The hospitality sector (accommodation, restaurants and bars, travel and tourism, and leisure) collects one of the largest shares of personal data of any sector. Necessary actions therefore need to be taken to avoid the financial consequences of non-compliance, especially since major breaches have already affected many of the world's most prominent hotel chains: Radisson (read more about the data breach at Radisson Hotel in GDPR Register News), Hilton, Mandarin Oriental and Trump Hotels worldwide.
Personal information about customers often flows through many channels that receive and supply data to this sector: it is collected not only directly from customers, but also through channel managers and booking sites. Hotels, travel agencies and similar service providers hold customers' credit card information, and this information makes these companies attractive targets (as the examples above show). GDPR therefore cannot be ignored.
It is important to understand that GDPR applies to the handling of information about EU citizens wherever it takes place. For example, a hotel located in the United States is very likely to have guests from the EU, so GDPR regulations and requirements apply to it.
How should the hospitality sector start preparing for GDPR?
Hospitality companies hold a wide variety of information about their customers, so the first step is to review all of that data. Consent should be documented for both new and existing records; where it is missing, the records must be updated.
Customer information is usually kept on a number of platforms. The following should be reviewed:
- CRM systems
- Booking Engines
- Website Developers
- Payment Processors
- Email Marketing Tools
- Membership
- Social Media
- Customer Databases
- Website cookies
Acquiring personal data
There are six lawful bases for processing personal data. In most cases, the hospitality sector should rely on contractual obligation for guests. Whatever lawful basis is used, the individual must be informed that information is being collected, what it is being used for and how long it will be retained. Consequently, only the data necessary for a specific purpose may be collected, and it should be retained only for the period needed to meet that purpose.
Data subjects have rights concerning their personal data, one of which is the right of access. Companies have 30 days after a customer's request to provide a copy of any information stored about them, and this data can be corrected at the customer's request. If there is no lawful basis for some or all of the collected data, and the company cannot prove otherwise, that information must be erased.
Protection of personal data
There are many steps to take in order to protect personal data, from reviewing security policies to encrypting and/or pseudonymizing data. It has to start, however, with the adoption of privacy by design, which is particularly important now that technology is combined with personalization.
In the hospitality industry, mobile technology plays a big part: planning the visit, using the phone as a boarding pass, and so on. Today, separate apps are still needed for each of these purposes, but the travel experience becomes smoother as collaboration improves. That means designing for privacy from the start and also sharing data properly between travel companies and agencies. GDPR requirements cannot be forgotten here, for example by having the right agreements in place between the different parties. Regardless of the partners or solution providers involved, the company (which under the GDPR is the data controller) remains ultimately responsible for using tools that comply with the GDPR.
Companies that process personal data at large scale should appoint a data protection officer (DPO) and carry out a Data Protection Impact Assessment (DPIA). There are also additional requirements for data transferred outside the EU (read more about transferring personal data to third countries).
Organizations should not underestimate how important it is to adapt to GDPR. Companies in the hospitality industry, like those in any other, need to address the policies, procedures and technology they use for handling personal data, and they must ensure that staff are fully aware of their obligations. In short, anything that contains personally identifiable information should be covered. Otherwise, fines for failure to comply can reach 4% of annual global turnover or 20 million.