General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) for hospitality

The European Union’s General Data Protection Regulation (GDPR) requires businesses to collect and manage personal data in new and detailed ways. It sets specific, often time-consuming requirements on how they interact with customers, and in doing so protects those customers’ privacy rights and freedoms. Regardless of where they are headquartered, organizations with EU-based customers or prospects need to comply. In many cases they must also appoint a Data Protection Officer, and organizations established outside the EU that fall within the regulation’s scope must designate a representative in the EU.

Does this apply to my hotel business located outside the EU?

GDPR applies to the personal data of individuals in the EU, regardless of where the organization processing it is located. A hotel outside the EU that takes bookings from, or markets to, guests in the EU therefore falls within its scope. The regulation affects the whole, global hospitality industry.

The huge impact on the hospitality sector

The hotel market is very exposed to data threats because of the number of payment, email and internet booking systems it runs and the files holding card data. A large volume of card transactions occurs daily, and each guest’s data is frequently kept long term. A typical hotel database holds guests’ names, addresses, dates of birth, credit card details, passport details and more: a great deal of sensitive data that can be used fraudulently. Combine that with data arriving from several sources (point-of-sale systems, third-party reservations, emails, the hotel’s own website enquiries and walk-ins) and hoteliers become an easy target for cyber criminals.

A person’s rights and hotel response

It is a hotelier’s duty to recognize that personal data belongs to the guest and to define a core data protection policy with this in mind. Here are some individual rights under the GDPR and the actions you can take to ensure compliance:

The right to be informed

Clearly describe what data you are collecting, why, on what legal basis, and for how long it will be kept.

The right of access and rectification

Provide a copy of the personal data you hold promptly, in a simple and commonly used format, and correct inaccurate data on request.

The right to erasure

When you receive a deletion request, weigh the individual’s right to erasure against any legitimate grounds for retention (for example a legal obligation to keep accounting records, or a public-interest ground), delete the data where no such ground applies, and tell the guest what was retained and why.

Hotelier’s steps to action

Hoteliers need to act now to support data protection and reduce the risk of breaches.

1. Be Clear and Transparent

-All data collection must meet GDPR conditions.

-Collect the minimum amount of data needed for that purpose.

-Tell the user the purpose of the data collection and how long the data will be retained.

-Only use the data for the purpose it was collected for.

-Store data only for the stated retention period and then delete it.

-Keep data appropriately secured, which includes protection against unauthorized processing and against accidental loss, destruction or damage.

-Be able to demonstrate your compliance: companies must be able to produce documentation that proves they comply with GDPR.
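The rights described above (access, rectification, erasure) and the storage-limitation and purpose-limitation points in step 1 are easier to reason about as code. The following is an added example, not code from the article or from Secure Stay: an in-memory model of a hotel guest-record store with a per-purpose retention schedule, a scheduled purge, and handlers for the three data-subject requests. The record layout, the purposes, the retention periods, the assumption that invoice records are exempt from erasure because of an accounting obligation, and the sample guests are all constructed for illustration; GDPR itself does not prescribe these periods.

```python
"""Retention purge and data-subject request handling for guest records.

Added example; not code from the article or from Secure Stay. The record
shape, the purposes, the retention periods and the erasure exemption are
assumptions chosen for illustration, not periods set by the GDPR.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule, in days, per stated processing purpose.
RETENTION_DAYS = {
    "reservation": 30,      # stay details: short retention after checkout
    "marketing": 365,       # consent-based: drop unless consent is refreshed
    "invoice": 10 * 365,    # accounting obligation: long retention (assumed)
}

# Purposes where a legal obligation overrides an erasure request (assumed).
ERASURE_EXEMPT = {"invoice"}
# Fields the exempt purpose actually needs; everything else is stripped (assumed).
INVOICE_FIELDS = {"name", "amount"}


@dataclass
class GuestRecord:
    guest_id: str
    purpose: str
    collected_on: date
    fields: dict


def is_expired(rec, today):
    """True once the record is older than the retention period for its purpose."""
    return today - rec.collected_on > timedelta(days=RETENTION_DAYS[rec.purpose])


def purge_expired(records, today):
    """Storage limitation: delete records past retention. Returns (kept, deleted)."""
    kept = [r for r in records if not is_expired(r, today)]
    deleted = [r for r in records if is_expired(r, today)]
    return kept, deleted


def export_for_guest(records, guest_id):
    """Right of access: everything held on one guest, in a plain structure."""
    return [
        {"purpose": r.purpose, "collected_on": r.collected_on.isoformat(), "data": dict(r.fields)}
        for r in records if r.guest_id == guest_id
    ]


def rectify(records, guest_id, field_name, new_value):
    """Right to rectification: update a field wherever it is held. Returns count changed."""
    changed = 0
    for r in records:
        if r.guest_id == guest_id and field_name in r.fields:
            r.fields[field_name] = new_value
            changed += 1
    return changed


def erase_on_request(records, guest_id):
    """Right to erasure, weighed against retention grounds.

    Records under an exempt purpose are kept but minimised to the fields the
    obligation needs; all other records for the guest are deleted.
    Returns (remaining records, [(purpose, reason) retained]).
    """
    remaining, retained = [], []
    for r in records:
        if r.guest_id != guest_id:
            remaining.append(r)
        elif r.purpose in ERASURE_EXEMPT:
            r.fields = {k: v for k, v in r.fields.items() if k in INVOICE_FIELDS}
            remaining.append(r)
            retained.append((r.purpose, "legal obligation: accounting records"))
    return remaining, retained


def sample_records():
    """Constructed sample data; no real guests."""
    return [
        GuestRecord("g1", "reservation", date(2024, 1, 5),
                    {"name": "A. Guest", "passport": "X1", "card_last4": "1234"}),
        GuestRecord("g1", "invoice", date(2024, 1, 5),
                    {"name": "A. Guest", "amount": "210.00", "passport": "X1"}),
        GuestRecord("g1", "marketing", date(2024, 1, 5),
                    {"name": "A. Guest", "email": "a@example.com"}),
        GuestRecord("g2", "reservation", date(2024, 6, 1),
                    {"name": "B. Guest", "passport": "Y2"}),
    ]


def run_demo(today=date(2024, 6, 10)):
    """Scheduled purge, then a rectification and an erasure request from guest g1."""
    kept, deleted = purge_expired(sample_records(), today)
    fixed = rectify(kept, "g1", "email", "b@example.com")
    remaining, retained = erase_on_request(kept, "g1")
    return {
        "purged": [r.purpose for r in deleted],
        "rectified": fixed,
        "retained": retained,
        "g1_after_erasure": export_for_guest(remaining, "g1"),
        "records_left": len(remaining),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two design points worth noting. The purge is driven by purpose, not by guest: the same guest’s reservation details expire after 30 days while the invoice is retained, which is what purpose limitation and storage limitation require in practice. And the erasure handler does not silently keep the exempt record as-is; it strips the passport number that the accounting obligation never needed, so the retention ground is not used as an excuse to hold more than necessary.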

2. Record Keeping

-Build a clear guideline for how PII is collected and handled. A hotel must implement technical and organizational measures to protect personal data, keep records of those measures, and be ready to produce them.

-Publish a privacy notice on your website that states what PII the hotel stores and why, describes the process, and tells guests how to access, modify or delete their data.

-Know the location of every system that holds PII and apply strict controls to it in accordance with the hotel’s data protection policy.

-Ensure effective security controls are in place for the protection of that data.

3. Regular Training

Every staff member in your organization who handles guest personal data should be trained on GDPR. Hotel staff must know how to collect, access, use and disclose personal data, and how to limit access to cardholder data. Employees must also be trained to create strong passwords and to dispose correctly of records containing payment card data.

PCI Compliance and GDPR

If you are already PCI DSS compliant, that work lays a foundation for GDPR compliance, because a PCI DSS compliant hotel has already taken proper steps to secure payment processing. It is only a foundation, though: PCI DSS covers cardholder data, while GDPR covers all personal data (names, addresses, passport details, email and booking history), so PCI compliance alone does not make a hotel GDPR compliant. Secure Stay can help with this.

We’ll teach you how to repel cyberattacks.