The age of consent: European GDPR
29 October 2018
The European General Data Protection Regulation (GDPR) compliance deadline has passed, requiring every hotel in the world to have guidelines in place that protect EU residents’ personally identifiable information against security breaches. Six months down the line, however, reports are coming through of some operators managing the scale of these demands better than others. Robert Holland, chief technology adviser to the British Hospitality Association, and GDPR expert Nick Crawford discuss the challenges with Patrick Kingsland.
Failure to comply with GDPR requirements is a major security risk. Anecdotal evidence of companies, inundated with correspondence about their use of personal information, having difficulty keeping up with the volume of requests, has been seen throughout the industry. In July, the world’s largest operator, Marriott International, was forced to request extensions to the one-month response period.
The commitment to getting GDPR right is understandable. 2017 saw two high-profile data breaches come to light within the international hospitality sector. The most notable concerned Hilton, which was slapped with a $700,000 fine in November for two incidents dating back to 2015, in which the company was hacked and lost the credit card details of 350,000 customers. Hyatt, too, reported that it had suffered a second security breach in the space of a year regarding payment card information.
Barring a couple of headlines in the trade press, the revelations over Hilton and Hyatt were hardly earth-shattering. The breaches appear to have done little to damage financial performance either, with both groups reporting year-on-year increases in RevPAR during the fourth quarter.
Yet, following the implementation of GDPR in May, the implications have become significantly more serious should operators fall victim to data violation. The legislation marks the most significant overhaul of European privacy laws since the bloc was first established, requiring any company anywhere in the world in possession of data belonging to EU citizens to exercise the utmost transparency in how it collects, stores and processes it. GDPR also includes a ‘right to be forgotten’ subclause, in which consumers can ask for copies of their data to be deleted, if they so wish.
“GDPR is, in essence, ensuring that we only retain data that is essential to providing our services, and that we are fully aware about how we are collecting and storing this data,” says Robert Holland, chief technology adviser to the British Hospitality Association.
“While hotels have had to comply with payment-card industry data security standards (PCI DSS) for some time now, tokenisation is likely to become a necessary standard, ensuring that credit card details are not stored in a way that their data may be breached.”
Data, so long viewed as a great opportunity for hoteliers, is now also looked upon as a threat.
“We have long held extensive profiles on guests who have visited our hotels or eaten in our restaurants,” explains Holland. “Some of this is relevant to ensuring that the guest has an enjoyable stay, such as knowing which pillow they prefer, if they have a particular room preference or if they have made a previous complaint.
“But we now need to decide whether it is important that we record, say, the name of their pet and whether this is really necessary to deliver our service standards.”
The penalties for failing to comply with GDPR are unprecedented. Operators risk being fined up to 4% of their annual turnover for any reported data breaches. Financial punishment aside, Holland suggests that the implications of GDPR from a brand perspective could be even more damaging.
“The reputational damage that may ensue after a breach could mean that your guests no longer wish to share their details with your hotel – not such a problem not knowing about those pillows, but definitely a problem if you do not have the credit card details in order to charge a deposit or no-show fee.”
Are you ready?
But how prepared are operators when it comes to getting their houses in order ahead of GDPR? According to Holland, “Hoteliers are still confused with regard to what is consent.” For Nick Crawford, who served as head of eCRM at Travelodge during the transition period into GDPR, some operators are paying more heed to the legislation than others.
“It’s pretty much divided into three camps,” he explains. “You’ve got your businesses that have been working on GDPR for a while, and see it as an opportunity to run some hygiene checks and internal process improvement.
“Then there are those that know that they need to do something, but it feels like a bit of a mountain to climb. Many of them only started looking at GDPR after Christmas, in terms of their communications. In the third camp are those that are not really worried about it at all and see it as all a bit Y2K.”
A large part of Crawford’s remit at Travelodge was helping the group prepare for the May deadline. Great efforts were made to ensure compliance, he says, with the group adopting a business division-based approach.
“We divided the workload into departments – meaning you’ve got different stewards for marketing, customer service, sales, IT and law,” he explains. “Each of those areas had an owner, and part of their role was actually helping with the audit and process tracking.
“So by listing all of those processes in terms of priority, you can start to understand how well those processes are working or not, and how compliant they are. We also asked lots of questions. What’s the legal basis on which we will be operating GDPR? Is it consent? Is it a legitimate business interest? Is it contractual?”
In or out
What should be clarified is that GDPR does not require explicit ‘opt-in’ consent if personal data is used to help the hotel provide the service it is obliged to deliver to the data subject – the guest – as part of a valid contract. However, if a hotel then takes that data and uses it for a specific additional purpose, such as remarketing, then it requires explicit consent.
“The hotel should, of course, ensure that the personal data is not retained beyond the period required to deliver the service, so once the guest has checked out, then the personal data should be purged,” says Holland.
For Holland, the operators that have best prepared themselves for GDPR all have one thing in common: they all established new data protection officer (DPO) roles within their organisation.
“The DPO could be an IT manager or a financial controller, for example,” he says. “The DPO can then fully understand how data is collected and stored. Some insurers will offer secure data storage as part of their cover to minimise claims over breaches in data security. The DPO should then set out a code of conduct for the hotel and its staff that defines how this data is controlled, who has access to it and how long they plan to keep it.”
According to a recent report by PwC, hotel companies have fallen behind in payment card industry compliance. So while there may still be some confusion around the complexities of GDPR, it could ultimately serve as the much-needed shot in the arm when it comes to making the right improvements in the areas of consumer data and payment privacy.
“One of the biggest challenges for operators is the sheer number of data streams they have to maintain and look after across numerous sites and areas,” says Crawford.
“Travelodge, for example, has more than 530 hotels. So, in terms of real estate, that’s a number of centres of operation which amplifies any situation for it. As a business, you need to ask yourself what data you have, why you are holding it, where it is coming from, and how you are using it. That, in itself, is a major task for any business.”
Even six months down the line, Crawford accepts that many operators “aren’t going to be 100% GDPR-compliant”. There is also “no wrong or right way, necessarily”, when it comes to implementing guidelines.
“The one thing I would say is that an approach based around risk mitigation will always serve you well,” he says. “Due to the wide-ranging auditing of all those data processes that’s required, it’s a tall order for some operators to be completely ready for GDPR.
“But what they can do is have a priority-based approach in place, which looks at which data areas are most likely to lead to a complaint, financial risk or brand damage. They need to be tackled first.”
Six ways GDPR affects the hospitality trade
1. Getting consent from your customers: every person who visits your hotel’s website needs to know the exact ways in which their personal data will be used in the future. That is why such an explanation needs to be included in the “terms of service” section of your website.
2. Data access: your customers need to know who will have access to their personal data. In addition, when this data is no longer needed, it needs to be deleted from the system.
3. The accuracy of the data: all personal data needs to be up to date at all times and updated on a regular basis.
4. Data accountability: your hotel is fully responsible for using GDPR-compliant tools.
5. Data portability: every customer needs to be allowed to ask for you to provide them with a readable format that will include all the personal data they have previously shared with your business.
6. Data minimisation: your website needs to gather only the minimum amount of an individual’s personal data needed to make arrangements.
Source: mycloud Hospitality