Written by: Galina Kulakova
The way EU (and not only EU) marketers approach their work is about to change drastically, with the new legislation coming into force on 25 May 2018. The GDPR will have a big impact on the way hotels obtain and treat personal data of their guests. In this post we will shed light upon what is coming and why it is important for the Hotel sector.
If you still haven’t heard of the GDPR, it’s time for you to catch up. GDPR stands for General Data Protection Regulation, a new piece of EU legislation that introduces the biggest changes in data protection in the EU since 1995.
Before the GDPR, there was the 1995 EU Data Protection Directive (95/46/EC), a legislative act that set out a goal for all EU countries without defining the means to achieve it. Since then, the world has changed dramatically, and new legislation was needed to establish rules for the new digital era.
Sure enough, the goal of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. The goal is twofold:
Whether the GDPR applies to one’s business is the first question anyone would ask. The answer is YES if you control or process any personal data of EU citizens, and yes, that includes hotels. Your hotel might not be physically located on EU territory, or you might not be collecting data yourself, but if you have any relation to the personal data of EU citizens, the new regulation will apply to you.
Consider this: if you are a Latin America-based hotel that sells to EU travel agents, you will fall under the GDPR. If you collect any analytics on the behavior of EU citizens (monitoring tourism trends in Spain, for example), you will have to comply with the requirements of the GDPR. These two questions will help you find the answer:
If your answer to any of the questions is yes, you need to know everything about the GDPR and take action to adjust your processes to the new legislation. The increased Territorial Scope is one of the biggest changes of the new regulation, and it greatly increases the impact of the GDPR.
Unlike the majority of sectors, the hotel industry is extremely vulnerable to data security threats. The volume of sensitive personal data and credit card information collected and processed makes the hospitality industry one of the most vulnerable to data breaches (Verizon 2016 Data Breach Investigations). Online booking systems and multiple points of payment make hotels an easy target for cyber attacks. According to the report, the industry accounted for the largest number of cyber incidents in 2016.
The GDPR legislation implies the highest levels of data security, which might be challenging for the hotel industry. The risk of facing large financial penalties is high, and hotels must upgrade their data protection policies in order to avoid possible losses.
The penalties for not complying with the GDPR are much larger than under previous legislation. Violating data subjects’ rights can come at a financial cost of up to €20 million or 4% of global annual revenue (whichever is greater), not to mention potential reputation costs.
A detailed description of the legislation and its application to the hotel sector will follow in our next posts, but for now we want to give you some examples of what exactly is about to change for hotels in light of the GDPR.
The new legislation is strict. To ensure compliance with the new regulation, you need to be in complete control of your internal and external processes and know every detail regarding the personal data you process. Policies and principles should be defined, along with a code of practice and self-regulatory audit questions. You need to set the purposes for data acquisition and know exactly how and where you collect the data. Where you store it, for how long, who has access to it, your deletion policy – the answers to these questions should not only be clear, but also fully documented.
Currently, the rules around collecting personal data are somewhat flexible. The wording can be smart and have a double meaning, “opt-outs” are commonly used, and you have the chance to smoothly enroll your potential and current guests in various newsletters, adding their contact details to any number of subscriber lists. Legal notices and privacy policies are written in language that is hard for an ordinary user to understand, and a very small percentage of customers actually read the whole text, which gives the company an advantage.
Under the GDPR, all that will change. Clear notice means that when collecting personal data, hotels must explain in clear language exactly what data is being captured, for what purposes, for how long it will be stored, who has access to it and what the rights of a customer in this story are. The user must have a full understanding of these points and, according to the GDPR, it is your responsibility to inform him.
As for explicit consent, it means that affirmative, unambiguous consent has to be received from a fully informed user. His personal data can then be used for an exact period of time and only for the purposes to which the consent was given.
‘We are who we hire’
Hoteliers should take more precautions to ensure that their partners are compliant with the latest data protection regulations. A major change due to the GDPR is that all entities that participate in the processing of data are responsible for its security. That said, if a hotel outsources data processing to a non-compliant third party, both the hotel and the third party can be held responsible if a breach occurs.
Now that you know why the GDPR is important for the hospitality industry, it’s time to educate yourself more about the legislation and take action to prepare your hotel for when the regulation comes into force. In the following posts we will give you a detailed explanation of the regulation and its principles. Stay tuned!