The importance of GDPR compliance within the hotel industry

Andrew Guy



This blog was previously published on LinkedIn on 25 October 2017.

An investigation by Verizon noted that the hotel industry is extraordinarily appealing to would-be hackers, due to the type of valuable customer information the industry captures during standard operating practice. Any organisation that processes a high number of financial transactions is a key target, and with the GDPR coming into force in May 2018 it is vital that hotels position themselves in a state of compliance, both to adhere to the law and to keep their guests' data safe.

According to the Information Commissioner's Office (ICO), failure to comply will result in fines of up to £17 million or 4% of annual turnover, whichever is higher. This is the strictest approach ever taken to data protection, and although it is EU legislation it will affect companies worldwide. It aims to protect the data that is collected and stored on your guests, such as personal details, addresses, bank details, passport information, driving licence details and so on.

What does this mean for the hotel sector?
Unlike banks, hotels don't necessarily take the same approach to protecting and storing their data, as they are not as obvious a target, but in recent years attacks on hotels have been growing, with some of the largest chains being targeted, including the InterContinental Hotels Group, Hyatt Hotels Corp, Hilton, Starwood and Trump.

These attacks, though damaging for the companies involved, present the rest of the industry with an opportunity to become better educated on how to prepare for, and hopefully mitigate, potential leaks or compliance issues before they occur and before the organisation can be held liable for any fines.

Firstly, one of the main changes is that both data processors and data controllers are captured by the regulation. This means that if you outsource the processing of personal data to a third party and they do not comply, your organisation, as the data controller, will also face penalties. This risk could be mitigated by bringing the data in-house, where you can ensure its protection.

The regulation gives your guests more power to ask what information you hold on them and what it is being used for. All opt-in requests must be written in plain English that is easy to understand, and it is vital that it is as easy for guests to give you consent to store their data as it is to withdraw it. Bear in mind that these individuals have the right to be forgotten and removed from your systems immediately at their request, so it is vital to have systems in place that can carry out these requests automatically as and when they arise.

Unlike in the InterContinental attack, you will not be allowed to hold back information on a breach for a number of months: any breach must be reported to all stakeholders and regulatory bodies within 72 hours of its discovery. This could have disastrous effects on your reputation, which in the hospitality and leisure industry can be what separates you from your competitors.

By adhering to the legislation and taking action before the regulation goes live, you can avoid fines and future stress. Here at FD Cyber Control (part of French Duncan), we understand how important your reputation is, and we can help simplify and strengthen your understanding of the changes in legislation. Please contact us to learn more about how we can help.
