Our GRC Solutions Director, Alex Hollis, was recently approached by Click. to provide commentary for a headline article, “Protecting Your Business Against Data Breaches.”
The article looked into ‘Hospitality Technology’s 2017 Lodging Technology Study,’ which showed that 74% of hotels don’t have proper data protection measures in place. Click. wanted some expert knowledge into what properties can do to protect their guest’s data.
Here Alex outlines the amount of data that can be taken during a guest’s stay and the importance of it being protected:
Hotels share much of the same data handling issues as the broader hospitality sector. They must take reservations including name, phone numbers, addresses, card details, and even IP address information when booking online. This is further compounded by the nature of booking agents (hotels.com, booking.com, etc.) who may process the data on behalf of the hotel passing on the reservation details. The view of whether these agents and the hotels are controllers or processes under GDPR is a minefield.
International hotels could argue they are exempt from GDPR as the hotel is based outside of the EU, however, with the nature of booking sites, etc, the transaction capturing the personal data can occur targeted at an EU citizen and therefore would fall under GDPR.
When the guest arrives, after passing under the CCTV cameras and potential ANPR cameras on the car-park, there is often the checking-in process whereby additional personal information is captured and cards swiped for incidentals. There may also be the disclosure of medical conditions and disabilities as part of the special requests, which would be deemed sensitive information. Documents are printed and signed. This creates a number of articles laden with personal data both in electronic and paper formats, that must be shown to be protected.
During your stay
During the stay, there may be additional purchases associated with the room, some of which may be considered private to the individual.
When the guest leaves, there is then the question of how long the guest records are retained. My experience is that hotels legacy front desk software will keep guest information, under the purpose of improving future guest experience which would need explicit consent from the guest in order to be lawful.
Most of the cases that are being brought forward around GDPR are from unhappy customers or ex-employees, and as such, the hospitality industry is not going to be at the forefront of GDPR case law as it comes through the courts.
The steps properties can take to protect their guest’s data:
1. Understanding what data you have, and the processes involved. This is a huge step which involves understanding fully what you are doing.
2. Treat personal data with more respect for its value, more like money, reduce the places that you’re storing it and then protect those places.
3. Reducing the number of systems where the data is duplicated (paper copies etc.)
4. Ensure that the critical areas are secure with encryption and good IT security best practices.
5. Make sure that you’re covered from a legal compliance standpoint that you are lawful to continue processing the data under the recent GDPR changes, hanging on to personal data because it might be useful is not OK anymore and could land you in hot water.