Hospitality: Unprepared for GDPR
What is GDPR?
After May 25, 2018, every organization the world over that processes EU residents’ personally identifiable information (PII) -- in plain English, any data that could identify an individual -- will be affected by the GDPR. These regulations aim to unify and strengthen existing data protection rules and ease the flow of personal data across the EU member states. When the GDPR comes into force, any organization that processes PII will have to conform to a number of regulations, or risk facing significant penalties. For example, it will be mandatory to notify GDPR representatives of any security breaches within 72 hours and, for the most serious breaches, fines of up to 4% of an organization’s turnover may be imposed.
An unprepared industry
With a little over a year until the GDPR regulations come into effect, there is considerable work to be done and it may be easy to underestimate what’s involved on the road to compliance.
The hotel industry is considered one of the most vulnerable to data threats, because hotels process, and in many cases store long term, a very high volume of guests’ personal information and payment card transactions daily. They also receive this information from many sources, such as third-party booking systems, point of sales systems, concessions, their own site, emails, faxes, phones and walk-ins. Furthermore, hotels tend to store this payment card data in several places.
Policy and Progress
To ensure compliance with the new regulations, hotels will need to undertake some seemingly obvious, but rather intensive actions, to safeguard guest data and avoid the financial repercussions that could result from lack of compliance:
- A hotel must define its core principles regarding guest data as it relates to GDPR, and recognize that data belongs to the guest, not to the hotel.
- A hotel must outline its guidelines for collecting and managing PII.
- It must establish a code of conduct for the hotel and its staff.
- The hotel must define self-regulatory audit questions.
Actual implementation requires:
- Internal processing. A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies, so that a hotel always knows the status of such information.
- A hotel must keep technical and organisational records to prove it is protecting data. It will also need to show the supervisory authority that it has these mechanisms in place.
- Hotels need a section on their website that permits “opting in,” thus allowing hotels to store PII data. Furthermore, they must explain the process, enabling guests to access, modify and delete information. This in itself poses significant issues when data is held in different locations.
It is essential that hotels know the location of all the PII data they hold. This data could be found in a number of places; for instance, in folders, in old email archive files -- even in scribbled notes left on the front desk or left in folders in the back office. Once all the data is accounted for, decisions must be made about how it should be handled, taking into consideration the hotel’s principles and code of practice. Actions can include deletion, redaction, encryption, quarantine or storage in an accredited, cloud-based storage solution, where it can be accessed by staff easily, using very strong access controls and auditing. It is also key to ensure IT systems are set up and updated for maximum data protection. Unfortunately, many companies still use outdated security systems and data protection software; considering that new threats appear daily, investing in up-to-date security is essential.
Hoteliers should ensure their staff training is both up to speed, especially when it comes to GDPR compliance. Hotel staff must be aware of how to collect, access, use and disclose personal information as well as how to restrict access to cardholder data. Employees must also be advised on how to create strong passwords, and know how to properly dispose of documents containing payment card data.
PCI Compliance and GDPR
If the hotel is already PCI compliant, then this accreditation lays the foundation for GDPR compliance.
To be PCI DSS compliant, a hotel must have taken appropriate steps such as:
- maintaining an information security policy and establishing who is accountable for protecting data;
- placing and maintaining secure systems to prevent data breaches – including a firewall and continually updated anti-virus software, access controls and other systems designed to prevent data breaches;
- encrypting cardholder and other sensitive data; ensuring that IT systems are set up adequately; and
- investing continually in security technologies.
It is vital that hotels begin preparing for GDPR now, so that come May 2018, they can be sure to avoid data breaches -- as well as hefty financial penalties.
May 2018 might seem a long way off, but for some hotels, becoming GDPR compliant will take longer than they realise. No matter what hotels decide to do to achieve GDPR compliance, it is essential that they act, and even more importantly, that they act now.