In recent years, the use of big data has been touted as a way to establish customer profiles in the hospitality industry, which can be used to create personalised offers and services for guests.
Applying algorithms to disparate data about an individual in order to build a profile is recognised as a primary way of extracting value from data.
However, the storage and use of customer data is about to be restricted in important ways by EU regulation that will come into force on 25 May 2018.
After that date, every organisation worldwide that processes EU residents’ personally identifiable information (PII) will be subject to the EU's GDPR (General Data Protection Regulation).
Any information that can serve to identify a person is considered to be personal data and can include: name, address, picture, credit card details, medical records, computer IP address, posts on social media, etc.
Name, address, and credit card details are, of course, basic information that hoteliers require from a guest when checking in.
The purpose of GDPR is to unify and strengthen existing data protection rules, while at the same time facilitating the flow of personal data within EU member states.
This new regulation replaces the current European 1995 Data Protection Directive and can be considered to be the most important change in data privacy regulations in 20 years.
Furthermore, hoteliers should be aware that GDPR applies to businesses located in the EU, as well as to those located outside the EU to the extent that they offer goods or services to, or collect data about, EU residents.
Heavy fines for non-compliance
Once GDPR is in force, any organisation that processes PII will have to conform to a number of regulations, or risk facing some stiff penalties.
For example, it will be mandatory to notify GDPR representatives of any security breaches within 72 hours and, for the most serious breaches, fines of up to €20mn or 4% of a business' turnover may be imposed.
Preparing for GDPR
GDPR creates a “fundamental right” for EU residents to control how their data is collected, processed or stored.
Hotels have the right to collect or retain personal data if they obtain prior consent, require the information to fulfil a contract with the person in question, or need the information to comply with a legal obligation (such as reporting for tax or regulatory purposes).
In order to ensure compliance with the new regulations, hotels are obliged to take some measures regarding guest data so as to avoid the hefty financial penalties that could result from lack of compliance.
First of all, hotels need to recognise that data belongs to the guest, not to them.
A hotel must provide detailed justification as to why it needs to process personal data and how long it intends to keep it.
This procedure requires well-structured retention policies, so that a hotel always knows the status and whereabouts of such information.
Thus, it is essential that hotels can quickly locate all PII in their possession.
This data could be scattered across a number of places: in folders, in old email archive files, even on scribbled notes left on the front desk or in folders in the back office. Once all data is accounted for, decisions must be made about how it should be handled.
For example, it could be deleted, redacted, encrypted, or stored in a cloud-based solution, where it can be easily accessed by staff, but protected by strict access controls.
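The retention policy described above can be expressed as a small register that records where each piece of guest data lives, the legal basis for holding it, when it was collected, and how long it may be kept, and a periodic sweep that keeps, redacts or deletes each record accordingly. The following is an added example and not code from the article; the retention periods, the card-masking window and all guest records are constructed, illustrative values rather than figures from the regulation.

```python
"""Added example: a minimal PII retention register for a hotel.

Every record notes the whereabouts of one piece of guest data, the legal
basis for holding it (consent, contract or legal obligation, as the article
lists), the collection date and the retention period. A sweep then decides
whether each record is kept, redacted or deleted and returns an audit trail.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

# Retention periods per legal basis. These are assumed values chosen for the
# example, not periods taken from GDPR or from any statute.
RETENTION_DAYS = {
    "consent": 365,               # marketing data kept while consent lasts
    "contract": 90,               # booking details kept until the stay is settled
    "legal_obligation": 365 * 7,  # accounting records kept for a fixed period
}
CARD_DAYS = 30  # payment card numbers are masked this long after collection


@dataclass
class PiiRecord:
    guest: str
    location: str          # where the data lives: PMS, email archive, paper file
    basis: str             # "consent", "contract" or "legal_obligation"
    collected: date
    fields: dict = field(default_factory=dict)
    consent_withdrawn: bool = False


def redact_card(pan: str) -> str:
    """Mask a card number so that only the last four digits survive."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def retention_expiry(rec: PiiRecord) -> date:
    """Date after which the record may no longer be held on its legal basis."""
    return rec.collected + timedelta(days=RETENTION_DAYS[rec.basis])


def decide(rec: PiiRecord, today: date) -> str:
    """Return 'keep', 'redact' or 'delete' for one record on a given date."""
    if rec.basis == "consent" and rec.consent_withdrawn:
        return "delete"                     # consent withdrawn: no basis remains
    if today >= retention_expiry(rec):
        return "delete"                     # retention period has run out
    card = rec.fields.get("card", "")
    if card and not card.startswith("*") and \
            today >= rec.collected + timedelta(days=CARD_DAYS):
        return "redact"                     # keep the record, mask the card number
    return "keep"


def sweep(records: list, today: date) -> list:
    """Apply the policy in place and return (guest, location, action) tuples."""
    kept, audit = [], []
    for rec in records:
        action = decide(rec, today)
        audit.append((rec.guest, rec.location, action))
        if action == "delete":
            continue
        if action == "redact":
            rec.fields["card"] = redact_card(rec.fields["card"])
        kept.append(rec)
    records[:] = kept
    return audit


def make_sample() -> list:
    """Constructed sample records; none of these describe real guests."""
    return [
        PiiRecord("Guest A", "pms", "contract", date(2018, 5, 1),
                  {"card": "4111 1111 1111 1111", "address": "1 Example St"}),
        PiiRecord("Guest B", "email-archive", "consent", date(2017, 1, 10),
                  {"email": "b@example.test"}),
        PiiRecord("Guest C", "crm", "consent", date(2018, 3, 1),
                  {"email": "c@example.test"}, consent_withdrawn=True),
        PiiRecord("Guest D", "accounts", "legal_obligation", date(2016, 2, 1),
                  {"invoice": "INV-0001"}),
    ]


def run_sample(today: date = date(2018, 6, 15)):
    """Run the sweep over the sample register and return (audit, remaining)."""
    records = make_sample()
    audit = sweep(records, today)
    return audit, records


if __name__ == "__main__":
    for entry in run_sample()[0]:
        print(entry)
```

The audit list is the part a hotel would keep: it records, for every location holding PII, what was done and when, which is exactly the "status and whereabouts" knowledge the article says a retention policy must provide.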
Hotels vulnerable to data breaches
It is also crucial to ensure that hotel IT systems provide maximum data protection.
Unfortunately, over the years hotels have proved to be particularly vulnerable to data breaches.
Given the cost pressures in the industry, hotels have often been tempted to go for cheap inadequate solutions regarding data protection.
In addition, the growing use of apps for on-property access and payments has opened up a Pandora's Box of risks from cyber-attacks.
In recent years, there have been a series of notable cyber-attacks on hotels, including those managed by Hyatt, Hilton and the Trump Hotel Collection.
The point is that now these data breaches could result in heavy fines.
'Opting out' function essential
Hotels also need to display a notice on their website that lets visitors “opt in”, which is what permits the hotel to store their data.
Simply stating on a website that continuing to use it implies consent is not sufficient.
In fact, people must take some affirmative action to indicate their consent after being informed that a hotel is collecting their data, how it will be used, with whom it will be shared and how long it will be kept.
This can be in the form of an unchecked consent box (note: it should not be pre-checked for them) or a text field where they can “digitally sign” or enter the words “I consent.”
All consent must be verifiable, so it is important to maintain records (date, time, IP address, etc.) and to keep in mind that consent can be withdrawn.
Furthermore, hotels must explain the process by which guests can access, modify and delete their information.
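The consent rules in this section (an affirmative action such as an unticked box or typed “I consent”, a verifiable record with date, time and IP address, the ability to withdraw, and the guest's right to access and delete their information) can be modelled as a small consent ledger. The code below is an added example and is not from the article; the form field names, the notice text and the guest identifiers are assumptions made for the illustration.

```python
"""Added example: a consent ledger for a hotel website's opt-in notice.

Consent is recorded only on an affirmative action (a box the visitor ticked
themselves, or the words "I consent" typed in). Each event stores the time,
the IP address and a hash of the notice text shown, so the hotel can later
prove what the guest agreed to. Withdrawal, subject access and erasure are
supported as separate operations.
"""
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample notice text; a real notice would be the hotel's own.
NOTICE = ("We collect your name and email address to send you offers. "
          "They are shared with no third parties and kept for 12 months "
          "or until you withdraw consent.")


def notice_hash(text: str) -> str:
    """Fingerprint of the notice shown, stored with each consent event."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    guest_id: str
    purpose: str      # e.g. "marketing"
    action: str       # "granted" or "withdrawn"
    timestamp: str    # ISO 8601, UTC
    ip: str
    notice: str       # hash of the notice text (empty for withdrawals)


class ConsentLedger:
    def __init__(self):
        self.events = []

    @staticmethod
    def _stamp(now):
        return (now or datetime.now(timezone.utc)).isoformat()

    def record_consent(self, guest_id, purpose, form, ip, notice_text, now=None):
        """Store consent only if the form shows an affirmative action.

        `form` is the submitted web form (assumed keys: "checkbox",
        "prechecked", "text"). A pre-ticked box does not count, and neither
        does a form with no consent signal at all.
        """
        ticked = form.get("checkbox") is True and not form.get("prechecked", False)
        typed = form.get("text", "").strip().lower() == "i consent"
        if not (ticked or typed):
            return False
        self.events.append(ConsentEvent(guest_id, purpose, "granted",
                                        self._stamp(now), ip,
                                        notice_hash(notice_text)))
        return True

    def withdraw(self, guest_id, purpose, ip, now=None):
        """Consent can be withdrawn at any time; the withdrawal is logged too."""
        self.events.append(ConsentEvent(guest_id, purpose, "withdrawn",
                                        self._stamp(now), ip, ""))

    def is_active(self, guest_id, purpose):
        """True if the most recent event for this guest and purpose is a grant."""
        history = [e for e in self.events
                   if e.guest_id == guest_id and e.purpose == purpose]
        return bool(history) and history[-1].action == "granted"

    def export_for_guest(self, guest_id):
        """Subject access: everything the ledger holds about one guest."""
        return [asdict(e) for e in self.events if e.guest_id == guest_id]

    def erase_guest(self, guest_id):
        """Erasure request: drop the guest's events, return how many were removed."""
        before = len(self.events)
        self.events = [e for e in self.events if e.guest_id != guest_id]
        return before - len(self.events)


def demo():
    """Walk one guest through opt-in attempts, withdrawal, access and erasure."""
    ledger = ConsentLedger()
    ip = "203.0.113.5"  # documentation-range address, constructed
    result = {
        "prechecked_box": ledger.record_consent(
            "guest-1", "marketing", {"checkbox": True, "prechecked": True}, ip, NOTICE),
        "implied_by_use": ledger.record_consent(
            "guest-1", "marketing", {}, ip, NOTICE),
        "typed_consent": ledger.record_consent(
            "guest-1", "marketing", {"text": "I consent"}, ip, NOTICE),
    }
    result["active_after_grant"] = ledger.is_active("guest-1", "marketing")
    ledger.withdraw("guest-1", "marketing", ip)
    result["active_after_withdrawal"] = ledger.is_active("guest-1", "marketing")
    result["events_exported"] = len(ledger.export_for_guest("guest-1"))
    result["events_erased"] = ledger.erase_guest("guest-1")
    result["events_left"] = len(ledger.export_for_guest("guest-1"))
    return result


if __name__ == "__main__":
    print(demo())
```

Storing a hash of the notice alongside each grant is what makes the record verifiable: if the wording of the notice changes later, the ledger still shows which version a given guest agreed to.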