The GDPR (General Data Protection Regulation) intends to create a homogenous data protection legal framework across the European Union States with the intent to give back control of personal data to individuals. The GDPR is a landmark law, which imposes strict rules on those hosting and processing personal data, anywhere in the world. The regulation seeks data protection and privacy for all individuals within the European Union. The central premise of the GDPR stipulates how companies manage, use, and share personal data.
The foundation of the GDPR is built upon rules established by earlier EU privacy measures such as the Privacy Shield and Data Protection Directive. This new comprehensive regulation expands on these privacy measures in two critical ways:
First, the definition of personal data has been expanded to include any information that can be traced back to identify the data subject. This scope not only limits direct data which is collected about the subject such as personal information, but also indirect data about the subject such as online identifiers like an IP address or geolocation coordinates, and psychographic, physical, financial, and economic data.
Secondarily, the GDPR creates a higher benchmark for collecting, storing, and disseminating the potential vast data array that might be harvested from individuals. Any time a company obtains data on a European Union resident, it will: need a legal basis for gathering that data, which may include explicit and at least informed consent from the individual subject. The spirit of the GDPR puts the individual in control of their data, so a user will require a way to revoke that consent of data collection. Individual users will be able to request all the data a company has collected on them, which in effect provides an assessment of the company’s adherence to the law.
Because of the fluidity of data online, and also the fact that many travelers also originate from the EU, these strong data regulations expressly extend its jurisprudence to all companies based outside of the European Union, and becomes global in nature, therefore ignorance of the GDPR is not a defense for hospitality businesses based outside of the EU.
The GDPR’s penalties are severe and have two tiers of burdensome fines. The maximum fines per violation are set at up to 4% of a company’s annual global revenue or 20 million Euros, whichever is larger. The lower level fines are up to 2% of a company’s annual global revenue or 10 million Euros, whichever is larger. These huge penalties signal how serious the EU is taking the scope of data privacy.
It is noteworthy that the EU’s GDPR is just the start to a global push to protect personal data online, and we are already seeing other governments follow suit with laws of the same ilk. In the United States, California, arguably the nation’s most progressive state, has followed the EU’s lead and passed its own analogue to the GDPR. The California State Assembly passed the California Consumer Privacy Act (CCPA) in 2018. This law, while not as expansive in scope as the EU’s GDPR, goes into effect in 2020 and will definitely set the tone for the rest of the United States to take the protection of personal data privacy and its security more seriously.
With this said, it is imperative that all hospitality businesses ensure that they are adhering to the GDPR and are even looking forward to compliance to the CCPA.
According to Article 5 of the GDPR, there are six main principles that drive compliance with the regulation:
The drive to personalize a guest’s experience traditionally has lent itself to the hospitality industry eagerly capturing as much information about the guest as possible. If you reckon the amount of guest data and preferences hotels capture, the hotel industry is exposed to potential pitfalls in the management of this personally identifiable data and preferential information.
It is now the responsibility of hotels to put the individual and their rights first. Some facts:
The GDPR affects hotels across the world: The GDPR applies to all properties that target EU residents as customers no matter where they are located. This means that the GDPR affects all hotels, not just in Europe.
Hotels are liable for the GDPR: Regardless of your partners or technology solutions provider, the hotel, which is defined as the data controller, is ultimately responsible for using tools that are in compliance with the GDPR.
No price discrimination in all of the EU: It is important to note that hotels cannot use profiling to set prices based on a EU visitor’s location.
Punishment can be crippling: An organization in breach of GDPR laws will be fined up to 4 percent of annual global revenue or 20 million euros, whichever is bigger.
INNsight has performed a full audit of its own systems and controls and begun taking the steps to ensure full compliance with GDPR Regulations with foresight on all similar laws such as the CCPA. Additionally, INNsight has created an internal 'GDPR Pathway' with steps to help us assist our clients to achieve readiness: Evaluate, Design, Transform, Manage, and Observe.
The goal of the pathway is to help hospitality clients manage security and privacy effectively and efficiently in order for them to reduce risks, and therefore incidents of data privacy violations. INNsight's services and products are designed to support you during each phase of your own GDPR compliance journey.
We have conducted GDPR risk and data privacy evaluations across our corporate governance, human resources, processes, data and infrastructure. This has led to the creation of a product and services roadmap to achieve compliance.
We have designed new data management standards for the business and our clients, developed product requirements and completed an implementation plan to ensure all processes and technical infrastructure is in compliance with GDPR.
INNsight has developed and implemented these procedures, processes and tools and conducted the necessary GDPR training to transform the business into a compliant data processor and controller.
We have executed the relevant business processes and developed the technical infrastructure to establish consent, access rights, and portability protocols for data subjects and created the appropriate framework to protect from a data breach.
We will continue ongoing monitoring, assessment, and develop reporting to evaluate adherence to GDPR standards and ensure compliance with any future changes in requirements or new laws from other governing authorities.
As a business owner, it is imperative that you audit your technologies and ensure that every technical and operational touch point where any personal data that is stored or transmitted follows the principles of the GDPR. Hospitality companies are required to implement appropriate technical and organizational processes in relation to the nature, scope, context, and purposes of their handling and processing of personal data.
Utilizing multiple third parties increase vulnerability. From reliance on OTAs for reservations to your business’ internal systems such as its Property Management System to your website developer, there exist many weak spots when it comes to the compliance to data protection laws. Data protection safeguards should be designed into products and services from the earliest stages of development. Look for all-in-one solutions like INNsight offers that minimize external data transfers. Hold your technology partners that are data processors and controllers accountable for their compliance.
With the sensitivity of personal data used for processing guest reservations, it is important that you question your software providers to ensure that they have taken the necessary measures to comply with GDPR. Basic governance calls for at least ensuring data is transmitted via Secure Socket Layer (SSL), is encrypted, and purged regularly. Question your software providers if they are insured and bonded with adequate coverage for cyber liability and whether they have the protocols in place to handle a personal data breach.
INNsight strives to ensure that we protect the personal data privacy rights of our community members, which include travelers, business owners, and other website visitors. INNsight works to ensure that its data subjects possess the:
Disclaimer: The content on this page should not be construed as legal advice nor does INNsight guarantee conformity to GDPR or such privacy laws. Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining the advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations.