GDPR for Hotels: Here's What You Should Know (2023)
By Jordan Hollander
Last updated December 01, 2022
In the wake of COVID, issues like GDPR compliance fell by the wayside. While it's not as popular a topic, it's still important for every hotelier to understand the basic concepts around EU privacy law.
Is your hotel compliant with the General Data Protection Regulation, more commonly known as GDPR? Perhaps you've undergone a major implementation to bring your hotel up to compliance. Or maybe you’ve balked at the cost of such a project and taken the “fingers crossed” approach that your smaller brand won’t be a target of compliance audits.
Wherever you land on that spectrum, the risk of GDPR non-compliance to your hotel is relatively high. There were 281,000 cases submitted to regulators in GDPR’s first year, with companies risking a maximum fine of 20 million Euros or 4% of annual revenue, whichever is greater. And in July 2019, the risks of non-compliance for hotels were underscored by a record fine of USD 125 million charged to Marriott for a major data breach under the regulation. The PR damage alone is probably more costly than the fine!
For an industry that clusters and shares data across websites, channel managers and third-party booking engines, GDPR has been an enormous pain. It's also been incredibly expensive, with Forbes estimating the global cost of compliance at over 9 billion USD. And that’s just for the largest companies! Small-to-midsize businesses are sinking a massive amount of time and money into compliance.
Despite this investment, the regulation simply has not worked as designed. It's a well-intentioned initiative that’s been executed horribly. In this quick “GDPR for dummies” primer, we’ll explore how it started off strong and where it went wrong, and give you a complete GDPR checklist for hotels so you can comply without breaking the bank.
What is the Data Protection Act (GDPR)?
GDPR, which stands for the General Data Protection Regulation, came into force in the EU on May 25th, 2018. The passage of the Act was marked by a stark conflict between those who believe in the government’s role in protecting consumers’ privacy through regulation and those who believe that a free market must prevail.
GDPR provides “the protection of natural persons with regard to the processing of personal data and on the free movement of such data.” As a major overhaul of how businesses are expected to process, handle, and store data, GDPR also gave individuals more granular control over their data.
Under GDPR, data refers to both personal data, such as names, IP addresses, or anything that could be used to identify a person, and sensitive personal data, such as genetic material, political views, sexual orientation, and the like.
Any organization that acts as a controller or processor of personal data is covered by the GDPR. A data controller is the entity that determines how and why personal data is processed, while a data processor is any entity, other than an employee of the data controller, that processes data on behalf of the controller.
For hotels, this distinction is important, as they may act as the “controller” of data (e.g. direct bookings) while their vendors are seen as “processors” of the data (e.g. bookings made on third-party platforms). Unless otherwise governed by a contract, the Data Controller is responsible for any GDPR compliance.
Facing potential fines of up to 25 million Euros or 4% of revenue, hotels must put the guest at the center of all data protection strategies. We’ll cover that more later in our hotel GDPR checklist.
Hotel GDPR Checklist
Bringing your hotel into compliance, and maintaining that compliance over time, requires a thoughtful and holistic approach. You'll need to carefully think through how data is shared across internal systems, as well as how that data flows back and forth from third-party systems that are not directly in your control.
Since GDPR puts the responsibility on your hotel as a Data Controller, it’s critical that you understand how data flows at each juncture. Here's a GDPR checklist for hotels:
- Audit. Undertake an analysis to review internal processes, contracts with vendors, existing databases and how data flows between systems. You need to understand what information you possess and who has access to it. This clarity should inform everything you do from this point forward.
- Communicate. Ask existing vendors for their data compliance policies. You need a clear picture of how your hotel’s data interacts with their systems, and identify any vulnerabilities or poorly informed vendors. After speaking to your existing vendors, it may be time to evaluate other options. When working with a GDPR-compliant vendor, like TravelClick’s GMS (CRM), iHotelier Booking Engine or a hotel website builder, you eliminate compliance stress without lifting a finger. The compliance is built into the product, so you have more peace of mind.
- Plan. Once you have your audit and updated tech stack, the next step is to create a blueprint for governance. You want a framework for managing data, including policies and processes to eliminate potential gaps in how your hotel handles guest data. You’ll need clearly defined roles and responsibilities for staff, such as assigning responsibility for handling inbound data requests from consumers. You’ll also want to create a step-by-step data breach action plan to enact in the event of a data-related incident, hack or breach.
- Execute. Now it's time to work the plan! Things you want to be sure to include:
  - Explicit consent: Ask visitors to your website to opt into cookies, rather than automatically installing cookies and making it opt-out. You’ll also need to track when and where each person consented (or revoked that consent).
  - Privacy policy: Update your privacy policy to include relevant GDPR compliance info, such as how you use data and how users can opt out.
  - Front desk: Make sure that your data collection policies at the front desk are in compliance, because anything you collect offline must also comply with GDPR.
  - Existing data: GDPR applies to all personal data, no matter when it was captured. Since existing data is also subject to the new rules and regulation, you want to be sure it complies too!
- Train. Compliance is only as good as your weakest link. By training staff to adhere to these policies, you'll be less vulnerable to GDPR-related issues. Educate your staff on what may lead to a data breach and how they can help prevent it -- including monitoring for red flags. Lay out a clear process for staff to report any mistakes or other complaint-related issues to management. There should be a no-fear environment that prioritizes transparency over punishment.
- Maintain. Maintenance is far less burdensome than the initial compliance effort. Revisit each aspect of your data protection program regularly to review for any unexpected changes or new compliance issues.
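The "explicit consent" item above has two mechanical parts: non-essential cookies stay blocked until the visitor opts in, and every grant or revocation is recorded with when and where it happened. The following is an added illustration, not code from the article or from any vendor it names; the cookie categories, the event record shape and the in-memory cookie jar standing in for `document.cookie` are constructed assumptions.

```javascript
// Added example: opt-in consent gate for non-essential cookies plus an
// append-only ledger of consent events (when/where granted or revoked).
// Categories, record shape and the in-memory jar are constructed assumptions.
const ESSENTIAL = new Set(["session"]); // strictly necessary: no consent needed

class ConsentManager {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.granted = new Set(); // categories the visitor has opted into
    this.ledger = [];         // append-only: action, category, source, timestamp
    this.jar = new Map();     // stand-in for document.cookie
  }
  // Opt-in default: nothing non-essential is granted until the visitor acts.
  grant(category, source) {
    this.granted.add(category);
    this.ledger.push({ action: "grant", category, source, at: this.now() });
  }
  // Revocation must also clear cookies already set under that category.
  revoke(category, source) {
    this.granted.delete(category);
    for (const [name, c] of [...this.jar]) {
      if (c.category === category) this.jar.delete(name);
    }
    this.ledger.push({ action: "revoke", category, source, at: this.now() });
  }
  // Returns true only when the cookie was actually set.
  setCookie(name, value, category) {
    if (!ESSENTIAL.has(category) && !this.granted.has(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
}

// Constructed visitor session: analytics blocked by default, granted via the
// banner on one page, later revoked from the privacy settings page.
function runScenario() {
  const cm = new ConsentManager(() => "2023-01-01T00:00:00Z"); // fixed clock
  const beforeConsent = cm.setCookie("analytics_id", "a1b2", "analytics");
  const essential = cm.setCookie("sid", "abc123", "session");
  cm.grant("analytics", "cookie-banner:/rooms");
  const afterConsent = cm.setCookie("analytics_id", "a1b2", "analytics");
  cm.revoke("analytics", "privacy-settings:/account");
  return {
    beforeConsent, essential, afterConsent,
    gaCleared: !cm.jar.has("analytics_id"),
    sidKept: cm.jar.has("sid"),
    ledger: cm.ledger,
  };
}
```

The ledger is what lets you answer a regulator's "when and where did this person consent?" question; in a real deployment it would be persisted server-side alongside the visitor's identifier.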
The Data Protection Act is a Well-Intentioned Initiative...
The intentions behind the Data Protection Act were good: it was all about creating more controls for consumers in today's data-driven digital age. In most countries and regions, existing privacy laws were enacted before the internet took over. The regulation was intended to catch regulations up to commerce.
To achieve this objective of greater control in today's digital age, the regulation enshrined seven individual rights based on the core data protection principles:
- The right to be informed. Companies must specify what data is being collected, why it's being collected, what it will be used for, and how long it will be stored. Companies must also have clear reasons for storing data for that length of time.
- The right of access. Individuals can access their personal data upon request, in an easily readable format.
- The right to rectification. Individuals can review, modify, and correct data companies have on them.
- The right to be forgotten. Individuals can request deletion of information about them, and companies must balance individual interest with the public good when granting deletion requests.
- The right to restrict processing. Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction.
- The right to data portability. Individuals have the right to transfer their personal data on request.
- The right to object. Companies must get consent from individuals explicitly and offer the option to withdraw that consent, while tracking that consent in a centralized location. Individuals also have the right to protest decisions made by automated algorithms.
Even with such strong benefits for individual control over their data and how it's used, the initiative also had some unintended consequences.
...With Many Unintended Consequences
There were some significant unintended consequences of GDPR; namely, how the realities of compliance trickled down into the economics of doing business in Europe and further entrenched the power of Big Tech:
- Big Tech is the biggest beneficiary. The brands with the most widely used data trackers gained market share due to GDPR. As smaller companies adapted to the new law, they lost out to those with the most resources. A Ghostery study showed a 20% drop in website reach for the top 50 ad tech vendors that weren't Google or Facebook. GDPR appears to have put more power in the hands of the already-dominant.
- Complexity breeds confusion -- and a windfall for lawyers. The law itself is far too complicated for both individuals and businesses. With many companies spending at least 40% of their compliance budgets on legal advice, the lawyers are really the only ones with an across-the-board win.
- Reduced European competitiveness -- and fewer jobs. The law's complexity had a tremendous impact on the region’s startups, with one study finding “a $3.38 million decrease in the aggregate dollars raised by EU ventures per state per crude industry category per week, a 17.6% reduction in the number of weekly venture deals, and a 39.6% decrease in the amount raised in an average deal following the rollout of GDPR.” The loss of that investment resulted in the loss of somewhere between 3,604 and 29,819 jobs in Europe.
- New merger risks. As evidenced by the record Marriott fine related to the practices of Starwood, hotels that acquire other hotels assume any GDPR-related risks. As such, deals are falling apart, with 55% of respondents to a Merrill Corp survey saying they had worked on deals that fell apart because of concerns about a target company’s data protection policies and compliance with GDPR.
- Cost of compliance for hotels. The hospitality industry is especially affected by GDPR, as hotels in even the most far-flung locations must consider compliance. The cost of retaining advice and implementing systems is steep. GDPR compliance requires collaboration across vendors and employees in IT, cybersecurity, digital forensics, and systems design. With so much to be done, the largest brands are at a major advantage, as they can use their economies of scale to reduce the overall cost of implementation.
Despite these unintended consequences, GDPR is still a major issue for hotels. By balancing compliance requirements with a strategic approach, hotels of all sizes can build a framework that is affordable and effective.
As you look towards GDPR, keep in mind that hotels are responsible for how vendors collect and interact with data. Every touchpoint must be compliant or you risk fines, so you must verify that your vendors are informed and proactive about GDPR for hotels. Otherwise, no matter how much preparation you do on your end, you’ll leave your hotel open to vulnerabilities -- and to the financial and PR consequences of being out of compliance when something like a data breach occurs.