of adverse events involving that data materialising in the future.
To put the potential penalties into perspective, consider Yahoo, which recently reported a significant data breach, one of the biggest of all time. If Yahoo were to suffer the maximum penalty on their $5 billion turnover, this would equate to a penalty of $200 million.
The EU General Data Protection Regulation (‘GDPR’) was four years in the making and after significant discussions was finally approved by the European Union in April 2016.
Widely dubbed the “biggest shake up of data protection laws for 20 years”, it gives hotel owners around the globe until 25 May 2018 to fully comply with the regulations or face those significant penalties.
The key thing that all organisations must take into consideration is that, despite this being an EU regulation, it will apply to you if your hotel is holding or processing any EU personal data, regardless of where in the world your hotel is located.
From a UK perspective, even if your organisation does not have overseas operations or hold EU data, the UK Government announced in December 2016 that, despite the uncertainty surrounding Brexit, all UK organisations will need to comply with the GDPR regulations regardless of the UK leaving the EU.
Under GDPR and outside of the significant penalties and the increased territorial scope there are a number of significant changes that hotel owners must consider when working towards meeting the requirements of GDPR.
One of the main changes is that data processors as well as data controllers are now captured by the regulations, and therefore any data controller that outsources the processing of personal data to a third party has to consider the implications of this for their organisation. If the data processor is getting it wrong, your organisation as the data controller will still be liable to penalties!
The key principle behind GDPR is that it has been designed to give the data subject more power over what information organisations hold on them and what it is being used for. Under GDPR, all consent requests sent to data subjects must now be easy to understand, written in plain English with no detailed legalese. Consent must be just as easy to withdraw as it is to give, and data subjects now also have the right to be forgotten without delay.
If your organisation is unfortunate enough to experience a data breach, then under GDPR you would need to ensure that this breach is reported to all stakeholders and regulatory authorities within 72 hours of the breach being discovered.
There is a new legal requirement for ‘privacy by design’, which states that data protection must be considered during the design stage of any new system being implemented.
In addition to this, data subjects now have the right to ask for a copy of all of the data held about them and what it is used for. This must be provided in a machine readable format so that the data subject has the option of transferring it to other data controllers as part of the new data portability requirement.
Under GDPR, unless you process large quantities of data on a day to day basis or process highly sensitive data, there is no longer a requirement for a Data Protection Officer; however, organisations will still need to ensure internal record keeping requirements are met.
What to do now?
It is vital that your organisation does not ignore GDPR. Doing nothing will result in your organisation being hit financially, a potential loss of reputation (which is considered so important within the hotel sector) or even a ban from trading in certain jurisdictions around the globe. Under GDPR you are also much more likely to receive an external review to confirm that your organisation has the necessary internal procedures in place to ensure compliance.
Key individuals within your organisation need to understand the implications of GDPR, how it will affect your business and what is needed to ensure compliance by the enforcement date in May 2018.
What data do you currently hold? What procedures are in place to deal with subject access requests and deletion requests? Are your privacy notices up to date? Are your consents up to date? What processes do you have in place to report and investigate data breaches? These are all questions that organisations need to consider sooner rather than later.
Complying with GDPR is no small job. Your organisation needs to start now to give itself the best chance possible of not being hit with large penalties after May 2018.
Please do get in touch with Chris Beveridge if you would like a free of charge introductory call or follow up meeting to find out more about GDPR or how our expert Technology Regulation team can support you.