5 Recommendations for Conforming to GDPR Regulations by the May 25th Deadline
It looks like 2018 will be the year of meeting deadlines for updating hotel websites. Up next on the docket: the GDPR, aka the General Data Protection Regulation. It brings an assortment of requirements that hotels have to comply with to avoid penalties, mostly relating to the protection of the personal data of people who visit a website or book a stay. For those who have been in a cave for the last four months, data protection has become quite a problem for most entities from Facebook on down. The GDPR applies to any organization established in the EU and to any organization outside it that offers services to, or monitors, people in the EU, which in practice covers every hotel that takes bookings from EU residents. Here are the salient points of the new rules. Time is running short to meet the May 25th, 2018 deadline.
What Is the GDPR?
The GDPR is the set of rules that replaces the 1995 Data Protection Directive. To sum it up, it is a regulation to protect users' privacy rights and personal data, on the internet and off it. The EU adopted it in April 2016 to replace the DPD with a stricter focus on protecting personal data, whether the exposure comes from a breach or from marketing uses the person never agreed to. Since it becomes enforceable on May 25th, 2018 for organizations in the EU and for anyone who does business with people in the EU, all hotel operators should become acquainted with and follow the GDPR to avoid unforeseen consequences such as regulatory fines, lawsuits, nasty reviews, etc.
The GDPR/Hotel Relationship
Knowingly or not, hotels gather significant quantities of data about their guests. According to Hospitality Tech, hotels may be more likely to be subject to security breaches within their systems because of the high volume of data they obtain. The thought of someone swiping information from a hotel is pretty scary; imagine how it would affect guest opinions and the hotel's reputation. Unfortunately, once a company has been hacked, there is at least a slight pull-back initially when the news comes out. Remember the fallout for Target and J.P. Morgan? People want to think their information is safe, which means awareness of the GDPR can be quite an advantage to those who implement changes sooner rather than later.
What are some things hotels will have to account for with the implementation of GDPR regulations?
- Knowing where each guest's personal data is stored within the system so it can be protected, retrieved, and deleted
- Properly disposing of a guest's personal data upon request, also known as the Right to Be Forgotten (the right to erasure)
- Encrypting personal data, including cardholder data (which PCI DSS already requires), so that guest information is not exposed if there is a security breach
- Securing the systems that hold the information, e.g., firewalls or antivirus software
- Obtaining, and being able to prove, active consent wherever consent is the basis for collecting personal data (pre-checked boxes or inactivity will not suffice; the guest has to take a clear affirmative action)
What Is the Result for Failure to Comply?
This is where it gets tricky operating in the US under an EU law. The GDPR sets two tiers of administrative fines: up to 10 million euros or 2% of annual worldwide turnover for infringements such as failing to keep records or secure data, and up to 20 million euros or 4% of annual worldwide turnover for infringements of the core principles, the rights of data subjects, or the consent requirements, whichever figure is higher in each case. Note that the percentage is of revenue (turnover), not of profit. There are also differences in the way the US and the EU define personal data (what US law usually calls PII). Under the GDPR an IP address can be personal data, while under most US rules it isn't. Who has to comply, and how hard a regulator is likely to come down, depends on a hotel's involvement with the EU:
- If the hotel is established in the EU (any physical location there), full compliance with the GDPR is mandatory, and the local supervisory authority has jurisdiction.
- A hotel outside the EU that deliberately markets to and takes bookings from people in the EU is within the GDPR's reach under its extraterritorial scope (Article 3), and a regulator can weigh the intentional nature and scale of the processing when setting a fine.
- Hotels that only occasionally book guests from the EU and collect little data are lower-risk, since the regulation directs supervisory authorities to consider the nature, gravity, and duration of an infringement and the harm caused when deciding on a penalty (keeping in mind that some member-state authorities, Germany's among them, have a reputation for being strict).
Here are five recommended steps that all US hotels should take to manage compliance:
- Inventory all sources of personal data, whether at rest or in motion (booking forms, the property management system, email, backups). The regulation demands that you can show you know where all personal data is located.
- Then, inspect those sources and classify the data by sensitivity. Elements to segregate include names, government ID numbers (Social Security or passport numbers), payment card numbers, and email addresses.
- GDPR compliance demands that your privacy rules are documented and available throughout the organization, while the personal data itself is available only to those with the proper rights. This further involves defining roles within the company: who is allowed to see what, and who is accountable for it.
- Once governance is established and the data inventory is complete, protect the data through encryption, pseudonymization, and anonymization. Delete everything other than what is necessary for the purpose it was collected for (billing, analysis, forecasting, etc.), and set retention periods so that deletion actually happens.
- Be able to produce reports to demonstrate to regulators that the company knows what personal data it stores, where it came from, and that it has active consent (or another lawful basis) from anyone who supplied it. Be able to show how the data is used and for what purpose; the GDPR requires a written record of processing activities.
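To make the pseudonymization, consent, and erasure steps above concrete, here is an added example in Python. It is not code from the original post and not any hotel vendor's software; the three in-memory dictionaries (per-guest keys, pseudonymized analytics rows, and the consent log) stand in for what would be separate, access-controlled systems in production, and the guest record in `demo()` is constructed sample data. The design point is that each guest gets a secret HMAC key, the analytics store only ever sees the keyed hash plus non-identifying attributes, and erasing a guest means deleting the key, after which the retained row can no longer be tied back to the person.

```python
"""Pseudonymisation with per-guest keys, consent evidence, and key-deletion erasure.

Added example, not part of the original post. The in-memory stores below
(keys, analytics, consents) stand in for separate, access-controlled systems;
the guest record in demo() is constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

# Direct identifiers that never reach the analytics store.
DIRECT_IDENTIFIERS = frozenset({"name", "email", "passport_number"})


@dataclass(frozen=True)
class ConsentRecord:
    guest_id: str
    purpose: str      # consent is per purpose ("marketing"), never blanket
    granted_at: str   # ISO-8601 UTC timestamp of the affirmative action
    evidence: str     # what the guest actually did (which box, which form)


class GuestDataStore:
    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}       # guest_id -> 256-bit HMAC key
        self.analytics: dict[str, dict] = {}   # pseudonym -> non-identifying attributes
        self.consents: list[ConsentRecord] = []

    def _pseudonym(self, guest_id: str) -> Optional[str]:
        key = self.keys.get(guest_id)
        if key is None:
            return None
        # Keyed hash, not a bare SHA-256: without the key nobody can rebuild
        # the pseudonym by hashing guessed email addresses or booking IDs.
        return hmac.new(key, guest_id.encode(), hashlib.sha256).hexdigest()

    def store(self, guest_id: str, record: dict) -> str:
        self.keys.setdefault(guest_id, secrets.token_bytes(32))
        pseudonym = self._pseudonym(guest_id)
        assert pseudonym is not None
        self.analytics[pseudonym] = {
            k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS
        }
        return pseudonym

    def record_consent(self, guest_id: str, purpose: str, evidence: str) -> ConsentRecord:
        rec = ConsentRecord(guest_id, purpose, datetime.now(timezone.utc).isoformat(), evidence)
        self.consents.append(rec)
        return rec

    def has_consent(self, guest_id: str, purpose: str) -> bool:
        return any(c.guest_id == guest_id and c.purpose == purpose for c in self.consents)

    def lookup(self, guest_id: str) -> Optional[dict]:
        pseudonym = self._pseudonym(guest_id)
        return None if pseudonym is None else self.analytics.get(pseudonym)

    def use_for(self, guest_id: str, purpose: str) -> dict:
        """Gate every use on recorded consent for that specific purpose."""
        if not self.has_consent(guest_id, purpose):
            raise PermissionError(f"no recorded consent from {guest_id} for {purpose!r}")
        row = self.lookup(guest_id)
        if row is None:
            raise KeyError(f"{guest_id} has been erased")
        return row

    def erase(self, guest_id: str) -> bool:
        """Right to erasure: drop the key and the consent log. The analytics row
        survives but can no longer be linked to the guest, which also covers
        copies in backups you cannot scrub."""
        existed = self.keys.pop(guest_id, None) is not None
        self.consents = [c for c in self.consents if c.guest_id != guest_id]
        return existed

    def consent_report(self) -> list[dict]:
        """What you hand a regulator: who consented to what, when, and how."""
        return [asdict(c) for c in self.consents]


def demo() -> dict:
    store = GuestDataStore()
    guest = {  # constructed sample record, not real guest data
        "name": "Ana Example", "email": "ana@example.com",
        "passport_number": "X0000000", "nights": 3, "country": "DE",
    }
    pseudonym = store.store("booking-1001", guest)
    store.record_consent("booking-1001", "marketing", "ticked 'send me offers' on booking form v3")
    before = store.use_for("booking-1001", "marketing")
    store.erase("booking-1001")
    return {"pseudonym": pseudonym, "before": before, "after": store.lookup("booking-1001")}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. Pseudonymized data is still personal data under the GDPR as long as the key exists, so the key store needs the same access control and logging as the identifiers themselves. And the row that survives erasure is only safe to keep if its remaining attributes cannot re-identify the guest on their own; a rare country plus exact stay dates at a small property can do exactly that, and at that point you are in anonymization territory and should drop or coarsen those fields too.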
All hotels should research the regulations and their applicability to stay on the safe side. The punishments are still uncertain for those who break these laws regardless of intent. It may be best to designate one person or hire a company to oversee all web security features and privacy obligations. There are going to be new rules on security and compliance issues, and it is best to get in front of them. Check out a previous post on ADA compliance to learn more about this related topic.
For further information on GDPR regulations or any other hotel-related compliance standard, contact us and we will do our best to assist.