
Are you (still) sitting on a GDPR landmine?

You’ve probably taken steps to tighten up your data processing since the GDPR came into force in May 2018, but have you done enough? As we’ll see, 2019 looks set to be the year the GDPR starts to bite for hoteliers, with the possibility of crippling fines for companies falling foul of the regulation. In this article we discuss how the GDPR could affect non-compliant hotel companies, what can be done to protect hotels and their customer data, and, on a more positive note, how to turn GDPR compliance into a PR win.

What happens to companies found to have breached the GDPR?

Companies operating in the EU that breach the GDPR face fines of up to €20 million or 4% of their annual worldwide turnover. Hotel giant Marriott could face just such a fine under the regulation, after its inadequate security measures exposed the personal data of 500 million hotel guests. Given that Marriott generated global revenues of approximately $22.9bn in 2017, a GDPR penalty could cost the company as much as $900 million.

The rules that Marriott’s team should have taken better note of are spelled out in Article 32 of the GDPR, “Security of Processing”. The gist of Article 32 (and we are paraphrasing here) is that data processors such as hotels must put technical and organisational measures in place to provide a level of security appropriate to the risks they face. This encompasses the encryption of personal data, orderly processes for data storage and access, and regular security audits of data processing methods and systems. We suggest you take a few minutes to absorb the full content and precise language of Article 32.

The good news for hotels is that there are several steps they can quickly take to bring themselves into line with the GDPR. We advise actioning these points in particular:

  1. Draft and implement company-wide information security policies, taking the GDPR as your starting point.
  2. Carry out due diligence on new stakeholders coming into contact with guest data, whether that means running background checks on new employees or investigating the systems used by a new SaaS provider.
  3. Carry out relevant risk assessments, such as data protection impact assessments (DPIA) or cyber security assessments.
  4. Regularly patch your cyber security software to ensure it protects against the latest threats.
  5. Make safe data processing a training priority for relevant team members.

Which types of customer data do hotels need to protect?

The GDPR applies to any data that is capable of identifying or re-identifying the natural person with whom it is associated. For hotels, this equates to all the data that can be termed “customer data.” In addition to basic details like name, date of birth and nationality, customer data includes finer details like payment information, IP addresses and transaction histories. Even if a company’s policy is to hold different types of information in separate places, for example to securely store credit card information separately from a customer’s name, the data is still covered by the GDPR if it could feasibly be linked back to that data subject through cross-referencing with other data sources.

Under the GDPR, companies within the European Union may process customer data only if one of the following lawful bases is met:

  • The customer has granted permission for processing;
  • It is essential to the fulfilment of a contract;
  • To comply with a legal obligation;
  • To protect the data subject’s vital interests;
  • It is in the public interest;
  • To support legitimate interests.

According to the UK Information Commissioner’s Office, “The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.” Most of the ways hotels tend to use customer data are covered by one of these bases, from processing payments, which is essential to the fulfilment of the contract between hotel and guest, to targeting repeat customers with email marketing.

To ensure all your data processing meets these criteria, compile a list of all the customer data your company handles. We recommend you do this by interviewing a senior person from each department about the data processing taking place under their remit. Once you have compiled a list covering the entire organisation, work through it to ensure each item matches one of the six conditions listed above. If you identify a customer data process that does not match any of the lawful bases, we strongly advise implementing a measure for securing consent at the outset of that process, for example by adding an explanation of the process (a fair processing notice) with a consent checkbox to your hotel registration documentation.

How customer payments fit into the GDPR picture

While the GDPR does not place special importance on customer payment data, hotels should, because cyber criminals do. A breach of financial data poses a high risk to the rights and freedoms of the customers affected, and significant reputational damage to the company can follow. Payment data is a key target for cybercriminals: information such as card details gives fraudsters the opportunity to pay for goods and services with other people’s money, which is something you’ll be familiar with if your company has ever had to pay expensive chargeback fees to facilitate refunds for fraud victims.

Storing customer credit card information and other payment details is essential to how hotels and most other businesses operate. Therefore, the best route to GDPR compliance is to look at ways to store card information more safely. The European Payments Council flags the following four actions as crucial to ensuring payment data is handled compliantly:

  1. Review all data processing activities and keep verifiable records of these activities;
  2. Ensure that you have implemented appropriate technical and organisational measures to adequately protect the security of the personal data of your clients (‘data protection by design and by default’);
  3. Ensure compliance with the ‘accountability principle’ and cooperate with the relevant supervisory authority where appropriate;
  4. Ensure that you have appropriate processes and templates in place for identifying, reviewing and promptly reporting data breaches to the relevant supervisory authority.

In our view, actions 1, 3 and 4 are relatively self-explanatory. Companies must review and record their data processing; they must accept responsibility for their data; and they need to look out for data breaches, reporting any that take place. Action 2 presents a greater challenge. Find out how to tackle it in our free whitepaper: Data Protection in the Hotel Sector.

The GDPR landmine goldmine: how compliance can benefit a hotel’s brand

The GDPR has caused such concern for businesses in the last year that it’s easy to forget the regulators are the good guys. Many customers appreciate having their data handled in a secure and transparent manner. If you can say with confidence that your company is doing exactly that, you should take the opportunity to communicate this to customers.