11 steps to hotel GDPR Compliance – Are you ready?
From 25 may 2018 GDPR (General Data Protection Regulations) will be implemented in the European Union. GDPR is in place to strengthen the rights of all EU citizens and residents concerning the collection, storing and processing of their personal data by companies and organizations. Personal data includes an extensive list of details like a person's name, passport number, bank account number, email address, IP address etc. Considering your property is linked to multiple sources that handle guest data like (online) travel agencies, distribution systems and loyalty programs that might be integrated with your PMS and/or CRS, GDPR is something you need to be especially aware of.
With a few steps, you can check if your hotel meets some of the requirements of becoming GDPR compliance. We do suggest to get in touch with a specialized office in helping you with your hotel security.
1. Inform your staff and provide trust towards your guests
Perhaps all of this information is redundant and you already have a great system in place to adhere to the safety of guest data and their privacy. But are all employees aware of PCI and GDPR regulations?
Practice what you preach. Make sure that the entire team is involved, from management to front office. Share your security procedures, create quick cheat sheets for the desks and inform them of the consequences.
2. Build trust towards your guests
Build trust towards your guests by showing that you follow strict security and privacy rules. You can do this by adding the once certified PCI logo to your website or a poster at the check-in desk. Also, let your guests feel safe during check-in by informing them about the safeguarding of all information.
3. Review, record policies and procedures
All the information that flows through the hotel should be documented. Don’t worry, we are not talking about a huge log of every single activity. GDPR is talking about guest formation, everything that can conflict with the privacy of your guests. A creation of a log that holds information of:
- What data is stored,
- Where is it stored,
- Where does the data come from,
- Who has access to this data
- And which external parties are involved (like distribution channels and other data providers)
- And most important, if the guest agreed to the terms of collecting his or her data.
All these processes should be recorded.
4. Inform your guests and ask consent about your rules and regulations
Ask for the guests' approval of handling all required data. It’s important that this approval is documented in the process. Modern online check-ins already have this implemented in the process. Make sure that your legal statements and customer agreements are reviewed and amended to these new legislations. Inform your guests about the reasons you collect the data and how long you will be storing it.
5. Guest rights
The European guest has several rights, and you need to ensure he can exercise his rights, which include:
- The right of access to his data
- The right to rectification
- The right to erase
- The right to restrict processing
- The right to transfer his data to another party
- The right to object
- The right not to be included in automated marketing initiatives or profiling
6. Handling guest requests regarding privacy rights
When you are informing guests about your privacy policies and security rules, you can expect questions will be asked about their rights. You will need to be ready to handle these questions. You have a maximum of 1 month to provide an answer. If you refuse a request, you must inform the guests about your reasons, and provide any details about the Privacy Commission and the name and contact details of your main security contact, so that the guest understands how to file a complaint.
7. Be aware of what you are asking
All information that you are asking from your guests should be with a lawful reason. Be aware of what you are asking. Review all data gathering moments and determine if all information requested is legitimate. Check out date is required, but social details are harder to substantiate.
8. “Opt-in / Opt-out”
Storing guest data and using it for any valid reason is never agreed on by default. A guest will always have to agree (“opt-in”) to your terms before you are allowed to handle his or her data. Also have a process in place when a guest does not agree, or partially agree.
For all the above you should have actions in place. Next to that, you need to know how and when guests will be asked to agree on these terms. Agreeing to the terms of a booking site where the guest booked the stay is not a valid opt-in for all your internal Hotel procedures.
There is an additional consideration for children under 16. Authorization to process a minor’s data should be obtained from their parents or responsible adult.
10. Data Breaches
The hotel should be ready to detect and handle any data breaches. The data register should be able to provide insight into which pieces of data are affected. Make sure your network and storage systems are up-to-date with the latest intrusion detection programs.
11. The Data Protection Officer
Within your hotel or company, someone should be tasked to become the Data Protection
Officer (DPO). Make sure this is someone who knows and understands the importance of credit card and personal data processing. This can very well be an additional task for an existing employee or manager.
Large amounts of credit card details are processed in a hotel, so it is eminently sensible to have a DPO in place. The DPO should always understand and be aware of all data flows in the hotel, and he should ensure that there is an updated data register at all times, in case any queries arise.
The name of the DPO should be mentioned in all privacy statements on any media. When filing a complaint, the guest will reference the DPO by name.
International, Brand and Chain Hotels
If you are an independent hotel, this point does not apply.
For hotels with multiple properties and/or located in multiple EU countries, it is important to align the procedures and to identify who is taking the lead (presumably the country or regional office) for the coordinated PCI/GDPR efforts. If you are present in multiple EU countries, it is required to identify a “main establishment”, and also the country lead supervisory authority.
Other useful links:
- An introduction to PCI and GDPR compliance
- 8 steps to PCI compliance
- Information about Hotel Data Security
SmartHOTEL specializes in Oracle integrations with the main focus on integrated distribution solutions to Oracle Hospitality Distribution Cloud Services, OPERA and Suite8 systems and is the technology provider behind Oracle’s Channel Manager. Our knowledge of support, consultancy and technology meet the highest expectations of the hospitality market. For any questions regarding our solutions or anything else, feel free to contact us on +31 (0)182 75 11 18, or mail to firstname.lastname@example.org