
Is your hotel ready to implement GDPR guidelines?


Those of us in the hotel industry are familiar with a plethora of acronyms: ADR, REVPAR, CRM, MICE…the list goes on and on. The latest entrant to this long list is GDPR – or the General Data Protection Regulation – a regulation implemented by the European Union that came into effect on 25th May 2018, and one that will replace the Data Protection Act of 1998.

 

Technology advances since 1998 and a series of data breaches (including LinkedIn, Yahoo and Facebook’s Cambridge Analytica scandal) have pushed legislators to prevent ‘data hijacking’ and safeguard consumers from having their collected data distributed without their knowledge or consent.

 

What business in the world today houses the highest concentration of tourists? Hotels, absolutely. Hence they are the ones most likely or liable to be affected by the new privacy laws. If your hotel holds personally identifiable information of an EU citizen, it is obligated to comply with GDPR requirements. In other words, hotels that actively seek European guests are the most likely to be affected by the GDPR…for now. (Other countries such as Japan, South Korea, Singapore and Canada are considering introducing similar regulations.)

 

What constitutes personal data? Personal data is any information related to a person (or ‘Data Subject’) that could be used to directly or indirectly identify the person. For example, a name, a photo, an email address, credit card information, bank account details, their posts on social networks, etc. This also includes the ID cards and passports that hotels request from foreign guests.

 

Hotels will have to clearly explain to guests what data they are capturing, why they need it, and who will have access to it. This extends to booking systems and revenue management software. In short, if you collect the data, then you need to manage it, monitor it and protect it.

 

What is significantly new in GDPR is that ‘Data Subjects’ (the individuals whose data is gathered) now have sweeping rights. They include the right to have data completely removed from all storage (and they are not required to tell you why), otherwise termed ‘the right to be forgotten’. Specifically, your hotel must erase all their personal data wherever it exists – in files, databases, and replicated, backup and archived copies. Furthermore, you must be in a position to tangibly prove that you have done so.

 

Beyond that, if you have shared this person’s data with another company, it is your responsibility to contact them and convey the person’s demand for erasure. Other rights include the right to move data from one entity to another, the right to correction of inaccurate data and the right to file class-action or civil lawsuits, plus more…

 

GDPR stipulates that customers must explicitly consent to their personal information being processed and used by third-party sites. As an industry, the hospitality sector is intrinsically interlinked. Hotels work with numerous third parties such as OTAs, booking engines, travel agencies, car rental firms, loyalty programmes, etc. - many of whom may be connected to the hotel’s Property Management and/or Central Reservations systems. Thus they too can have access to its data.

 

Hotels that collect data via a third-party site need to ensure that customers are aware of it. For example, say a customer books a room through Expedia and enters details, some of which are automatically received by the hotel. In this scenario, the traveller has no contact whatsoever with the hotel until they arrive to check in. It behoves the hotel to make certain that, at the time Expedia collects that data on its behalf, it has been made clear to the customer that the data will reach the hotel and be governed by the hotel’s privacy policy.

 

As for the hotel’s email marketing campaigns, the new requirement is to ensure that users ‘opt in’ and give consent to be contacted, rather than adding them to your email list and waiting for them to ‘opt out’. The good news is that you do not need to obtain the consent of your followers or connections on social media or platforms such as Facebook, LinkedIn, Twitter, Google, WhatsApp, Snapchat or Instagram to use their data, since you will effectively be covered by the terms and conditions and privacy notices of each of these social networks.

 

To summarise: very little has actually changed between the new legal framework and the Data Protection Act that has existed since 1998. The previous Eight Rules of Data Protection have been revised and condensed, with amendments, into Seven Principles. The ‘rights’ of individuals have been expanded, including the right to be forgotten; the conditions requiring ‘consent’ have been strengthened (with opt-in replacing opt-out); and changes have been made regarding breach notification.

 

SHAFEEK WAHAB- Editor Hospitality Sri Lanka

 


