GDPR – Hotel Challenges



Hospitality: Unprepared for GDPR

The hotel industry is considered one of the most vulnerable to data threats. According to Verizon’s 2016 Data Breach Investigations Report [1], the hotel industry accounts for one of the highest numbers of breaches in any sector and has the highest volume of lost cards following a breach. This comes as no surprise: hotels process information that is highly desirable to financially motivated criminals.

An unprepared industry

With a little over a year until the GDPR comes into effect, there is considerable work to be done, and it is easy to underestimate what is involved on the road to compliance. The hotel industry is considered one of the most vulnerable to data threats because hotels process, and in many cases store long term, a very high volume of guests’ personal information and payment card transactions daily. They also receive this information from many sources, such as third-party booking systems, point-of-sale systems, concessions, their own website, emails, faxes, phones and walk-ins. Furthermore, hotels tend to store this payment card data in several places.


Hospitality: Collecting Data / Marketing

Currently, the rules around collecting guest (or potential guest) data are somewhat flexible. Hoteliers can be smart with wording and use “opt-outs” and implicit consent to swiftly enrol customers in various newsletters and email campaigns. Generalised consent requests can be used to sign people up to any number of subscriber lists, resulting in multiple ways that a hotel group can reach potential guests. That is all changing under the GDPR. Explicit consent means that hotels must:

  • explain to the customer what data you are capturing (the nature of the data),
  • explain to the customer why you are capturing that data (the purpose of the data), and
  • explain to the customer who is requesting that data (the identity of the Data Controller) and who else will have access to this data.

The end result is that the person you are seeking to collect data from completely understands what data you want and what you plan on doing with it. The customer can then give you unambiguous consent. However, the tricky part for hoteliers is that the consent someone gives you only applies to the purpose you have explicitly declared. In the past, hotel marketers could source the email address once and then reuse it across campaigns and newsletters alike. With the new GDPR rules in place, this is no longer the case: if you have captured the email address for a newsletter, you have to ask for explicit consent again for the email campaign, and so on. All of this makes marketing to EU residents, or people in the EU, more challenging, which could restrict the number of guests you get through the door. On the positive side, those who do give consent are likely to be more engaged guests.


Hospitality: Policy and Progress

To ensure compliance with the new regulations, hotels will need to undertake some seemingly obvious, but rather intensive, actions to safeguard guest data and avoid the financial repercussions that could result from lack of compliance:

  • A hotel must define its core principles regarding guest data as it relates to GDPR, and recognize that data belongs to the guest, not to the hotel.
  • A hotel must outline its guidelines for collecting and managing PII.
  • It must establish a code of conduct for the hotel and its staff.
  • The hotel must define self-regulatory audit questions.

Actual implementation requires:

  • Internal processing. A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies, so that a hotel always knows the status of such information.
  • A hotel must keep technical and organisational records to prove it is protecting data. It will also need to show the supervisory authority that it has these mechanisms in place.
  • Hotels need a section on their website that permits “opting in”, thus allowing hotels to store PII data. Furthermore, they must explain the process enabling guests to access, modify and delete information. This in itself poses significant issues when data is held in different locations.


Hospitality: Location of Data

It is essential that hotels know the location of all the PII data they hold. This data could be found in a number of places: for instance, in folders, in old email archive files, even in scribbled notes left on the front desk or in folders in the back office. Once all the data is accounted for, decisions must be made about how it should be handled, taking into consideration the hotel’s principles and code of practice. Actions can include deletion, redaction, encryption, quarantine or storage in an accredited, cloud-based storage solution, where it can be accessed by staff easily, using very strong access controls and auditing. It is also key to ensure IT systems are set up and updated for maximum data protection. Unfortunately, many companies still use outdated security systems and data protection software; considering that new threats appear daily, investing in up-to-date security is essential.


Hospitality: Training

Hoteliers should ensure their staff training is up to speed, especially when it comes to GDPR compliance. Hotel staff must be aware of how to collect, access, use and disclose personal information, as well as how to restrict access to cardholder data. Employees must also be advised on how to create strong passwords, and know how to properly dispose of documents containing payment card data.


Hospitality: PCI Compliance and GDPR

If the hotel is already PCI compliant, then this accreditation lays the foundation for GDPR compliance. To be PCI DSS compliant, a hotel must have taken appropriate steps such as:

  • maintaining an information security policy and establishing who is accountable for protecting data;
  • placing and maintaining secure systems to prevent data breaches, including a firewall and continually updated anti-virus software, access controls and other systems designed to prevent data breaches;
  • encrypting cardholder and other sensitive data;
  • ensuring that IT systems are set up adequately; and
  • investing continually in security technologies.

It is vital that hotels begin preparing for GDPR now, so that come May 2018 they can be sure to avoid data breaches, as well as hefty financial penalties.


Hospitality: What happens if I’m not compliant

Non-compliance results in fines of up to 4% of global revenue. This can include violations of basic principles related to data security, especially Privacy by Design principles. A company can be fined up to 2% of global revenue for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach (articles 31, 32), or not conducting impact assessments (article 33). And keep in mind: the GDPR breach notification requires more than just saying you have had an incident. You’ll have to include the categories of data, the records touched, and the approximate number of data subjects affected. This means you’ll need some detailed intelligence on what the hackers and insiders were doing.

More serious infringements merit up to a 4% fine. This includes violations of basic principles related to data security (article 5) and conditions for consumer consent (article 7); these are essentially violations of the core Privacy by Design concepts of the law.

One way the GDPR hopes to keep everything in line is by requiring companies to have a Data Protection Officer (DPO). The DPO is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and even creating a good data security policy.


Hospitality: HOW TO PREPARE in 13 STEPS

1) Create awareness in the hotel. Buy-in of the hotel management team is essential. There may be changes in procedures or systems, so all managers should be aware of GDPR, fully understand it, and be able to understand the impact on their department.

2) Create a "data-register". You should be documenting which information you are holding, where it is stored, where it comes from, whom you are sharing it with, and whether the guest has given his consent to you collecting all this data. This "data-register" will map all your data streams. All processing steps should be recorded, and this may require the compilation or review of existing policies and procedures.

3) Communicate to your guests about your new privacy rules. Make sure you ask the guest for his agreement on giving you all required data, and document that agreement. This could be easily done on the registration card, or when checking in online. Adapt your legal statements and customer agreements to the new legislation. You will need to disclose for which purpose(s) you intend to collect data, and how long you will be keeping it.

4) Guests' rights. The European guest has several rights, and you need to ensure he can exercise them, which include:

  • The right of access to his data
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to transfer his data to another party
  • The right to object
  • The right not to be included in automated marketing initiatives or profiling

Many of those rights may already be in existence today.

5) Guest access requests. You will need to be ready to handle a guest request coming in about his rights. You are not allowed to charge for this service, and you have a maximum of 1 month to provide an answer. If you refuse a request, you must inform the guest about your reasons, and provide details about the Privacy Commission and the name and contact details of your DPO (Data Protection Officer, more on this below), so that the guest understands how to file a complaint.

6) Lawful basis for processing guest data. While the hotel is collecting data, it can only do so if there is a lawful reason. You need to review and ensure all questions you are asking (on registration cards, online forms, etc.) are absolutely required for you to process the guest. As an example, the departure date of a guest is a required piece of data. However, asking for the guest's birthday may be more difficult to justify.

7) Guest consent. It is important to review how you are obtaining, and recording, the guest's consent. He may be arriving via a travel agent, via a telephone reservation, or as a walk-in. All these cases need to be considered. At all times, there must be a clear "opt-in" given by the guest. There cannot be any pre-ticked boxes where the guest agrees to give his data; opting in is never by default. Also consider how you will handle the case of a guest who withdraws his consent.


Hospitality: HOW TO PREPARE in 13 STEPS (continued)

8) Children. There's an additional consideration for children under 16. Authorisation to process a minor's data should be obtained from their parents or responsible adult. The hotel needs to prepare for this scenario.

9) Data breaches or theft. The hotel should be ready to detect, and remedy, any data theft concerning personal data. The data register should be able to provide insight into which pieces of data are concerned. Any incident should be reported within 72 hours to the Privacy Commission, for all cases where there is a risk that guest data may have been compromised. By extension, this implies your network and storage systems should be up to date with the latest intrusion detection programs and should have successfully passed penetration testing.

10) Data protection by design, and Data Protection Impact Assessments. For any new systems or major changes, it would be wise to keep "Data Protection by Design" in mind. Indeed, when discussing requirements for a new tool or procedure, you can already include the data protection principles right from the design stage. An Impact Assessment is required when major new technology is introduced, or significant upgrades are taking place on systems which contain personal data.

11) The Data Protection Officer. Within your hotel or company someone should be tasked to become the Data Protection Officer (DPO). Make sure this is someone who knows and understands the importance of personal data processing. This can very well be an additional task for an existing employee or manager. It is mandatory to appoint a DPO when you are handling large volumes of personal data records, such as medical or criminal records. In a hotel, large amounts of credit card details are processed, so it is eminently sensible to have a DPO in place. The DPO should always be aware of all data flows in the hotel, and he should ensure that he has an updated data register at all times, in case any queries arise. The name of the DPO should be mentioned on all privacy statements on any media. When filing a complaint, the guest will reference the DPO by name.

12) International and group hotels. If you are an independent hotel, this point does not apply. For hotels with multiple properties, or in multiple EU countries, it is important to align the procedures, and to identify who is taking the lead (presumably the country or regional office) for the coordinated GDPR efforts. If you are present in multiple EU countries, it is required to identify a "main establishment", and also the country's lead supervisory authority.

13) Existing contracts. It is likely that for the processing of your data you are assisted by third parties or subcontractors. Make sure you are aware of who they are, and what your current contractual obligations are. This is also an excellent opportunity to review these contracts to include any GDPR-related aspects, ensuring the contractor is aware of his obligations under GDPR and that its services or systems help you meet your GDPR requirements.
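The data register of step 2, the breach insight of step 9 and the notification contents on the penalties slide (categories of data, records touched, approximate number of data subjects) can be tied together in one structure. The following is an added example, not part of the original presentation; the entry fields, location names and guest identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class RegisterEntry:
    """One row of the data register: a category of personal data held in one location."""
    category: str                 # e.g. "contact details", "payment card"
    location: str                 # system or physical place where the data is stored
    source: str                   # where the data came from (booking channel, walk-in, ...)
    shared_with: Tuple[str, ...]  # third parties that receive this data
    lawful_basis: str             # e.g. "contract", "consent"
    subject_ids: FrozenSet[str]   # guest identifiers present in this location

class DataRegister:
    """Maps every data stream so breach and access requests can be answered from one place."""

    def __init__(self) -> None:
        self.entries: List[RegisterEntry] = []

    def breach_summary(self, compromised_locations: FrozenSet[str]) -> Dict[str, object]:
        """What the 72-hour notification asks for: categories, records touched, subjects affected."""
        hit = [e for e in self.entries if e.location in compromised_locations]
        subjects = set().union(*(e.subject_ids for e in hit))
        return {
            "categories": sorted({e.category for e in hit}),
            "records_touched": sum(len(e.subject_ids) for e in hit),
            "data_subjects": len(subjects),   # approximate number of guests to inform
            "shared_with": sorted({p for e in hit for p in e.shared_with}),
        }

    def locations_for_subject(self, subject_id: str) -> List[Tuple[str, str]]:
        """Support an access or erasure request: every (location, category) holding this guest."""
        return sorted({(e.location, e.category) for e in self.entries if subject_id in e.subject_ids})

def build_sample_register() -> DataRegister:
    """Constructed sample data for a small hotel; locations and guest ids are illustrative."""
    reg = DataRegister()
    reg.entries.append(RegisterEntry("contact details", "pms-database", "online booking",
                                     ("booking-channel",), "contract", frozenset({"g1", "g2", "g3", "g4", "g5"})))
    reg.entries.append(RegisterEntry("payment card", "payment-vault", "front desk", (), "contract",
                                     frozenset({"g1", "g2", "g3"})))
    reg.entries.append(RegisterEntry("contact details", "email-archive", "email enquiry", (), "consent",
                                     frozenset({"g2", "g6"})))
    return reg

if __name__ == "__main__":
    register = build_sample_register()
    print(register.breach_summary(frozenset({"payment-vault", "email-archive"})))
    print(register.locations_for_subject("g2"))
```

Because the register records subject identifiers per location, the same structure answers both the breach notification (which categories, how many records, how many guests) and a guest's access or erasure request (every place that guest's data sits).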