With the GDPR (General Data Protection Regulation) regulations now firmly in place, it is imperative that hotels have taken practical steps to upgrade their data protection processes, or they face the risk of severe financial penalties. As a reminder, the penalties for non-compliance are up to a cost of €20 million or 4 per cent of worldwide annual turnover (whichever is greater), not to mention the potential reputational cost to a business.
Over the last number of months we have worked with a number of hotels on their GDPR journey to help them implement best practice. The following article highlights some of the practicalities of the implementation of the GDPR.
Implementing GDPR-compliant policies
Many hotels will have started their GDPR journey by setting out a full implementation plan including the allocation of both internal and external resources. We recommend that while individual team members may take responsibility for the implementation and ongoing training within their specific department, there should be an overall data protection liaison who takes the responsibility for the hotel and ensures consistency across the property.
As in our previous article on GDPR compliance for hotels, you will have reviewed your policies and procedures and should have updated your privacy notices, retention policies, subject access request and breach management procedures. These statements will apply to the business as a whole and the data protection liaison should ensure they are being complied with.
The Eight Principles of Data Protection
In completing the GDPR implementation it is important to consider the eight principles of data protection. Some of these principles overlap; however, each of them should be considered when completing a data mapping process, as they can highlight areas of non-compliance.
- Obtain and process information fairly: A hotel typically obtains a guest’s personal data in a fair way as guests give their information in booking a hotel room. However, if a hotel purchases a potential customer listing, then the hotelier must also receive documentation to show that consent has been given for the data to be shared.
- Keep data only for the specified and lawful purposes: The hotel’s privacy notice will advise a consumer of what their information is being used for. In analysing the personal data that a hotel has on file for guests and employees, it is worth asking why the hotel obtained, and continues to hold, this information. CCTV footage, for example, is kept for crime prevention and public safety. The hotel’s privacy notice will state why, and for how long, this footage is being held.
- Use and disclose data only in ways compatible with these purposes: A guest’s or employee’s personal data should only be used for how it was intended. Taking CCTV footage as the example, it may be necessary to share this information with the insurance company, Gardaí or other relevant company as stated in the privacy notice.
- Keep data safe and secure: All information, on soft or hard copy, should be secure. Hotels need to check with their IT departments to ensure the safety of their systems. Hard copy data needs to be secure. For example, can other guests see the list of names of overnight guests on the ‘breakfast listing’ at the front of the restaurant or is this information secure? Front desks should be kept clean and personal data on registration cards or other lists should not be visible to other guests. Overnight, when the reception desk is not manned, are the registration cards and guest listing secure?
- Keep data accurate, complete and up-to-date: Ensure that the data you hold is accurate and up-to-date. When repeat guests stay, are they asked to confirm the personal details the hotel may have on file, such as contact information? It is important that within spas and leisure centres, guest information is kept up to date, particularly in relation to health and safety. Employees should be asked, on an annual or bi-annual basis, whether there have been changes to their personal data.
- Ensure that information is adequate, relevant and not excessive: Hotels are in the business of hospitality. Additional information may be requested to help make the guest’s stay more enjoyable. For example, is it excessive to ask guests for their month of birth? It is if the hotel doesn’t do anything with this data. However, if the hotel states that the reason for asking guests for their month of birth is that the guest receives a complimentary room upgrade if they stay during the month of their birthday, then that is not necessarily excessive, as long as the hotel actually gives the guest the complimentary upgrade.
- Keep information for no longer than necessary: There are several legal requirements for maintaining certain pieces of information. Revenue requires books and records to be held for six years and the current year and there are other legal requirements for HR and registration information. Other data, however, should only be held for the length of time as stipulated within the privacy notice and within what is deemed necessary for the proper functioning of the business.
- Give a copy of personal data on request: A consumer has the ‘right to seek’ their personal data from a hotel. The regulation now requires that a subject access request (SAR, as it is commonly referred to) is completed within 30 days and free of charge. We would recommend that all SARs are processed in the same format, with ID or other proof required to confirm the identity of the consumer. Hotels should also be aware that a consumer can refer to a guest, employee or future employee, i.e. a candidate who has applied/interviewed for a job at the hotel.
One of the main steps within the GDPR journey should be data mapping. In completing a data mapping exercise for functions within each department a hotel will discover what personal data they are holding, how long they are holding it for, where they are storing it and why they are holding it.
In applying each of the principles above to each data map, a hotel will be able to discover any areas of non-compliance.
The room reservation process, for example, highlights several areas where the GDPR comes into effect. A reservation by a guest requires personal data to be transferred through a reservation platform onto the hotel’s property management system (PMS).
Where did the booking originate?
If the booking came through an online travel agent (OTA) then one of the requirements of GDPR is for data processors to also comply with the regulations. The hotel would need to contact the OTA to ask for confirmation of their compliance also.
What personal information does the hotel request from the guest?
As hotels are in the hospitality business they may request additional information relevant to the guest’s stay. Review all of the information that is requested and determine if it is relevant for the guest experience, the day-to-day running of the business, billing, health and safety or other legal application. It is important to ask why this data is needed as some data may have been collected on a “just in case” basis and this is not acceptable anymore.
The correct contact information is important, as this will be required to communicate with the guest in advance of their booking, if necessary, and for future marketing – informing the guest of special offers and updates on the hotel. According to GDPR personal data must be collected for specified explicit and legitimate purposes. The personal information requested from guests should be for reasonable purposes. For example, what is the reason for asking guests for their car registration? If it is for security purposes what does the hotel do with this information?
Who has access to this data?
There are several departments who will have access to a guest’s data and not just the front desk. Accounts will have access for billing; food and beverage will need to know if guests are on certain packages, room numbers for posting cheques and room service; the spa will need to know for posting to guest rooms; and housekeeping to know when a guest is checking out of a room or if there are any special requests. Each of these departments will have access to certain areas within the PMS. Ensure that only those employees who require access for the day-to-day operation of the hotel have access to the required information and passwords or other security procedures are adhered to.
Is this data accurate?
Is a guest asked if the information the hotel has on file is accurate during the check-in process or in advance of the guest’s stay by email/other correspondence? In holding personal data for too long, the hotel runs the risk of having information that is inaccurate and/or out-of-date.
The GDPR team at Crowe can help hoteliers with their GDPR compliance. If you would like to find out more about how we can help you contact our risk consulting team or our specialist hotel, tourism and leisure department.