Customer data is held in high regard these days by those in the hospitality industry. But as with all information and technology, great power brings great responsibility. The responsibility doesn’t always land on you as the hotel owner. First, before you can protect your guests’ data, it’s imperative that you know what kinds of data you’re collecting, how you’re storing the data, and how it is used to enhance the guest experience. There are three types of data collected by hotel owners: personal data, preferential data, and transaction data. Each form of data is necessary, but hackers are more interested in personal and transaction data. The European Union’s General Data Protection Act or GDPR is the most comprehensive data privacy initiative of the past 20 years. Because GDPR is applied based on business activity, rather than physical location, even hotels outside of the EU are affected by GDPR. So, let’s look at what you should be doing to win with GDPR.
Train Your Staff: When front desk clerks are collecting guest information by phone to make or modify a reservation, the guest’s information is readily available to your staff. Front desk clerks may not have been properly trained on data collection or data security. So as a hotel owner, you’ll need to be certain that your staff knows what is and is not acceptable to share with other staff members. While sharing guest information with other staff members via text messaging or instant messaging on a tablet may seem harmless, you never know if a hacker has intercepted that information.
Choose Your Software Wisely: Property Management Software (PMS) companies are moving to the cloud, just like many other businesses. While the probability of guest information being compromised is greatly reduced in a cloud environment, users of the software are accessing guest information from multiple devices which may not be as safe. When searching for a software vendor, be sure to ask if they house their guest data on a major hosting solution like AWS from Amazon, or if they host the data themselves. Enterprise hosting solutions like Amazon or Microsoft Azure employ teams of people dedicated to the security of the hosting environment, using cutting-edge technology to stay one step ahead of the hackers. It is also good practice to find out what encryption they use both for data in transit and for data at rest. Software vendors should be using TLS 1.2 connectivity and encrypting data with unique keys even in protected cloud environments.
Clearly Define the Purpose of Data Collection: Personal data should only be captured for a specific purpose. If you don’t have a clearly defined purpose, you shouldn’t be collecting data. To explain further, if you’re collecting a guest’s email address at the time of booking, under the GDPR regulation, you’re not permitted to use that email address for marketing purposes without the guest’s consent. Even if you go so far as to purchase potential guest lists, you are not permitted to market to those guests without their consent, and doing so could result in a violation of the GDPR regulation.
Consent and Access: The term consent is very well defined within the GDPR regulation. Gaining guest consent is non-negotiable! As a hotelier, you must be able to prove that you have consent to market to guests. In fact, you must also provide information on what data is going to be used for each guest. Under the GDPR regulation, your clients have a right to access the data that you have collected on them and the right to be forgotten, that is, to have their personal data removed from your database. Your PMS, in order to be GDPR compliant, must have features available to accommodate this.
Wrapping up: The requirement to comply with the GDPR regulation may seem like a daunting task. However, when you win with GDPR, the advantages outweigh the speed bumps you encounter. Adhering to the GDPR regulation will add value to your property, and you will also further your guest relationships. By ensuring that all guest data is collected and maintained properly, you can avoid hefty fines while satisfying your guests’ wishes for future marketing campaigns.