By Robert Holland, Chief Technology Adviser to the BHA
I cannot escape the discussion around the EU General Data Protection Regulation that comes into force on the 25th May 2018. Every seminar I attend seems to be touching on it.
To my knowledge, there have been a couple of high profile hospitality companies that have had data breaches this year, one a leading luxury hotel company and the other one of the largest GDS booking platforms, but could it really impact my hotel? Like many hoteliers, I am still a little confused, to say the least, about what changes we need to make to our current processes in order to comply. PCI compliance was addressed a while back, and tokenization is already offered by a number of booking engine providers to add further security to the process of taking payment details: the card number is replaced by a token that is held by the payment provider, so the hotel and the booking engine never store the card details themselves, and the token is of no use for a transaction without the provider that issued it.
Whilst it is common practice to create a guest history profile of our regular guests in order to better recognise their needs on future stays, can we really argue that a guest who celebrated their 50th wedding anniversary at our hotel 6 years ago is likely to return anytime soon? Should we really be keeping details of their preference for a particular room on file now that the room has been refurbished twice since and no longer resembles the room that they last stayed in? Granted, those guests that frequently return to our hotels should be only too happy to agree to our recording their preferences and opt in to our data retention policy.
I contacted Guestline to ask for their advice to their clients. Jeremy Espley, General Counsel for Guestline commented: “Under the new GDPR legislation all personal data processing will be affected. This includes guests as well as employees and supplier data. The implications of any breaches both from a financial perspective as well as damage to a hotelier’s reputation are serious. However, there are a number of guiding principles that can help hoteliers achieve compliance. These can be applied to the retention of guest profiles as well as other areas of operations (employee records for example). We are advising our clients to undertake an assessment of their current data processing activities, prepare records and ensure that any vendor contracts they have in place, including those with their PMS suppliers, will meet the new legislation criteria. Any data processing system will need to be reviewed and in turn new data protection policies and breach response plans will need to be developed to ensure they are compliant before 25 May 2018.”
Simply put, GDPR will require us to set out our procedures for collecting personal information, remembering that this information belongs to the guest and not the hotel, and to make sure that all of our staff who have access to this information respect its privacy. We need to be able to tell anyone who asks why we need this data and how long we plan to keep it. There is still some confusion over consent: we do not require it where we need specific information to deliver on our service contract with the guest, but we will almost certainly require it if we wish to use that information for remarketing. We also need to have robust procedures in place to ensure that we remove any data that we no longer require and do not have the guest's permission to keep. Surely this is not too much to ask?
If you still need help, the BHA together with Boyes Turner have developed a designated area on the website to help you navigate the impact of GDPR here.