Breach of trust: protection of guest data in hotels

16 April 2018



With Facebook’s high-profile privacy scandal looming large and Europe's General Data Protection Regulation imminent, hotel operators are under more pressure than ever when it comes to handling and protecting guest data. Those that fall short will pay the penalty, as Robert Holland, chief technology advisor to the British Hospitality Association, and Travelodge’s interim head of eCRM, Nick Crawford, explain to Ross Davies.


It is too early to predict how the scandal over Facebook’s handling of user data for political gain will play out. At the time of writing, the social media giant is under mounting pressure to explain how the data of more than 50 million users fell into the hands of political consultancy Cambridge Analytica without their consent or knowledge.

The immediate fallout has been explosive. Some Facebook shareholders are reported to have placed their stakes under review, while others have launched class action lawsuits. Embattled founding chairman and CEO Mark Zuckerberg has appeared in front of the US Congress, while an online movement urging users to delete their Facebook accounts is gaining momentum. And with new EU legislation about to come into force, privacy breaches such as this one could have a much higher cost to brands than just negative publicity.

Whether the scandal turns out to be a watershed moment or not, it serves as an indisputable reminder not only of how today’s consumers are more wary than ever about how their data is mined and used, but also of the sheer amount of personal information that is out there in the digital ether.

How does this all relate back to the hotel sector, you might ask? Well, just as in any other industry with digital operations, the exchange of data between guests and hotel operators is increasingly used to enable the latter to provide the former with a better, more personalised service.

“We have long held extensive profiles on guests who have visited our hotels or eaten in our restaurants,” explains Robert Holland, chief technology advisor to the British Hospitality Association.

“Some of this is relevant to ensuring that the guest has an enjoyable stay, such as knowing which pillow they prefer, if they have a particular room preference or if they have made a previous complaint.

“But we will need to decide whether it is important that we record, say, the name of their pet and whether this is really necessary to deliver our service standards.”

Data danger

Last year saw two high-profile data breaches come to light within the international hospitality sector. The most notable concerned Hilton, which was slapped with a $700,000 fine in November for two incidents dating back to 2015, in which the company was hacked and lost the credit card details of 350,000 customers. Hyatt, too, reported that it had suffered a second security breach in the space of a year regarding payment card information.

Barring a couple of headlines in the trade press, the revelations over Hilton and Hyatt were hardly earth-shattering. The breaches appear to have done little to damage financial performance either, with both groups reporting year-on-year increases in RevPAR during the fourth quarter.

Yet, should operators fall victim to a data breach after 25 May, the implications could be significantly more serious. The date, likely to be circled in the calendar by most CIOs, will mark the enforcement of the General Data Protection Regulation (GDPR).

Having been approved by the EU Parliament, GDPR marks the most significant overhaul of European privacy laws since the bloc was first established. The legislation requires any company anywhere in the world in possession of data belonging to EU citizens to exercise the utmost transparency in how it collects, stores and processes it. GDPR also includes a ‘right to be forgotten’ subclause, in which consumers can ask for copies of their data to be deleted, if they so wish.

“GDPR is, in essence, ensuring that we only retain data that is essential to providing our services, and that we are fully aware about how we are collecting and storing this data,” says Holland.

“While hotels have had to comply with payment-card industry data security standards [PCI DSS] for some time now, tokenisation is likely to become a necessary standard in the not-too-distant future, ensuring that credit card details are not stored in a way that [the] data may be breached.”

The penalties for a failure to comply with GDPR are unprecedented. Operators risk being fined up to 4% of their annual turnover for any reported data breaches. Financial punishment aside, Holland suggests that the implications from a brand perspective could be even more damaging.

“The reputational damage that may ensue after a breach could mean that your guests no longer wish to share their details with your hotel – not such a problem not knowing about those pillows, but definitely a problem if you do not have the credit card details in order to charge a deposit or no-show fee,” he says.

Ready for action

But how prepared are operators when it comes to getting their houses in order ahead of GDPR? According to Holland, “hoteliers are still somewhat confused with regard to what is consent”. For Nick Crawford, interim head of eCRM at Travelodge, some operators are paying more heed to the legislation than others.

“It’s pretty much divided into three camps,” he explains. “You’ve got your businesses that have been working on GDPR for a while, and see it as an opportunity to run some hygiene checks and some internal process improvement.

“Then there are those that know that they need to do something, but it feels like a bit of a mountain to climb. Many of them only just started looking at GDPR after Christmas, in terms of their communications. In the third camp are those that are not really worried about it at all and see it as all a bit Y2K.”

A large part of Crawford’s job remit at Travelodge has been helping the group prepare for the May deadline. Great efforts have been made to ensure compliance, he says, with the group adopting a business-division-based approach.

“We divided the workload into departments – meaning you’ve got different stewards for marketing, customer service, sales, IT and law,” he explains. “Each of those areas has an owner and part of their role is actually helping with the audit and process tracking.

“So by listing all of those processes in terms of priority, you can start to understand how well those processes are working or not, and how compliant they are. We also asked lots of questions. What’s the legal basis on which we will be operating GDPR? Is it consent? Is it a legitimate business interest? Is it contractual?”

What should be clarified is that GDPR does not require explicit ‘opt-in’ consent if personal data is used to help the hotel provide the service it is obliged to deliver to the data subject – the guest – as part of a valid contract. However, if a hotel then takes that data and uses it for a specific additional purpose, such as remarketing, then it requires explicit consent.

“The hotel should, of course, ensure that the personal data is not retained beyond the period required to deliver the service, so once the guest has checked out, then the personal data should be purged,” says Holland.

Special teams

For Holland, the operators that have best prepared themselves for GDPR all have one thing in common: they all established new data protection officer (DPO) roles within their organisation.

“The DPO could be an IT manager or a financial controller, for example,” he says. “The DPO can then fully understand how data is collected and stored. Some insurers will offer secure data storage as part of their cover to minimise claims over breaches in data security. The DPO should then set out a code of conduct for the hotel and its staff that defines how this data is controlled, who has access to it and how long they plan to keep it.”

According to a recent report by PwC, hotel companies have fallen behind in payment card industry compliance. So while there may still be some confusion around the complexities of GDPR, it could ultimately serve as the much-needed shot in the arm that the industry needs when it comes to making the right improvements in the areas of consumer data and payment privacy.

“One of the biggest challenges for operators is the sheer number of data streams they have to look after across numerous sites and areas,” says Crawford.

“Travelodge, for example, has 530 hotels, so in terms of real estate, that’s a number of centres of operation that amplifies any situation for it. As a business, you need to ask yourself what data you have, why you are holding it, where it is coming from and how you are using it. That, in itself, is a major task for any business.”

As far as 25 May is concerned, Crawford accepts that many operators “aren’t going to be 100% GDPR-compliant”. There is also “no wrong or right way, necessarily”, when it comes to implementing guidelines.

“The one thing I would say is that an approach based around risk mitigation will always serve you well,” he says. “Due to the wide-ranging auditing of all those data processes that’s required, it’s a tall order for some operators to be completely ready for GDPR.

“But what they can do is have a priority-based approach in place, which looks at which data areas are most likely to lead to a complaint, financial risk or brand damage. They need to be tackled first.”

Hotels are often privy to large amounts of information about guests, from their dietary preferences to the types of pillows they like best.