Hospitality is full of acronyms. ADR, PMS, GOPPAR, MICE… the list seems endless. But at the moment, there are few more important than GDPR.
With the compliance deadline of May 25, 2018, it’s now under 40 days until GDPR, or the General Data Protection Regulation, comes into force. And though it’s a European Union law, it’s likely that hotels around the world will be touched by it.
Here is some insight into readying your hotel for the biggest change to data protection in the EU for over two decades.
GDPR: a recap
First off, let’s revisit what GDPR is and why it matters for hotels. In a nutshell, it’s new legislation designed to align data protection rules across Europe and fit with today’s digital world. It will mean businesses have to be much clearer about what data they collect and why.
Hotels are likely to be considered a ‘data controller’ under GDPR, which means you determine the purposes and means of processing personal data. That comes with obligations as to contracts with ‘data processors’, which are responsible for processing personal data on behalf of a controller.
Though an EU law, GDPR may apply to businesses outside the EU if they offer goods or services to individuals in the region. Failure to comply risks a penalty of up to 4% of worldwide turnover.
The first step on our GDPR journey was to conduct a full audit of the data we collect during the course of our work. Through a data mapping exercise, we determined the following:
- What data we collect
- Why we collect it
- What our intention is for that data
- The retention policy toward that data
We won’t lie, it’s a time-consuming and complicated process that requires involvement from teams across your organization. But it’s through this that you can understand exactly how GDPR will touch your business and adapt accordingly. Company-wide buy-in to your GDPR preparations is crucial.
“In order to operationalize the GDPR we need to incorporate it into how the organization does business in general,” says Samantha Simms, information law attorney and founder of The Information Collective. “GDPR compliance must not be standalone; it’s a living piece of law that must form part of the DNA of the company.”
Contact third parties
Hospitality is exceptionally interlinked as an industry. Hotels work with numerous third parties, such as OTAs and booking engines, many of which may come into contact with your data.
Following the data mapping exercise you should have a list of these third parties and what data they might encounter. Find out how they plan to address GDPR so you have the complete picture of your obligations. It is your responsibility to ensure that the third parties you work with are GDPR-compliant.
You also need to ensure that customers are aware when you’re collecting their data via a third-party site.
“It must describe where you are using data under consent, or using it for legitimate business purposes, or to perform a contract with a data subject (i.e. customer), or in other ways such as to carry out legal and regulatory obligations,” Samantha says.
Once complete, ensure the updated version is published on your website.
One of the core principles of GDPR is that consumers will be much more aware of how their information is being used. It’s essential therefore that you communicate any changes you expect to make under GDPR to your client base. Perhaps you’ll email your guests or use your loyalty scheme to post a notice.
Much like the data mapping exercise, consider all the ways in which you speak with your customers and what might be the most appropriate method of explaining your GDPR plans, for example in an email asking existing contacts to confirm their subscription, or posting a notice to loyalty scheme members.
Setting this out in a comprehensive communications strategy is strongly advised to ensure you’re covering all your bases.
Incident response plan
Under GDPR, we must all be prepared to deal with any potential personal data breaches. The rules state that if you use a ‘data processor’, for example an OTA or channel manager, and it suffers a breach, you’re required to take steps to address it.
Samantha’s advice is to have an incident response plan in place. In some cases, there is a 72-hour time limit to notify authorities of a breach and provide information, so the plan must be tested to ensure it can meet that deadline.
Check out the ICO’s checklist for an idea of what a plan might entail.
What is compliance?
Given the sweeping nature of the changes coming under GDPR, it’s no surprise that there is a feeling of mild panic in some circles about the ability to be compliant by May.
But listening to experts, it seems there is a recognition among authorities that readying a business for GDPR is a sizeable task and there will be leeway if you canÊdemonstrate to both authorities and customers that you are doing your utmost to comply. What won’t be tolerated however is flagrant and wilful breaches of the law.
Data protection outside the EU
Of course, GDPR is not the only data protection regime around. Countries around the world have their own rules and in an ideal world hotels would have a privacy framework that takes into account all the relevant regulations.
The good news for anyone getting to grips with GDPR is that the EU legislation has some of the highest standards when it comes to privacy regulations. As Samantha says: “You need to have a robust yet flexible privacy program to handle any changes, but if you put GDPR at its core you can’t go too wrong.”
About the author
Lily McIlwain is the Content Manager at Triptease. Interested in finding out more about Triptease and GDPR? Get in touch via the website.