New data rules stress privacy by design

The European Union General Data Protection Regulation went into effect May 25. Getty Images/lucado

HOUSTON — Data security just got a lot more complicated. After four years of discussion, the European Union has signed the General Data Protection Regulation on May 25. The regulation consists of 99 articles that replace the EU Data Protection directive, as well as new penalties for non-compliance. The GDPR was founded to protect the privacy of individuals located in the European Union, and its implementation impacts any business that collects data from EU citizens. This includes international businesses, and most hotel companies.

If you think this sounds like a privacy, security and liability minefield, you are not alone. Daniel Johnson, partner and co-founder of hospitality data security firm Venza, spoke at HITEC on the impact of GDPR, what hoteliers can expect from the regulations and how rules in the EU could impact your hotel business in North America.

The core principle of GDPR, Johnson said, is that data collection should be minimized across the board. This can be a tough pill to swallow in an age where every business, hotels included, relies on data to succeed. Furthermore, the concept of “minimizing” data is vague, so Johnson suggested a parameter: Only process data that has a purpose your organization has clearly outlined ahead of time.

“Gone are the days where you could ask your guests a ton of questions and put all the answers on a database somewhere for you to choose whether you use it or not,” Johnson said. “That world is gone, so are the days of collecting data and providing it to a third party who wishes to purchase that data. In a world of accountability-based privacy laws, you are looking to ensure privacy from the start to everything you do.”

Photo credit: Sphere Data Protection

The distinction between a “controller” and “processor” of guest data are an important one to determine in the near future, Johnson said. His firm often finds hotels are controllers of guest data because they determine the purpose and means for which these data are processed. As a result, guests are suspending their rights to you, the hotelier, which processors—often third parties—have specific duties to hotels to ensure guest data are protected.

How important is this to iron out? Under GDPR, guest privacy violations at the hand of a third-party processor can lead to liability at the hands of a controller.

“If you have a third-party vendor processing data for you and they operate beyond the agreement, such as marketing to data subjects, they must disclose that and guests must consent for it,” Johnson said. “If they do that and it a supervising authority becomes aware of it, you as a controller would be implicated in a breach of the GDPR requirements.”

What to Expect

For the near future, Johnson said hotels should expect inquiries from outside parties for hotels to demonstrate privacy by design, including the “right to be forgotten,” even when these guests are not based in Europe.

“Have policies in place to respond, leadership statements to point to and logs to demonstrate processes,” Johnson said, adding that hotels can expect some pushback from vendors for a time. After all, their businesses are based on data and there may even be internal conflicts of interest regarding its collection. He said the best advice is to clearly identify accountability during the collection process, create a detailed methodology for your data collection and define a stance to stick to.

“It’s super important for hospitality companies to determine if they have a legitimate business interest in the data that is being collected,” Johnson said. “You want to internally help your organization get its head around data flow. The greatest GDPR challenge is coordination across many different departments, and properly attacking privacy-based regulation like this will involve human resources, marketing, legal, IT and operations.”

Understanding the relationship between data controllers and data processors is key. Photo credit: Edelman

Above and Beyond

According to Johnson, navigating the GDPR will test a company’s ability to regain consumer trust. Establishing a social contract between hotels and guests is part of the hospitality business, but when dealing with data, Johnson said it’s necessary sometimes to remind businesses of the human factor. 

Hotels can build trust over time by offering multiple options for data consent going forward, as well as a free opt-out policy at any time.

“Think about your reputation and see this as a way to be more competitive in the marketplace,” Johnson said. “Expect conversations about trust, and don’t be a robot. Create crafted and skilled communications, present your business in the best possible light, and be a good data steward.”  

Here are some key questions to ask of your data collection processes:

  • Where are your data stored?
  • Who is your guest’s data shared with?
  • How are your guest’s data collected?
  • How are your guest’s data used?
  • Are your guest’s data being used based on the purpose for which it was originally processed?
  • Is there a legal basis for collecting your guest’s data?
  • Are you able to confidently respond to data subject requests, such as the right to be forgotten?
  • Do you have a flowchart detailing where your data are going?
  • What is your data retention policy?
  • Are your customers aware of your data policies?