The introduction of General Data Protection Regulation (GDPR) in May this year will have a significant impact on hotel operations, says Paula Swain of Shoosmiths.
In recent years, the hotel industry has increasingly been making headlines for its relationship with its customers – whether that’s a scathing customer review on some of the most popular review aggregator websites, or the fierce rebuttal from an aggrieved owner.
This is how far the sector has come in terms of its customer/proprietor relationship, a world far removed from the face-to-face contact of yesteryear.
And from May of this year, this relationship is set to be challenged even further with the introduction of the GDPR – a massive challenge to a sector which handles such a vast amount of customer data on a day-to-day basis. The ramifications, beyond some negative PR, cannot be overstated.
However, it’s not all doom and gloom. There is no doubt that many people will be scratching their heads over what needs to be done to ensure their businesses are ready for the new legislation come May, but we believe there are many simple steps, or changes in how a business thinks, that can be taken regardless of what sector you are in.
One key factor to bear in mind is the introduction of new technology. Many hotels will already be firmly embedded in online technology, either through their own websites or through third-party ones. However, if you have any new websites being developed, make sure you have the right building blocks in place. Considerations should include privacy by design and by default built in from the start, contracts with the right third-party partners, and even marketing preferences and data capture statements.
Do you advertise your hotel elsewhere? It’s hard to imagine you don’t, but this brings with it its own potential GDPR pitfalls, based around customer data sharing. Remember, if any party in the supply chain fails to get this right and agree on it, everyone fails, as everyone risks the loss of consumer loyalty, potential data breaches, litigation and a decline in brand reputation.
There’s no getting around the fact that it’s unlikely to be a cost-free step into a GDPR world. But throwing money at the problem is not going to be the absolute solution. This legislation requires a seismic change in culture, and understanding will be required across the board – from reception staff, cleaners, bar staff, marketeers, to managers, and many more.
And this is where training becomes paramount. It is essential that employees have thorough training, regularly refreshed, on what the business’s data handling process is. All employees should have an awareness of the GDPR processes and the impact that breaches can have, while all employees who collect customer data should be given specific guidance based on their job role.
It’s also worth putting a contingency plan in place for any customer data breach. It could still happen, even with the best plans in place, but a well-rehearsed response to a disaster situation can go some way to getting the best outcome for your business if the worst happens. And if you can contain a leak as soon as it happens, this can potentially limit the short- and long-term impact on the business.
There is no need to panic, though. At Shoosmiths, we’ve put together a free online hub that goes into much more detail – from simple guides for HR departments, to some immediate steps that all businesses can take to get ready for May.
Above all, I would urge everyone to use this new legislation as an opportunity for their business: from minimising the risks of any cyber-attacks, to getting your data in order and, potentially, improving or streamlining your customers’ experience.
Shoosmiths’ GDPR top tips for hospitality
• Almost all of the guest data obtained by hotels where the individual is identifiable is “personal data” and will be very tightly regulated under GDPR from 25 May 2018
• Operators will in general be “data controllers” and are responsible for the third parties that process data on their behalf
• Guests need to be informed in simple language about their rights – so putting together a so-called “privacy notice” will be a good idea
• Before guest data can be held, their explicit consent is required. Don’t forget though that in the case of children under 16, that consent needs to come from a responsible adult
• Data subjects – which includes guests – have the right to withdraw their consent to your holding their data at any time
• According to Verizon’s 2017 report, point-of-sale systems are the most commonly attacked, with 98% of all POS attacks resulting in a data breach. This is an important factor to build into your plan
• 71% of delegates at a Cybersecurity Panel Session at the Annual Hotel Conference in October 2017 said they had not carried out, or were unsure whether their businesses had carried out, a cyber security risk assessment. Make sure you do one
• Most business interruption and property insurance policies do not cover data breaches or cybercrime, although “stand alone” policies are available.
• The Internet of Things is also affected: during a stay at a hotel in China in 2014, cybersecurity expert Jesus Molina was able to take control of every internet-enabled device in every room. A full inventory of all internet-enabled devices is essential
• Hotel operators and chains need to appoint a data protection officer