What is GDPR?
If you haven’t heard about GDPR yet, it’s time to get up to speed. GDPR is an acronym for General Data Protection Regulation, new EU legislation that introduces the biggest changes to data protection in the EU since 1995.
What was there before GDPR?
Prior to GDPR, there was the 1995 EU Data Protection Directive (95/46/EC), a piece of legislation that set an objective for all EU countries without defining the means to achieve this objective. Since then, the world has changed drastically and legislation was needed to establish the new rules for the new digital era.
What is the purpose of GDPR?
The aim of the GDPR is to protect the privacy of all EU citizens, and to protect them against data breaches, in an increasingly digital, data-driven world that differs greatly from the one in which the 1995 directive was established. The objective is twofold:
- Empower individuals to control their personal data.
- Establish a single set of protection rules across the EU.
Does GDPR apply to hotels?
Whether GDPR applies to one’s business is the first question we ask ourselves, right? The answer is YES, as long as your hotel controls or processes personal data of EU citizens. That is, your hotel may not be physically located in the territory of the European Union, but if you have any relationship with the personal data of EU citizens, the new regulation will apply to you as well.
Consider this: if your hotel chain is headquartered in Latin America, but you sell to EU travel agents, you will have to comply with GDPR regulations. If you collect information about the behavior of EU citizens (analyzing tourism trends in Spain, for example), you must comply with GDPR requirements. These two questions will help you find the answer:
If your answer is yes to any of these questions, you need to know all about GDPR and take steps to adjust your processes for the new legislation. The expanded territorial scope is one of the biggest changes in the new regulation and greatly increases the impact of GDPR.
Why is the Hotel sector more sensitive to GDPR than many others?
Compared with most industries, the hospitality industry is extremely vulnerable to data security threats. The volume of sensitive personal data and credit card information it collects and processes makes it one of the industries most vulnerable to data breaches (Verizon 2016 Data Breach Investigations Report). Online booking systems and multiple payment points make hotels an easy target for cyber-attacks. According to the report, the industry accounted for the largest number of cyber incidents in 2016.
GDPR requires the highest levels of data security, which could be a challenge for the hotel industry. The risk of facing large financial penalties is high, and hotels must update their data protection policies to avoid potential losses.
The penalties for not complying with GDPR are much larger than under previous legislation. Violating the rights of the data subjects whose data has been collected can carry a financial cost of up to €20 million or 4% of global annual revenues (whichever is greater), not to mention possible reputational costs.
What changes will the GDPR bring?
Don’t worry! We will publish further posts with a detailed description of the legislation and its application in the hotel sector, but for now we want to give you some examples of what is about to change for hotels.
1. Total data management
The new legislation is strict. To ensure compliance with the new regulations, you must be in full control of your internal and external processes and know all the details related to the personal data you process. Policies and principles should be defined, along with a code of practice and self-regulatory audit questions. You must establish the purposes for data acquisition, making sure you know exactly how and where you collect this data. Where you store it, for how long, who has access to it, what your disposal policy is: the answers to these questions should not only be clear, but also fully documented.
2. Clear notification and explicit consent
Under GDPR, notification and consent requirements change substantially. Clear notification means that, when collecting personal data, hotels must explain in clear language exactly what data is being captured, for what purposes, how long it will be stored, who has access to it and what a customer’s rights are in this regard. The user must have a full understanding of these points and, in accordance with the GDPR, it is your responsibility to inform them.
As for explicit consent, it means that the user, once fully informed of all of this, must give his or her unequivocal affirmative consent. The user’s personal data may then be used only for the stated period of time and only for the purposes for which consent was given.
3. Third parties and partners
‘We are who we hire.’
Hoteliers should take more precautions to ensure that their partners comply with the latest data protection regulations. A major change due to GDPR is that all entities involved in data processing are responsible for its security. That means that if a hotel outsources data processing to a non-compliant third party, both the hotel and the third party may be held liable if a breach occurs.
What should you do now?
Now that you know why GDPR is important to the hospitality industry, it’s time to learn more about the legislation and take steps to prepare your hotel or chain for when the regulation goes into effect. In the following articles we will give you a more detailed explanation of the regulation and its principles. See you next time!