May 23, 2018

GDPR is coming…are you prepared?

Just how secure is your hotel? Today, this goes beyond traditional locks and keys, with the hospitality industry now extremely vulnerable to data breaches. Every day, a hotel processes masses of sensitive credit card information, making it an attractive target for data theft. It is no surprise, then, that the Verizon 2016 Data Breach Investigations Report found that the industry suffered the second largest share of the year’s security breaches.

The sobering fact is that, along with all its benefits, technology brings new challenges and responsibilities - chief among them the hotel owner’s responsibility to protect their customers’ personal information and to ask themselves how secure their hotel really is. Names, addresses, birth dates and, crucially, credit card details can all be used to carry out identity or credit card fraud.

On the 25th of May, the EU General Data Protection Regulation (GDPR) will come into effect. The GDPR will standardise data privacy laws across Europe to better protect personal data and establish a united front against data theft and misuse. What this means for you is that every business or organisation must now comply with the GDPR or face a heavy fine of either 4% of annual turnover or 20 million euro – whichever is greater.

Compliance is not always straightforward, but Concept is ready to give you some ideas on how to make sure you make the right decisions moving forward. It is also worth noting that even if your property is not based in the EU, you may still need to make some changes if you deal with European clients. The UK government, for instance, has already announced that, despite Brexit, all UK organisations must comply with the GDPR.

So, let’s begin! According to the GDPR’s 15th article, “The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing if the personal data are contained or are intended to be contained in a filing system.” This means your first step should be to identify all the kinds of data you handle - email marketing, clients and website visitors…even your employees’ data.

Following the 25th of May, personal data must only be collected for specified, explicit and legitimate purposes and may no longer be further processed in a manner conflicting with this initial outline. With email a primary form of hospitality marketing, the GDPR will have an impact on strategy, since customers will now have to “opt in” to an email marketing service, as opposed to the “opt-out” system currently widely used (33rd of the GDPR). For example, you can’t take an email address at the time of booking and then use it, without further consent, for email marketing later. To make sure you are doing things correctly, it’s better to obtain consent before the new regulations take effect. This consent must be explicit, which means first explaining to the customer what data you have, why you need it and who else will have access to it.

Almost every hotel and resort will accept credit card payments, which means that they must already be operating in line with the Payment Card Industry Data Security Standard (PCI DSS). This requires that when a company takes a card payment, and so stores, processes and transmits cardholder data, it must do so on a secure, PCI-compliant hosting server. Concept is currently being certified to the latest Data Security Standard from PCI, which will allow us to help our customers comply with the new regulations. Another consideration is that your third-party partners may prove to be a weak link in terms of data protection – under the GDPR, data processors, as well as data controllers, are bound by stronger regulations.

There will also be some aspects of your website that will need to be reviewed. Your Privacy Policy and Terms and Conditions may need to be rewritten in line with the GDPR – they must now be easy to understand and free of jargon. You will also need to make sure that your website is secured by an SSL (Secure Sockets Layer) certificate, so that data exchanged between the visitor’s browser and the website is encrypted in transit. EU visitors will be required to give consent before your website enables the cookies used to identify them. Finally, any forms inviting users to subscribe to newsletters or indicate contact preferences must default to “no” or be an un-checked opt-in box. Basically, you need to ensure that visitors to your website give you informed consent for any way your hotel intends to use their personal information.
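The consent rules above (purpose-specific opt-in, no cookies that identify the visitor until consent is given, opt-in boxes that default to unchecked) translate into a small amount of website logic. The following is an added example, not code from the original post or from Concept; the cookie names, purposes, form field name and the `ConsentManager` class are all illustrative assumptions. It keeps a record of each explicit choice with its purpose and timestamp, treats "no record" as "no consent", and only lets a cookie be set if its purpose has been consented to. A cookie store is passed in as a plain object so the logic runs outside a browser.

```javascript
// Added example (not from the original post): consent gating for a hotel website.
// Every cookie the site uses is classified by purpose. Only "essential" cookies
// may be set without consent; everything else waits for an explicit, recorded
// grant. All names below are illustrative assumptions.

const COOKIE_PURPOSES = {
  session_id: 'essential',  // keeps the booking flow working; no consent needed
  _analytics: 'analytics',  // identifies the visitor across visits
  promo_pref: 'marketing',  // drives newsletter and offer targeting
};

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;       // injectable clock so the record is reproducible in tests
    this.records = [];    // one entry per explicit grant or withdrawal
  }

  // Record an explicit choice. `granted` must be a real boolean: an absent or
  // pre-ticked value is never treated as consent.
  record(purpose, granted, source) {
    if (typeof granted !== 'boolean') {
      throw new TypeError('consent must be an explicit yes or no');
    }
    this.records.push({ purpose, granted, source, at: this.now().toISOString() });
  }

  // The most recent record for a purpose decides; with no record the answer is "no".
  hasConsent(purpose) {
    if (purpose === 'essential') return true;
    for (let i = this.records.length - 1; i >= 0; i--) {
      if (this.records[i].purpose === purpose) return this.records[i].granted;
    }
    return false;
  }

  // Gate: writes the cookie into `jar` only if its purpose is consented to.
  // Returns true if set, false if blocked. Unclassified cookies are refused outright,
  // which surfaces any cookie nobody has assigned a purpose to.
  setCookie(name, value, jar) {
    const purpose = COOKIE_PURPOSES[name];
    if (!purpose) throw new Error(`unclassified cookie: ${name}`);
    if (!this.hasConsent(purpose)) return false;
    jar[name] = value;
    return true;
  }

  // Same rule applied to a non-cookie use, e.g. sending marketing email to an
  // address collected at booking time.
  mayUseFor(purpose) {
    return this.hasConsent(purpose);
  }
}

// The newsletter checkbox is rendered unchecked; consent is read only from the
// submitted value ("on" is what a ticked HTML checkbox submits), never assumed.
function newsletterOptInFromForm(formFields) {
  return formFields.newsletter_opt_in === 'on';
}

// Walk through a visit: booking session cookie is allowed, analytics cookie is
// blocked until the visitor ticks the box, then allowed; the record shows why.
function demoVisit() {
  const consent = new ConsentManager();
  const jar = {};
  const before = consent.setCookie('_analytics', 'abc123', jar);       // false
  consent.setCookie('session_id', 'booking-7f3a', jar);                 // true
  const optIn = newsletterOptInFromForm({ newsletter_opt_in: 'on' });   // ticked box
  consent.record('analytics', true, 'cookie banner');
  consent.record('marketing', optIn, 'newsletter form');
  const after = consent.setCookie('_analytics', 'abc123', jar);         // true
  return { before, after, jar, emailOk: consent.mayUseFor('marketing') };
}
```

A record of `{ purpose, granted, source, at }` is what lets you answer the later question of whether you hold consent for the data you hold, and withdrawing consent is just another `record(purpose, false, ...)` call, after which `hasConsent` returns false again.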

As we can see, preparing for the GDPR will not be easy, but you can simplify the task by asking yourself the following questions…What data do you currently hold, and where? Are your current processes able to deal with subject access and deletion requests? Do you have privacy notices, and are they current? Have you obtained consent for all the data you hold? Which processes are in place to report and investigate data breaches?
