In 2018, member states of the European Union (EU) will be subject to one of the biggest changes to data protection laws in the past 20 years. The General Data Protection Regulation (GDPR) will come into effect on the 25th May, but many hoteliers are seemingly not ready for the new law.
Management consultants Edgar, Dunn & Company (EDC) surveyed 300 hoteliers around the UK to gain a better understanding of the current status of their GDPR preparations.
The results are alarming: more than half of them have not yet started implementing the GDPR.
What is the GDPR?
The GDPR will replace the previous data protection directive of 1995 and be immediately enforceable in all member states, without the need to transpose it into national law.
It’s intended to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business.
What will change for hotels?
Fundamental concepts such as the definitions around data ‘controllers’ and data ‘processors’ remain the same, but their obligations will change.
In our industry, a data controller would be the hotel and a data processor would be any other body that processes data on behalf of the hotel, such as a software or system provider. The data ‘subject’ is the guest who stays at the hotel and allows access to their personal data.
Typically a hotel database will hold some or all of the following information: guest names, addresses, dates of birth, credit card details, passport details, dietary requirements, medical conditions etc. This is a lot of sensitive data that could be used fraudulently, which is why there is a close correspondence between the Payment Card Industry Data Security Standard (PCI DSS) and the GDPR.
Think of PCI DSS as covering the technology provider’s obligations for data security, and the GDPR as the people side of managing data securely.
Hotels must document in detail the processes that implement their specific internal risk management policies.
All suppliers to the hotel that use the guest’s personal data, including caterers, cleaners, channel managers, property management system suppliers, online travel agencies and global distribution systems, must be reviewed.
Hotels, as data controllers, must place more emphasis on re-negotiating data agreements with these processors. To ensure that personal data is not kept longer than necessary, the hotel should establish time limits for deletion or for a periodic review. Every reasonable step should be taken to ensure that inaccurate personal data items are rectified or deleted.
In the event of a breach, the European Regulator must be notified within 72 hours where the breach is likely to result in a risk to the rights and freedoms of EU data subjects.
How are hotels preparing for the new regulation?
One concern raised in the report by EDC is that hotels are spending a long time understanding the legislation and not enough time implementing an ongoing plan for compliance, given its May 2018 inception.
More than a third of survey respondents stated that they did not understand where the GDPR would have an impact – while 35% of them indicated they lacked support from their suppliers.
When asked about putting a strategy in place, these were the findings:
- 20% of hotels surveyed have an ongoing GDPR project
- 23% stated they have started a plan
- 18% said they have a plan, but haven’t started working on it
- 39% of the responding hotels don’t have a plan at all
Compounding these statistics is the fact that 67% of hoteliers believe the industry is more vulnerable to a breach than any other sector.
To avoid being caught out, hotels need to review their connections to data processors and their own security policies, and confirm that they have the necessary qualified staff on hand to navigate the new laws.