ALICE has been working hard to fully understand the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and its obligations on us and our customers. We’d like to share what we’ve learned in order to help hoteliers and anyone else who has to figure out what is going on.
1. What’s the GDPR and why should I care?
In essence, the GDPR was brought into effect to strengthen and unify data protection for all individuals within the European Union (EU). Building upon the 1995 Data Protection Directive (Directive 95/46/EC), the GDPR was approved by the European Parliament, the Council of the European Union, and the European Commission on April 14, 2016. After a two-year transition period it will become enforceable across the 28 member states on May 25, 2018.
The GDPR gives power back to the consumers by forcing companies to become transparent in how they are collecting, storing, and sharing their customers’ personal data information. Although the GDPR applies to any organization or business collecting data on EU citizens, the nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.
As ALICE grows and expands to new markets, we are complying with the GDPR to ensure our privacy settings are being adequately integrated, allowing our partners to adapt at every stage of the life cycle of customer personal information data.
2. Which hotel staff need to know about the GDPR?
Decision makers and key people in EU and EEA-based hotels should be aware that the law is changing to the GDPR. This would include at least the following roles, if they exist: General Manager, Head of Marketing, and the Revenue Manager. Each of these roles deals with a significant amount customer and employee data. These leaders should read this FAQ and look further into how to comply within the areas they are presiding over.
3. What kind of information should a hotel be cautious with?
All data about persons in the EU are covered under the GDPR. This includes both guests and employees. Hotels should document what personal data they hold, where it came from and with whom it is shared. Hotels may need to organise an information audit.
“Personal data” is any data about an identifiable person. A person can be identified by their name, phone number, email address, reservation number, IP address, or any information that allows them to be uniquely identified.
The GDPR grants extra protections for “sensitive data.” This includes personal data that reveals any of the following:
- trade union membership, which may be revealed by event attendance
- biometrics for the purpose of uniquely identifying someone, such as a fingerprint stored for opening doors
- health status, which may be disclosed in guest requests
- sex life or sexual orientation, which may also be disclosed in some guest requests
The following are less likely to show up in hotel systems, but should still be understood to be sensitive in case they do show up:
- genetic data
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
All of the above types of sensitive data can only be handled with explicit consent. If this kind of data is collected incidentally, it should be removed immediately to avoid undertaking new obligations for the protection of that data.
4. How does GDPR affect the software hotels can use?
All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR. The DPA must dictate the purposes for which the processor is processing the data.
If a hotel is using a software given to it by its brand or flag, it may not be in complete control of how the gathered information will be used. In that case, as joint controllers of the data, the hotel and its brand would need to draw up a contract that explicitly states their relationship with regards to managing data. Both parties would need to communicate the relationship to both guests and employees.
5. Can EU hotels use software vendors or software on servers based outside the EU?
Yes, but there are limits to how data can be transferred outside of the EU/EEA. Most major cloud service providers and many other companies, such as ALICE, have systems in place to address these rules. To confirm that a cloud service is compliant with the GDPR, hoteliers need to make sure:
- They have a Data Processing Agreement in place. These agreements are required for all data processors, not just international ones (GDPR Art.28).
- There is a lawful basis for transfering the data (GDPR Rec.39, 40, 41; GDPR Art.6), which can be through the service provider’s membership in the Privacy Shield, signed standard contractual clauses, or other mechanisms allowed under the GDPR. Most companies will be relying on the GDPR’s standard contractual clauses.
6. What do hotels need to do about their vendors?
For each vendor that processes guests’ personal information, a hotel needs to do the following:
- Determine the type of data the vendor processes.
- Determine the purpose for which the processing is happening.
- Obtain a Data Processing Agreement.
- If the vendor is outside the EU, sign the standard contractual clauses (usually part of the Data Processing Agreement mentioned above), or confirm that the vendor is a member of the Privacy Shield.
- Confirm that the vendor can handle data rights requests with a SLA under one month (e.g. 25 days).
7. How should a hotel communicate privacy notices to guests?
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Hoteliers may need to speak with customers at check-in if explicit consent is required for any forms of data collection that require it, such as consent to marketing communications. All loyalty programs need to be examined for similar requirements if data is used in a way that requires consent.
8. Do hoteliers or vendors need to encrypt their databases?
It depends. The GDPR recommends that companies take steps to protect all personal data, but it does not specify what those steps have to be. Instead, companies are asked to identify the risks to personal data and do what is appropriate for those risks. Encryption is one of many options available to protect data, but it is not specifically required by the GDPR.
Article 32 of the GDPR gives the following options, none of which are strict requirements, but which should be considered for their benefits to your guests’ data privacy:
- the pseudonymisation [obscuring the identities] and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
9. How can hoteliers make sure they are able to honor requests for data portability, correction, or erasure, a.k.a. “the right to be forgotten”?
Customers, employees, or anyone whose personal data is stored at a hotel may request that their data be erased. They can also ask for a copy of all of their data (right to data portability) or for their data to be corrected. There are cases in which this does not need to be honored, for example if there is an ongoing contractual or legal requirement to retain the data. But in most cases, the request will need to be honored. Recital 59 of the GDPR requires these requests be answered within one month. This period can be extended under exceptional circumstances, by requesting for another month.
In order to be able to handle these requests in time, hotels need to plan in advance how requests can be honored. Each location where data is stored should be mapped out with a plan on how to address the rights request for data in that location. Each vendor also needs to be vetted to confirm they have a similar plan in place. Vendors should have an SLA that is less than a month (e.g. 25 days), in order to give time for communication between you and the vendor on each end of the process when a request happens.
For data portability requests, the law requires the data be given to the customer in a standardized format for transfer to other companies. Since at the moment there is no industry standard for this kind of data to be transferred from a hotel, you must use a generic but easily transferable format, such as text files with headers and comma-separated values.
10. How should hotels handle children’s data?
Within the EU/EEC, a “child” is defined as someone younger than a country-defined age between 13 and 16. For most cases, hotels will not need to rely on children’s’ or parent’s consent to process guest information, since the primary basis for data processing is handling reservations. However, in cases where consent is the basis for data processing, for example, for marketing purposes, children’s data needs to be handled with extra care.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. Children’s data can only be handled with explicit consent when consent is required.
Best practice is to avoid collecting and storing data about children unless it is legally required or absolutely essential for handling a reservation.
11. Do hotels need to hire Data Protection Officers (DPOs)?
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements, even if you are not formally required to have a DPO. You should consider whether you are required to formally designate a Data Protection Officer, and this designation depends on the volume and sensitivity of the information. At the chain and large group level, a DPO is almost certainly required, but for individual hotels, the law is not yet clear and you should seek guidance from your local counsel as to whether it is required.
12. Do hotels outside the EU/EEA have to do anything to comply with the GDPR?
According to Article 3 of the GDPR, the regulations cover activity happening within the EU or data processing by organizations based in the EU. When an EU citizen travels outside the EU, their activities outside the EU are no longer protected by the GDPR unless the organization processing the data is based in the EU.
However, a booking process that happens between a person in the EU and a hotel outside the EU is considered covered by the GDPR. Data that is collected in the EU during that process is an activity happening within the EU. So hotels outside the EU do collect data that is covered by the GDPR as part of the online reservation process. This data needs to be protected with the appropriate safeguards dictated above.
13. What are the consequences for not complying with GDPR?
Businesses can have fines of up to 4% of annual global turnover or $24.6 million (€20 million), whichever is higher for not complying with the GDPR rules.