
Hospitality Sector: How to Comply With GDPR?

The hospitality sector (accommodation, restaurants and bars, travel and tourism, and leisure) collects and stores large volumes of personal data about its guests. Compliance therefore needs to be addressed deliberately, both to avoid the financial consequences of non-compliance and because the sector is a proven target: major breaches have already affected many of the world's most prominent hotel chains, including Radisson (see the Radisson Hotel data breach coverage in GDPR Register News), Hilton, Mandarin Oriental and Trump Hotels.

Guest data typically flows through many channels before and after it reaches the business: it is collected not only directly from customers, but also through channel managers, online travel agencies and booking sites, each of which receives from and supplies personal data to the hotel. Hotels, travel agencies and similar service providers also hold customers' payment card details. Data of this kind makes these companies attractive targets for attackers, as the breaches mentioned above show. GDPR therefore cannot be ignored.

It is important to understand that the GDPR applies to the personal data of individuals who are in the EU, regardless of their citizenship, and that its territorial scope (Article 3) also covers organizations established outside the EU that offer goods or services to those individuals. For example, a hotel located in the United States that accepts bookings from guests in the EU is offering its services to people in the EU, so the GDPR's requirements apply to the data it collects about them.

How should the hospitality sector start preparing for GDPR?

Hospitality companies hold a wide variety of information about their customers. The first step is therefore to inventory and review all of that data: what is held, where it came from, and on what lawful basis it is processed. Where processing relies on consent, a valid record of that consent must exist for both new and existing records; if any is missing, it must be obtained or the data must be re-assessed under another lawful basis or deleted.

Customer information is usually spread across several platforms and third parties. At a minimum, the following should be reviewed:

  • CRM systems
  • Booking Engines
  • Website Developers
  • Payment Processors
  • Email Marketing Tools
  • Membership
  • Social Media
  • Customer Databases
  • Website cookies

Acquiring personal data

Article 6 of the GDPR defines six lawful bases for processing personal data. For guests, the hospitality sector will in most cases rely on performance of a contract (the booking or stay itself). Whichever lawful basis is used, individuals must be told that their data is being collected, what it is being used for, on what basis, and how long it will be retained (Articles 13 and 14). Two further principles apply independently of the lawful basis: data minimisation, meaning only the data necessary for the stated purpose may be collected, and storage limitation, meaning it may be retained only for as long as that purpose requires.

Data subjects have a number of rights over their personal data. One of them is the right of access: after receiving a request, a company must provide the customer with a copy of the personal data it holds about them without undue delay and at the latest within one month (extendable by a further two months for complex or numerous requests, provided the customer is informed). Customers can also request that inaccurate data be corrected. If the company has no lawful basis for some or all of the data it holds, and cannot demonstrate otherwise, that data must be erased.

Protection of personal data

There are many measures involved in protecting personal data, ranging from reviewing security policies to encrypting and/or pseudonymising stored data. The starting point, however, is privacy by design and by default (Article 25): building data protection into systems and processes from the outset rather than bolting it on afterwards. This matters all the more now that hospitality technology increasingly combines guest data with personalisation.

Mobile technology plays a large part in hospitality, from planning a visit to using a phone as a boarding pass or room key. Today, separate apps are still needed for each of these purposes, but the travel experience is becoming smoother as companies collaborate more closely. That collaboration means applying privacy by design while also sharing data correctly between travel companies and agencies, and the GDPR's requirements cannot be forgotten here: for example, the right agreements must be in place between the parties, such as a data processing agreement under Article 28 with every processor. Whatever partners or solution providers are involved, the hospitality company, which under the GDPR is the data controller for its guests' data, remains ultimately responsible for ensuring that the tools and services it uses comply with the regulation.

Companies whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, must appoint a data protection officer (DPO) under Article 37, and any processing likely to result in a high risk to individuals requires a Data Protection Impact Assessment (DPIA) under Article 35. Additional requirements also apply to personal data transferred outside the EU (see the article on transferring personal data to third countries).

Organizations should not underestimate how important it is to adapt to the GDPR. Companies in the hospitality industry, like those in any other, need to address the policies, procedures and technology they use to handle personal data, and must ensure that staff are fully aware of their obligations. In practice, anything that contains personally identifiable information should be covered. Failure to comply can result in administrative fines of up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher.
