There is a storm over GDPR (General Data Protection Regulation). Much misconception surrounds the applicability and enforcement of GDPR, especially in the hospitality business. In this article, we’ll uncover the most common misconceptions and debunk the myths shrouding this strict directive.
Firstly, it is a commonly held belief that GDPR covers only hotels, motels or resorts located in European countries. On inquiring with multiple hotel professionals, we found that this misunderstanding stems partly from GDPR’s origin in the EU.
However, after taking a closer look at what the regulation entails, it is apparent that the EU is only the tip of the iceberg. GDPR has its grip on hotels across the globe. EU citizens who stay at a hotel in New Zealand immediately bring that hotel within GDPR’s compliance obligations.
Another case in point is the onus of compliance when a third-party data security solution is used. If a hotel has outsourced its data recording, storage and processing to a third party, then under the explicit mandate of GDPR the hotel is unquestionably liable as well. Speaking from a legal perspective, such hotels remain ‘data controllers’.
Lastly, it is imperative to note that with the introduction of GDPR, no hotel or lodging may charge different prices by profiling guests from the EU. Doing so invites financial catastrophe, because the penalties for discriminatory pricing are gigantic.
Six ways GDPR’s directive will affect the hotel’s online data policy:
- Explicit purpose-driven consent – This is a pivotal point of GDPR and the central intent behind its introduction. As per the regulation, every hotel must inform guests fully, and to their satisfaction, about exactly how their personal data will be used. Even the use of personal data for marketing and promotions must be approved by the guest before it takes place.
- Only authorized access to data – A significant portion of the directive spells out in black and white who may access data. Care must be taken to ensure that only authorized staff have access. The access rights of staff who are authorized but do not operationally require access must be revoked to prevent a data breach.
- Data accountability – As stated at the beginning of this article, data controllers are fully and absolutely responsible for the data. Even where external service providers manage the data, the liability arising from breaches rests solely with the data controllers (known as data owners). To avoid landing in the soup, it is best that hotels conduct an external audit to proof the business against losses.
- Maintenance of data accuracy – Every bit of guest personal data must be recent and accurate. Reasonable steps must be taken by the hotel staff concerned to ensure that guests’ data is reconciled, revised and updated.
- Minimization of data – Wherever possible, the least amount of information must be collected from guests. A “storage limitation principle” has been introduced, which establishes that personal data must be erased once its purpose has been served, and that the guests from whom it is taken must be adequately informed about how it is used.
- The easy portability of data – This means that the guest has the right to obtain their personal data from the data owners in a readable format. Guests can also enforce their “right to be forgotten”, which empowers them to have their data deleted from the database.
This calls for urgent action on the part of hotels to inoculate their business against accidental breaches that can cause financial ruin. Better safe than sorry: put together an in-house compliance policy so your business can run smoothly.