As of May 25th 2018, the European Union (EU) will enact The General Data Protection Regulation (GDPR), one of the biggest changes to personal data legislation during recent memory. What exactly is the GDPR and how does it apply to hotel businesses based in North America? If your business stores personal data that relates in any way to EU citizens or businesses, then you must comply or risk some very heavy fines.
The GDPR is a collection of laws designed to bring consistency to how personal data is collected, stored and processed. It is a very timely topic, considering the recent high-profile data issues at Facebook. It relates specifically to data protection within the EU, but if you do business or plan to do so across the EU and in North America, then you’ll also be expected to comply. Any hotel in North America that welcome guests who are EU nationals, must pay close attention to these new laws. This applies to any person with or without a physical presence at your hotel; therefore, even if you simply collect his or her details for newsletter purposes, then the rules still apply.
What’s the truth about the GDPR?
The GDPR’s definition of personal data is rather broad, but it relates to any information that can be used to identify an individual, which could be his or her name, address, medical records or passport number. While this data is rather obvious, there’s been a considerable amount of misinformation, scaremongering and incorrect advice about the GDPR.
For that reason, we thought we’d take this opportunity to list and bust five myths about the GDPR to ease your mind a little.
Myth 1: “My hotel is based in North America. I don’t need to worry about the GDPR!”
Unless your guests are exclusively US citizens and business partners and only obtain, store and process data from US nationals, the GDPR applies to your business. A recent Forbes article did a good job summarizing and confirming some facts, such as U.S. companies that have no direct business operations in any of the 28 member states of the European Union have no concerns, right? Not true. It’s important to engage with a GDPR expert who understands your needs in relation to a hotel, to ensure your business approaches the new legislation in the correct manner.
Myth 2: The GDPR only applies to personal data.
Although we noted a few obvious examples of the type of personal data the law aims to protect, it goes deeper. The legislation also applies to other information, such as IP addresses, and it even takes into account cookie tracking, due to the fact the advertising industry now uses such data to identify individuals.
Myth 3: “We only need to apply GDPR rules to the new data we collect.”
The new laws will apply to all personal data you store and process – there are no exceptions. This applies to a database of guests you’ve been collecting and storing during the past five years, or any paper records you have that can identify individuals; it’ll all closely be scrutinized once the new laws are enacted.
Myth 4: “My Hotel Management System will help us become compliant.”
Your hotel property management system (PMS) solution provider plays a significant role in helping you achieve compliance, but there’s much you must do, too. Your hotel will collect data in a variety of ways, and not necessarily always through your hotel PMS. You must account for every touchpoint, and if you’re storing any personal data in hard copy form, then you are still considered a data “controller,” a key definition within the GDPR’s rules.
Myth 5: The fines are the biggest worry.
Overlook or apply the GDPR rules incorrectly, and you’ll be subject to fines of as much as $24 million, or 4% of annual turnover. For most hotels, that could be a business-killer, but fines are not the only threat. The Information Commissioner’s Office (ICO) is keen to highlight that it prefers the “carrot to the stick,” and will be more inclined to focus on businesses that flout the laws or fail to report any breach. That’s reassuring, but there’s no escaping the potential PR consequences that could also result from a data breach or public failing of the rules at your hotel. A parallel example is the negative PR impact credit card data breaches have had on our industry.
May is fast approaching, and while countries within the EU have been exposed to news and advice relating to the GDPR for quite some time, it’s only just starting to filter through to North America. Despite this, there’s no need to panic. We recommend speaking to a hospitality solutions expert, and keeping a close eye on this blog as we’ll be reporting more news and advice during the coming months, or you can schedule a demo of roomMaster here.