  • HITEC Special: Does EU GDPR Affect U.S. Hospitality Companies?

    By Alvaro Hidalgo. The EU General Data Protection Regulation has set a path towards protecting personal data which many other countries will follow. In a global industry such as hospitality, it should be a primary objective to take the steps towards compliance.

  • What to Expect at HITEC Houston 2018: Elite Education, Exhibits, E20X and More

    HOUSTON: A booming cosmopolitan city that is home to more than 2 million Texans, NASA’s famous Johnson Space Center, and — in just two short months — the world’s largest hospitality exhibition HITEC®.

  • HFTP Report: Hospitality Data Security — Strategy for Data Protection and Regulation Compliance

    This guide from Hospitality Financial and Technology Professionals (HFTP®) covers safeguards that can be implemented in hospitality businesses today, tips on how to continuously improve security and data regulation compliance.

  • HFTP GDPR Guidelines: Privacy Policies for Hotels

    This document offers points to consider in the development of a hotel’s privacy policy. In view of the multiple organisational and legal structures under which hotels operate, as well as the complexity of the third party landscape that may be part of the complete guest experience, this document serves as a guideline only.


Is GDPR Legislation Coming to U.S. Hotels?

Hotel Online·10 July 2018
Privacy legislation is dominating the news cycle these days, and it's unlikely to slow down. Now, as U.S. companies are adjusting to the requirements of the European Union's General Data Protection Regulation, the State of California has introduced new laws that will apply to California companies or companies doing business in California.
Article by Michael Toedt

GDPR complaints are on the rise. Are you prepared?

Toedt, Dr. Selk & Coll. GmbH · 9 July 2018
As an indicator of what is to come, let's look at what's been happening outside of the hospitality industry. Regulators in the UK, France, Austria, and across Europe are reporting a sharp increase in data protection complaints and breach notifications since the GDPR came into effect. The majority of these complaints were filed against tech giants like Google and Facebook.

Isabelle Falque-Pierrotin, the head of French data protection regulator, CNIL, told Politico: "The general public is interested about all the transparency obligations, consent and all the new rights."

What does this mean for the hospitality industry? Should hotels be concerned? Only time will tell, however, with maximum fines up to EUR 20m or 4% of a company's global turnover - whichever is higher, hotels must be prepared if complaints come their way.

So how can hotels prepare? First, they must have a proper way to manage all guest data. Since most hotels use multiple different systems that all store guest data in different formats, this can quickly become a burden. One way to simplify the storage of data is to centrally manage all guest data in one system. In this scenario, if a guest requests that his or her data is retrieved, edited, or removed, the hotel can simply fulfill the request at the click of a button.

Centralized data management has further benefits for hotels. It allows them to truly understand their guests and use their data in meaningful ways. Imagine the possibilities when data from a hotel's PMS, POS, WLAN, newsletter system, Outlook, booking engine, channel manager, questionnaires, website etc. are all in one place. The possibilities to personalize marketing, upsell communications and guest services are limitless. Centralized data management transforms data into revenue.

Learn more about how to leverage your hotel's data in the post-GDPR landscape in an all new webinar hosted by Michael Toedt, Managing Partner and CEO at dailypoint™.
The webinar will cover:

  • What the new GDPR regulations are
  • What the implications are for hotels
  • Best practices for hotels to handle the requirements
  • How to simplify compliance with all your data in one, centrally managed source
  • Further operational benefits of central data management

The webinar will take place on July 13th at 10am CEST in German and at 11:30am CEST in English. Register now, as space is limited.

Personal data protection and the hospitality industry in France

In Extenso Avocats, a subsidiary of the DELOITTE Group · 3 July 2018
France has just adopted the modifications to the Data Protection Act n°78-17, integrating the new General Data Protection Regulation (GDPR) measures. As a reminder, the GDPR - n°2016/679 of the European Parliament and of the Council, voted the 27 April 2016 - is a regulation in EU law on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The act came into effect in all EU member states on the 25 May 2018.

The CNIL has already indicated that it will take into account the "efforts undertaken" by companies in their compliance process, and that no sanctions will be applied until the end of 2018 regarding provisions directly resulting from the regulation. This does not, however, exclude the pronouncement of sanctions in case of breach of the provisions already in force under the Data Protection Act (far from being complied with everywhere).

It is clearly not too late to look at how the regulation can be applied in your own company.

There are a number of ways of implementing GDPR in hotels and restaurants, and the regulation can be viewed as yet another administrative constraint or as an inevitability and an opportunity. Indeed, it should be remembered that its very name embraces personal data protection issues, yet it also covers the free movement of such data. Given this, the regulation not only seeks to protect the personal data of businesses and their clients, prospects or employees, it also allows for the free movement of these data. This free movement merely has to be controlled and regulated to avoid misuse, errors or accidents in data processing - the like of which has been seen several times over the past few years (Google, Facebook, Darty, Hertz, Direct Energie and so many others)[i].

Top of the list of the sectors concerned is the hospitality industry...

The regulation provides for thresholds to take into account the situation and business activity of SMEs or intermediate-size companies.
Not all hotel and restaurant businesses are necessarily affected, but if they automatically store and conserve customer data - on preferences, for example (in order to send promotional offers or improve satisfaction during a later visit) - then they are directly concerned. Likewise, if customers can make a reservation through the company website, then the regulation also applies, since the question of the use and compliance of booking platforms (e.g. La Fourchette, Booking.com) evidently arises, as does that of holding records for inspection by the police or maintaining Cardex files.

In the same way, the processing, use and safeguarding of payment methods must be carefully examined. In addition, if hotels and restaurants use video surveillance, they must also examine how such systems could impact on the privacy of their customers and employees.

What measures can hotel operators - and to a lesser extent, restaurant operators - take to serenely anticipate these regulatory obligations after the 25 May 2018?

Beyond implementing a unified legal framework at the European level, the objectives of the GDPR include:

  • A strengthening of the individual rights of natural persons, already instigated by a number of decisions such as the Google Spain judgment sanctifying the right to erasure, or Darty's recent fine further to a security breach in the confidentiality of customer loyalty card data[ii];
  • Compliance based on transparency and accountability;
  • Shared and specified responsibilities (the outsourced service provider becomes accountable, just as the contracting party);
  • The strict supervision of data transmission outside the European Union;
  • Regulated, incremental and stricter financial penalties.

Hotel and restaurant operators should take particular note, since they will move from a reporting regime with an a posteriori penalty to a new regime based on anticipation and accountability. The consequences are multitude, as we will see later.
Although this change means fewer reporting obligations, it also reflects the strengthening, or even the creation, of a number of obligations for all hospitality operators (and companies, in general) that process their customers' personal data.

These obligations mainly focus on anticipation, information, transparency and security and documentation.

HOTEL AND RESTAURANT OPERATORS MUST ANTICIPATE: In case of complaints, security breaches or CNIL controls, businesses must generally be able to justify their having applied the universal "privacy by design" principle, meaning that they have integrated respect for the privacy of natural persons into data processing right from the start. This principle requires considering the lawfulness of the data processing, conducting preliminary impact studies when necessary, and potentially obtaining the consent of individuals whose data have been collected and informing them of their rights.

HOTEL AND RESTAURANT OPERATORS MUST INFORM: Henceforth, an obligation of transparency is imposed on hospitality operators who manage, store, host, process or sell personal data. Take, for example, hotel and restaurant customers who are natural persons, and whose data are collected - these individuals must be notified as to the purpose of the data processing and informed of their rights in terms of data access, rectification, erasure and portability.

HOTEL AND RESTAURANT OPERATORS MUST PROTECT: Everything must be done to protect the data held by a company, in accordance with the "security by default" principle. Going beyond the required and optimal protection, businesses must allow data to be traced, and any security breach has to be declared to the CNIL within a very short time frame (72 hours, as stipulated by the regulation).
Penalties for breach of these obligations will be reinforced (up to either 4% of annual global turnover or 20 million euro), although there is an emphasis on making the sanction proportional.

AND LASTLY, HOTEL AND RESTAURANT OPERATORS MUST DOCUMENT: In certain cases, maintaining a Record of Data Processing Activities is obligatory.

Hotel and restaurant operators are directly concerned by GDPR if:

  • They employ 250 employees or more.
  • And/or they process personal data en masse or automatically.
  • And/or this processing concerns sensitive data and/or could infringe individual rights and freedoms.

Each of these criteria must be assessed separately, and in certain cases, hospitality operators are required to maintain a Record of Data Processing Activities. Indeed, the sector is especially impacted by GDPR, given its various business activities: organisation and information systems, HR management, sales and marketing (prospection, promotion, customer record management, etc.), supplier management and, of course, hospitality IT management.

The hospitality sector is specifically targeted, whether or not data are conserved in the company's computer server and/or stored and/or hosted and/or reprocessed by a subcontracting party. Hotel and restaurant customer records can no longer contain any old data and must respect certain conditions. These personal data, already considered by some as the new "black gold", can be coveted by malevolent competitors or by hackers for resale or ransom (WannaCry ransomware, for instance). At a time when cyberattacks are on the rise, the sector must ensure the protection of its customers' personal data, as well as those of its employees (who are also covered by the new directive). There is no doubt that a hotel or restaurant's e-reputation also depends on whether or not it complies with the regulations.

In concrete terms, an audit is necessary to evaluate a business's practices and to pinpoint the risks.
Further to the audit, an action plan must be instigated to potentially maintain a Record of Data Processing Activities that groups and describes the business's personal data processing practices, or if the maintenance of such a record is not mandatory, to implement minimal GDPR compliance procedures. This requires the assistance of a multidisciplinary technical and legal advisory structure - one that is well-established and specialised in the hospitality sector - so that the process can be correctly handled at the best possible cost.

It is, of course, never too late to comply.

[i] CJUE, gde ch., 13 May 2014, aff. C-131/12, Google Spain SL and Google Inc./ Agencia Espanola de Proteccion de Datos and Gonzales
CNIL Resolution n°SAN-2017-006 of the 27 April 2017 imposing a fine on FACEBOOK INC. and FACEBOOK IRELAND
CNIL Resolution n°SAN-2018-001 of the 8 January 2018 imposing a fine on ETABLISSEMENTS DARTY ET FILS
CNIL Resolution n°SAN-2017-010 of the 18 July 2017 - HERTZ
CNIL Decision MED n°2018-007 of the 5 March 2018 serving notice on DIRECT ENERGIE and CNIL Resolution n°2018-082 of the 22 March 2018 and decision issued to make public the formal notice to DIRECT ENERGIE

[ii] CJUE, gde ch., 13 May 2014, aff. C-131/12, aforementioned Google Spain
CNIL Resolution n°SAN-2018-001 of the 8 January 2018, aforementioned DARTY ET FILS

Alexa for Hotels - The Good, The Bad and The Creepy

Puzzle Partner Ltd. ·28 June 2018
This past week marked another successful HITEC, the culmination of which left hospitality experts with a lot to think about as it relates to industry-wide innovations positioned to make major waves in 2018. One of the more notable discussion points is the mainstream integration of voice-powered assistants (AI technology) into hotels. In fact, Amazon.com Inc recently announced that it has partnered with Marriott International Inc to help increase guest access to amenities with Alexa, through its voice-controlled device Echo, in an attempt to expand its presence in the hospitality industry. This is an exciting prospect for hotels, as implementing Alexa in a hospitality setting could assist in personalizing room settings, ordering room service, housekeeping, calling the concierge and so much more.

Of course, in the same excited breath that we speak to the potential conveniences which Alexa (and other voice-activated tech) can provide, we have to consider the on-going concern of data security. Especially with the recent implementation of GDPR, the protection of guest data and the proper attainment of documented consent for all data collection should be paramount. However, voice-activated devices are admittedly trudging into uncharted waters, as their ability to gain uninhibited access into users' conversations and preferences comes into question.

With this in mind, we've delved into the good, the bad (and even the creepy) that is in store for hoteliers eager to branch into the world of Alexa for hotels.

The Good

Alexa for hotels offers a wide range of exciting possibilities, including room temperature regulation, turning on lights, sending emails, ordering room service or housekeeping, asking for local recommendations and so much more. Alexa will offer 24-7, efficient and hands-free customer service for every guest, tapping into the desire for increased personalization without over-extending hotel staff.
Ideally, Alexa should help hoteliers provide a seamless guest experience as part of the myriad of programs and devices in place to improve hotel operations, and better connect with and serve guests. According to Marriott International, consumer feedback has been overwhelmingly positive thus far. And as far as guests readily engaging with the device? That's been promising as well. According to Volara, for every 1,000 occupied room nights, it is automating an average of 240 item/service requests and 700 guest questions about the hotel and surrounding area. Throughout these pilot programs with Alexa, guests requesting for the device to be removed from their rooms has also been very low.

Volara CEO David Berger assures, "We are not capturing transcripts or recordings, and we don't know guests' identity. Just their room number." Meanwhile, Amazon, which does capture recordings once a person says "Alexa," to improve the devices' natural language processing capabilities, does not have access to the guest's identity or room number, ensuring that the information is always anonymous.

The Bad

Speech-recognition software is by no means new, with the likes of Siri often being used as our iPhone-enabled personal assistant while on the go. However, as the capabilities of speech-recognition and AI evolve within technology such as Alexa, Google Home, smart refrigerators and hotel rooms, the technology continuously becomes smarter. Using real-time experiences (machine learning) to identify and respond to user needs more accurately, these devices are continually collecting and analyzing data.
Essentially, in order to serve us, these devices must learn about us -- a concept which may leave some users feeling unsettled or subject to invasive data collection.

The concern here is that it's not always clear when Alexa is listening, although it's noted that "Amazon and Google insist their smart speakers do not record voices until someone directly addresses the device with a 'wake word' such as 'Alexa' or 'okay, Google.' However, it is possible to accidentally 'wake' such devices, which means it is not always clear when they are listening."

Further to suspicions of idle data collection, it's also unclear who should have access to what data, since multiple individuals will typically use the device at different times, which makes for complex privacy boundaries. We also have to consider the fact that the evolving capabilities of voice-powered assistants on such a public scale leaves room for error -- there are bound to be some initial learning curves that leave users feeling vulnerable.

An example of such a privacy mishap recently unfolded in Portland, Oregon, when a local woman had private conversations secretly recorded by the voice-controlled Amazon virtual devices in her home. Those conversations were then sent to a random contact in Seattle. While cases like these are a rarity, the user-friendly simplicity of the device which makes it so popular to the general public, also means the security protocol may mirror that simplicity when it should be more complicated. As we'll delve into more later in this article, Alexa is triggered into action by a 'wake word', an exchange which could easily be misinterpreted and mis-triggered. For those of us particularly concerned about Alexa accidentally "listening in," an easy fix is to unplug or mute the device in moments you know you won't need its service.
So the question becomes, can we trust Alexa?

As the technology continues to improve, we can only hope that these virtual assistants become better equipped to identify different types of information with varying layers of security to prevent private information from being mistakenly shared. As mentioned above, user concerns regarding the misuse of their private information should (mostly) be put to rest, as any information collected is anonymous aside from room number.

The Creepy

As Alexa's popularity has picked up momentum, so have the odd-ball stories circulating the web claiming witness to strange or otherwise unexplainable reactions from the device. These include, but aren't limited to, sudden laughter, unsolicited and seemingly random replies, or Alexa speaking without being woken up by a wake word.

On one forum, a married couple described the time in which Alexa interjected into their dispute.

"My wife and I were arguing about something. No clue what it was, but it was getting a little heated. I don't know what Alexa thought she heard, but she suddenly interjected with, "Why don't we change the subject?" It was just unexpected and relevant enough to be creepy. We both heard it, and we both still talk about it years later. There was nothing in the app logs."

Another woman detailed that her Mother's Alexa suddenly turned on one day (started glowing) and her Mom asked, "Alexa, what are you doing?" to which Alexa replied, "I'm trying to learn new things." Her Mom replied, "No one told you to do that" and Alexa replied "okay" before turning back off.

Of course, while we may love to assume Alexa has an ulterior motive aligned with some sort of Sci-Fi horror movie, there is a reasonable explanation for these occurrences. ZDNet notes that the most likely cause of an Alexa spontaneous reaction is a misinterpretation of sound.
Given how sensitive Alexa has to be to process wake words, sometimes Alexa will react to a sound (even one we might not hear or notice) and interpret that as a wake word or command of some sort. After all, Alexa's sound processing system has to be able to take the sound waves and do its best to interpret what the humans speaking are asking for.

AI technology and voice-powered assistants are undeniably one of the hottest topics following the close of HITEC 2018, and there's no doubt they will continue to be a prominent focal point moving forward. Love it or hate it, Alexa is likely coming to a hotel room near you -- and I don't know about you, but I'm interested to see the way in which this technology evolves within our industry.
Article by Michael Toedt

GDPR - a blessing in disguise for the hotel industry!

Toedt, Dr. Selk & Coll. GmbH ·27 June 2018
For me, however, the GDPR is not a monster at all, as it is so often described. I see it as an opportunity for the hotel industry to make up for lost ground. It has, by law, forced every company to deal with its own digitization and IT strategy.

This is because, among other things, all people (including hotel guests, if we look at the hospitality industry specifically) in the EU have comprehensive rights to their personal data, including the right to request their data, correct it, delete it, and transfer it to another provider. All this must have been guaranteed by the 25th of May.

It is a sometimes overlooked secret that hardly any hotels are actually able to abide by these regulations! This is because hotels work with a proliferation of systems that can no longer be controlled. How should a guest's right to his or her data possibly be managed when the data is scattered across the PMS, POS, WLAN, newsletter system, Outlook, booking engine, channel manager, questionnaire system, website etc.? This is simply impossible! Hotel companies are therefore wading treacherous waters.

The fact that hotels work with so many systems is not only a nightmare for hotels that want to focus on the new GDPR regulations. It also leaves the hotel industry behind when it comes to digitalization. With data scattered in so many sources, hotels can't properly understand or use it in any meaningful way.

But some companies did it right. Enter the winners from last decade: the Online Travel Agents (OTAs). They did something fundamentally different from the beginning. They understood the value of data and pursued a central storage of their customer data, aptly called central data management (CDM). Simply put, all data about the customer comes together in one central location, a kind of parent database that combines everything.

This central database is the standard for hotels that want to move into the digital era.
Only those who know their customers down to the smallest detail and use this knowledge for a comprehensive individualization of guest interaction can benefit from data. Even if it is unpleasant, hotels today generally have no idea who their guests are. This is unacceptable. All decision-makers should be aware of this.

So how can hotels move forward? They need a central system in which everything comes together. In the past, this system was the property management system (PMS). But PMSs are inflexible, with expensive interfaces, and poor data cleansing functionalities. Today's dominant PMSs are not designed to handle the increasing amounts of data and data sources, and the upcoming cloud-based generation of systems is too lean and focuses only on the key functionalities like check-in and check-out.

The hotel industry therefore needs a new central system, a mothership that takes over the former role of the PMS. An #abovePMS system is required to finally be able to work at eye level with the OTAs again.

If you look at the GDPR from this perspective, it is ultimately a measure initiated by politicians to force companies to make themselves fit for the future. All those who do not do so run the risk of violating applicable law and drifting further down the competitive spiral in the coming years.

In this sense, perhaps some hoteliers will thank the politicians in a few years for making them fit for the future through the GDPR. It has forcibly given those that comply a competitive advantage.

PS - Looking to see how your hotel can manage its data in compliance with GDPR regulations? Register for our webinar on July 13!

Amazon Echo, Google Home ... hotels are wrong again

tendancehotellerie.fr ·26 June 2018
And yet it's impossible not to come across an article that does not talk about it. On a simple common sense, it seems obvious that Amazon will organize everything to boost the story because on the one hand it is potentially hundreds of thousands of sales for its toy, but especially by ricochet millions of customers potentially to buy it too. All these multinationals on the web employ the best in all areas, and marketing is the keystone of the building.

And the one who thinks that only the price of selling the device justifies such a debauch of energy, he or she forgets the double effect of the richness of the collected data: before we said, "if it's free, you're the product" but now we can add "even if it's not free, you're still the product".

In hotel chains, who's the boss?

Many hotel chains are in fact headed by their CFO instead of their CEO, the example of Marriott sacrificing the Starwood CRS for the antediluvian Marriott CRS, just for a matter of money, demonstrates it perfectly.

In this regard, the troublemaker Sebastien Bazin president of AccorHotels decided to fight, not in a "against everything" mode but in innovation and investment mode. Is he one of the only ones to have understood that a new wave of hotels emerged, driven from Asia or more simply that the word "hospitality" had changed meaning? Focusing on some of his mistakes such as the marketplace for the independent hotels would be petty: Sebastien Bazin is a locomotive on his own and we need big companies to be driven by locomotives rather than followers or worse, accountants!

A question of common sense ...

Working on its customer supply chain is a priority for any company that intends to last but not for a hotel chain, because the central tool in its supply chain, the CRS, is old, rigid, stuck outdated, obsolete, far too expensive, etc ... in almost every major hotel group.
How many hotels have not yet incorporated this ugly concept of "customer acquisition cost" in their business management: they suffer while it is the main lever of their sustainability.

Recent technological lessons

The main slap in the hotel business is Booking: Little guys from a tiny country have taken the problem upside down and have become the undisputed masters of the hotel reservation, at least for now. Since Booking.com exists, have we seen a single hotel reservation system from a hotel or chain be as effective? as fast? as simple for the customer? Have we seen real initiatives to offer the customer a hotel list that may seem to him exhaustive? As long as the neighbor hotel is considered a competitor instead of a colleague who is heading in the same direction, the Booking-Expedia duopoly will have a bright future. As long as the bed and breakfast or furnished accommodation will be considered enemy #1, the hotel will continue to dig his grave.

Wi-Fi is still a problem in the hotel industry: it is payable too often, it is of mediocre quality and its security is not often acceptable. Offering a high-quality internet (stability + security) and with a good bandwidth should be the same concern as providing hot water at the same time to all rooms. If a hotelier finds it logical to have a peak flow during rush hour, then why is it not the same with electricity during these peak hours? It would be funny to see the TV go down when you turn on the hair dryer or be in the dark as soon as the guests in the next room come in ... On this point, the comfort of use of Internet in an Airbnb is a hundred times better than in a hotel! If a hotelier finds that the Wi-Fi is expensive, may we suggest him to sell his hotel and to buy a shoe store where we do not need Wi-Fi, although ...
the customers also need the Internet to visit in real time Amazon's store and check if it's not cheaper.

Where's gone the innovation spirit that used to drive hotel chains to innovate, for example, IHG with the 1st CRS worldwide in 1965, at a time when even the word "computer" was unknown to most?

Who remembers the beautiful days of the phone device in a hotel room, at a time most of the customers used because it was his only means of communication? Who remembers the huge margins that hoteliers could generate on the use of the telephone, especially in high-end hotels? In 2018 who's still using the room phone to call home or office? Indeed, some hotels have implemented systems allowing the customer to access from the room phone to the list of his contacts, much like the multimedia system of any modern car. Except that in the car, it is the customer's phone that serves as a transmitter, not another line with an additional cost associated ...

Aside from car rental

When you rent a car from one of the leaders in car rental, you have a clean car, recent, little damaged and yet this car is full of traces, the digital traces of ALL previous customers: just look at the list of previous navigation destinations to find out where the car has already gone. On the phone, you even have access to dialed numbers!!!

On this specific point, the hotel entertainment systems automatically reset themselves from the client (if the systems are connected) and do not speak Russian to the Argentinian client who has just checked in ... So, all is not lost!

The mania of forcing the customer

In all sectors and not only hotels, we force the customer to behave as the merchant has decided: selling channels are compulsory, it is compulsory to install this app to do that, etc...
now we even push the plug to bother him/her as soon as he/she passes in the street, in the alley of the commercial gallery, in front of the laundry with incessant and exhausting solicitations.

Chatbots have not yet revolutionized this game. Nevertheless, rather than go to the mobile application of our bank, would not it be easier to complete a wire transfer directly from our favorite messenger/chat application (Facebook Messenger, Skype, Telegram, etc ...)? The security of the transaction is not that difficult on these tools ... if we have the right engineers. Same to book a hotel room!

With Google Home or Amazon Echo installed in the room, once again we want to force the customer to use technology that the hotel has unilaterally decided to install.

The law is evolving much more slowly than technology

It's terrible! And it's not going to get any better because technology is accelerating more and more while the laws are long to be promulgated because made by generations who do not really understand the stakes, the quest for power for power being too often more important than the rest.

By gaining height, the recent establishment of the GDPR is a dark task in the middle of a blank page of law(s) on digital. While the GDPR is heavy for small companies, it rings the bell and reminds all businesses, especially the most powerful, that the law can touch the only place that matters to them, the dough.

For once a law is taken at the scale of a continent and not a single country, the event is literally extraordinary. Especially when at the same time this Dear POTUS renegotiates European country by European country its bilateral trade agreements, seeking to sow discord in a wobbly Europe and where small countries (in number of inhabitants and especially in GDP) that are subsidized have as much of weight than those who perfuse them.

The world is changing fast, very fast

The Internet wave was followed by a technological tsunami that destabilized entire sectors of the economy.
We can waste time crying and regretting the past or we can decide to make it an opportunity.

Darwin

According to Darwin's theory of evolution, the one who survives is neither the strongest nor the smartest, it's just the one who adapts!

Technology has allowed every human being to do things unthinkable 40 or 50 years ago. Who would have predicted that 97% or 98% of people in many parts of the world would have their own phone in their pocket all day long? Who would have predicted that this phone would become smart and would do more than just talk?

The era of personal data

Who can think that this wave will fade? Artificial intelligence and its associated technologies like machine learning are again shaking up the established order.

This is just the beginning of the era of personal data, not that it did not exist before, but because it is recordable, saveable, duplicable, compilable, exportable, measurable, spyable, comparable and usable to infinite power!

Go headlong or think 2 seconds?

There are many people who go headlong into technology without taking a step back. Is it healthy to have only one Wild West mode provider for ALL of one's personal data technology tools? Is it safe to disclose 100% of one's life to an entity that does not meet any rules other than those of its own board?

How many people use, for example, only Google: Android + Gmail + Chrome + Google Search + Google Drive + Google Calendar, etc.? How many do it privately AND for professional purposes? Their answer is always the same, and they would almost try to pass the others off as degenerate morons who are too stupid to understand: it's simple! Obviously, Google's tools are well made, ergonomic, simple and addictive! Who could imagine that Google or Amazon or Booking would have arrived there with ugly and complicated tools?

Must we give in to all that is addictive?
Is it not reasonable to say that you have to divide your digital footprint between several tools while waiting for your own tool?

Fortunately, there are people in the world of technology and computers who think that the web belongs to everyone and not to a handful of multinationals. And among these people, many say that the way we store our data today is a heresy: everyone should have their own silo of data from which they give access to such or such service, for a fixed term or not, for a precise use or not, etc.

No one has really developed their own data silo in their garage; nevertheless, the blockchain today has some of the best potential on this specific topic: everyone could unilaterally control their data, give rights, revoke or modify them and especially have access to undeniable and tamper-proof traceability of the use of these data.

Today we do not realize the digital footprint that we leave everywhere: we leave geolocation enabled by default and shops around our phone know it and can tease, propose or even harass if the pressure becomes too strong.

Imagine a hotel room where 100% of what you do is recorded and used to make statistics.

Soon statistics of farts!

Do you really want the hotel to be able to do statistics on the number of your farts? Little ones, big ones, sneaky ones, monstrous ones, ...

Imagine the receptionists' faces in the morning, saying to a colleague "here's the record man of the month!" Or at check-in: "I bet this one is the winner!" Should we organize a prize giving?

Do you want the "system" to remember and decide to go as far as you can down the corridor or force the HVAC to stay on a loud and de facto noisy mode the next time you come not to this hotel but to one of the hotels of the chain, at the risk that you shiver?

Do you want the hotel to be able to cross this statistic with other personal and discriminating data?

The time of reason is coming

It takes its time. The GDPR has allowed some people to become aware of several things.
Businesses literally disappeared with the GDPR because their business was to use data acquired without consent for non-consensual purposes. And we are not going to cry for these parasites.

But above all, the GDPR makes it compulsory (in principle) for companies to keep the information stored proportionate to real needs, not to follow the fads of the head of marketing.

The personal shopping bots

Artificial intelligence is still in its early days on this specific subject of the personal purchasing robot, which presents a multitude of interests, especially on social networks, rather than on the sales sites themselves: according to its settings, the fact of participating in a discussion about a product or service, or even a simple Like, allows the brand to communicate one-to-one, to access some calibrated personal details (I like blue shoes without animal matter and in 10.5 size but I do not give my name nor my mobile number) and to be able to present to the visitor a very short and hyper-targeted list of products, with a personalized tariff: offering a one-to-one discount has no impact on the public value of the product because the price remains the same online.

The setting of this shopping bot allows you to pause your purchases, to plan a long-term search or to start an urgent search for delivery within an hour.

Except in business travel, where early signs are visible, we do not yet see a real shopping bot in the field of B2C travel; however, it should happen. With these shopping bots, Booking.com can have some chilling to do, because what will be its added value for a casual customer? Booking.com may be able to use a loyalty system for a regular traveler but not for others, and even then this loyalty system will have to be advantageous for the customer ... And when the transaction takes place on the customer's ground, the added value of Booking's ergonomics will no longer be worth a kopeck!
No false joy: by then Booking.com will have found something else. Remember that with the money you give them every month, they have billions in the bank to hire the best of the best ...

Besides, how many customers book EXCLUSIVELY through an OTA to avoid giving too many personal details to the hotel? To avoid credit card details lying on a piece of paper?

The explosion of data collection points

All experts predict an explosion of the so-called Internet of Things (IoT). A multitude of objects for programmed use (a refrigerator, a television, a shutter, a coffee maker, a switch, etc.) are not replaceable by a single object that will do everything.

On the other hand, objects of the Amazon Echo or Google Home type will not be able to multiply indefinitely and anarchically. As with the phone, this item will inevitably become personal and no longer attached to a home, room or hotel room. At this stage of technology, we almost all have a tool that already has this technological component.

It's called a smartphone, and it already contains a more or less intelligent tool like Siri and works very well with its connected watch, connected headset, connected glasses, or any other personal AND connected object.

What should hotels do then?

It is doubtful that independent hoteliers will be able to be the driving force or devote large resources.

But the chains can.

Instead of trying to multiply the points of collection (and de facto friction points with the customer if he is "allergic" to a technology) and at the same time putting themselves at odds with the law and the GDPR by collecting and storing data that they clearly do not need, the logic would be for hotels to do everything so that the customer's connected watch can turn on the light of the hotel room. The same goes for the reservation: the customer must be able to book a room in his own environment, which he could occasionally leave to be possibly reassured (see a room in 360 video, see the breakfast room, ...).
And so on for 100% of the tools and services.

Imagine being able to say to cleanliness fanatics: here, no more shared remote control, it is your telephone that controls everything. This customer segment alone is worth the investment!

A priori, the client's personal system will know his accent and his way of speaking very well, which will necessarily reduce the risk of error. But above all, it will be THE system chosen by the client and that he/she will TRUST.

Why should a customer trust a hotel and its employees? With these new tools, what guarantees to a customer that his extra-marital "fitness" will remain within the 4 walls of the room as it always did? It's important to remember that hotels and sex (not priced) always got along well!

In this way, the customer is therefore responsible for his own digital security. The hotel does not collect and therefore no longer stores personal and unnecessary data.

No need to push the reasoning very far to say that we could very well ensure that the hotel does not hold the information of an intolerance to feather pillows until before guest check-in and DELETES it from its system once the client has left. What a change of mind for hoteliers, especially in the luxury segment, who think they are allowed to know everything and especially store everything on their regular customers. Yet the only data they are legally required to store for several years is the invoice and billing items. The word hospitality only means "welcome well" and not "hold a very detailed sheet" of which even the STASI would not have had the crispy details.

The era of true customization

With the arrival of shopping bots, chatbots and the rapid growth of their artificial intelligence, it is no longer the merchants who push information to the visitor.
It is the potential customer who opens the floodgates of his data to merchants who meet his next generation RFP without having access to data that is not necessary to provide the service.

The same goes for the transaction that, for these users of a new kind, will happen on the customer side and not on the merchant side, with at stake a better understanding by the customer of the small print, deadlines, modalities, supplements, etc., because he will at some point be able to compare in his familiar environment.

We are not there yet, and this won't explode in 2018. Nevertheless, this kind of thing should seriously develop over the decade, especially with the trend of more and more consumers trying to consume better.

Conclusion

If the hotel industry wants to become again an industry that innovates, then perhaps it will be necessary to start and become a precursor instead of a follower.

If the hotel industry wants to regain market share it would have lost due to the "furnished accommodation" business, perhaps it would be high time to make these tourist accommodations look amateur in terms of technological security in comparison to what hotels could guarantee on the specific subject of their customers' data.

In any case, the time when hotels could force customers to use a system is over. It is up to the hotels to adapt to their customers'.

Whoever does not take risks and does nothing has no chance of being wrong, has no chance of adapting and consequently surviving!

Championing the value of independent data

Hotel Yearbook ·18 June 2018
In April of this year, Carson Booth was named CEO of Berlin-based SnapShot GmbH. Previously the Global VP for Property Technology at Starwood, then Marriott, he brings a wealth of relevant experience to his new assignment at the helm of this six-year-old company, already one of the largest hospitality data processors in the world. We talked to Carson about his vision for the company and the challenges ahead.

Hotel Yearbook: First of all, Carson, congratulations on being named Chief Executive of this dynamic young company. For our readers who don't know the firm, can you give us a brief snapshot of SnapShot?

Carson Booth: Thanks, Woody. I'm proud and excited to take on this new role. As for the company, it started out in 2012 with a vision to address the industry need for a different kind of access to hospitality data - one that would be independent of software providers and give access and control back to the organizations that needed access to the data.

This began as a data aggregation and retrieval system to address the data silos. From there, we rapidly realized that the same types of systems had different ways to process and store equivalent data. With the support of new investors over the following years, we evolved into an extensive data platform with the capability to collect data from hotels, harmonize the data, and then make it available back to the business in much more accessible and customized formats.

And it's not just the customer's data - we also bring in external relevant data, like guest reviews, OTA or competitive set data, to support management decisions and benchmarking capabilities to our customers.

Furthermore, we run our "Marketplace" where developers can build applications against our data sets and sell innovative apps back to our customers.
With this combination of a data platform, data harmonization and analytics and Marketplace, we are absolutely unique.

HYB: How big are you?

Booth: In terms of staff, we have 75 employees in seven offices around the world. As for the number of hotels we work with, at present we have over 5,000 PMS-connected hotels sending us data three times a day, as well as several industry data suppliers. Our intention is to grow this hotel number substantially, and in parallel, leverage our platform and capabilities to not only extend our data sets for hotels, but more broadly in the hospitality industry, like restaurants, to provide similar solutions.

HYB: Why is data so important?

Booth: That's a very fundamental question, but it can't be emphasized enough: Data is what allows a hotel or restaurant, first, to know its guests in order to deliver an enhanced guest experience on an individual basis, and, second, to know the operation, how it is performing internally as well as against external metrics. The challenge for the hospitality industry is its very decentralized nature of a brick-and-mortar business and our traditionally low technology investment ratios compared with other industries. Over the last few years, the industry has begun to realize the importance of data, and our technology suppliers have started responding with more mature solutions, for example cloud-based options, and so on. However, no single magic system exists to meet all the unique complexities for each hotel and operation, and therefore, data silos remain.

Hotels and management companies spend an incredible amount of time and energy - and therefore money - trying to cobble together relevant data and transform this into actionable information to understand operations and glean insights. This data emancipation, harmonization and visualization is core to what we do.

HYB: You've emphasized also the independence of the data you work with. What do you mean by that?
Why is it important?

Booth: You need to think of data as an asset, possibly even the most valuable asset you own. Why? Because by understanding your data, you can gain extremely valuable insights into your customers, your competition, and of course your own performance - and those insights will form the basis for most of the decisions you make, major and minor, about running your business, staying competitive, and ultimately, thriving.

However, considering how most data is generated and stored, the problem is that it's not freely accessible. That's because so much of it is enmeshed - you could even say "trapped" - within systems that are not built to share data openly. This data must be emancipated so that you can use it as you need and wish, as its rightful beneficiary. This is what I mean by "independent data". You want all this data to be free and portable so that you can more quickly integrate it into the analytical tools of your choice and reuse it for your own purposes, no matter what your needs are.

Here are two examples of how independent data can greatly simplify the complexities of moving the data or transforming it as you need: Our industry continues to see very active mergers and acquisitions of brand management companies; the portability of independent data for access or consolidation significantly reduces the immediate need to undertake a major technology change in the field. Independent data also addresses an ownership group's need for insight into how their business is performing - without complexities of trying to consolidate multi-management company reports and processes. This independent data can be exposed on the transaction-by-hotel level and easily consolidated since the data is already harmonized.

HYB: Is this emphasis on the value of data a recent thing?

Booth: Certainly in the past few years, there has been an increasing awareness of the value of the vast and diverse store of data that a company generates through its many business activities.
At the same time, though, there has been a corresponding increase in the restrictions that managing this data is subject to. You only have to think of the European GDPR rules and its global impacts to understand what I mean. So from a very practical point of view, the question a company has to ask itself is, what are we going to do with all this data we have? How are we going to use it to innovate and grow?

SnapShot is uniquely positioned to help a hotel or management group come to grips with these challenges, because of our three pillars of products and services that unlock the value of a property's data. First, we can collect the data and ensure that the data is harmonized. Second, we add relevant external data sets for a combined ability to visualize the information with analytics for understanding it. And third, we continue to build our unique Marketplace where developers build and deliver innovative hospitality apps. We see ourselves as directly addressing the needs of the hospitality industry as well as bringing new value to the data itself.

HYB: You've been on the job for a few weeks now. What can you tell us about your plans for the company?

Booth: SnapShot has an amazing data platform that is capable of scaling significantly. Leveraging this platform is core to our plans and includes several paths. Firstly, extending our data set capabilities beyond PMS, POS and external data today, to include financial and procurement data for example, and then extending this data to our Marketplace community for innovative app development. Secondly, working with large and enterprise-class groups on off-the-shelf and custom data solutions. Thirdly, we will expand our industry education and awareness programs to continue to champion our belief in the value of independent data.

HYB: It all sounds very intriguing, Carson, and we hope you'll keep us posted on your progress.
Thanks for the interesting conversation!

Booth: Thank you, too!

About SnapShot

Founded in 2012 with the vision to build the hospitality's premier data platform independent of any brand or software provider, SnapShot is now one of the largest hospitality data processors in the world, managing transactional data of over 6,000 independent and branded hotels worldwide, with over 45 different connected PMS systems, and growing. With the release of the Hospitality Data Platform, SnapShot enters its third phase, which brings forward its founding vision: a secure data platform, visualization capabilities, and marketplace. To find out more, please visit snapshot.travel.

What hoteliers can do when crises strike

R. A. Rauch & Associates, Inc. ·18 June 2018
The U.S. has been hit with the longest streak of crises--mass shootings, natural disasters and security breaches--in the past decade. Hoteliers need to better prepare and develop plans for not if, but when crises strike.

Crisis management will gain importance as active shooter training is added to a hotel's playbook and cybercrime continues to increase dramatically.

"Run. Hide. Fight" training and a technology expert at each company are now required. It is paramount to our future liability that we train our staff and have procedures in place for all potential crises.

As to General Data Protection Regulation (GDPR), this has come up quickly and applies to all hotels, especially those that pursue European travelers. Hotels need traveler consent to store any data related to a European traveler, and it is recommended that we start doing that for all guests.

Active shooters and disasters

High school shootings have occurred far too often. The Santa Fe High School shooting could have been far more traumatic and caused the loss of many more lives if the school hadn't had both security and "active shooter" training in place. The training is now required for all hotels. The FBI, your local police department and Homeland Security have comprehensive materials on this subject that will serve as resources for hoteliers. Being prepared for any terror event or natural disaster is critical to both saving lives and minimizing negative impacts.

Rapid hotel evacuation is key to a crisis plan, and all team members must know the evacuation route. Rapid lockdown of the hotel or areas of the hotel will limit a shooter's movements. It is vital that hotel staff become acquainted with Homeland Security's detailed guides on this type of training activity. Developing a first-responder pack that includes detailed hotel plans and critical infrastructure would be paramount to a crisis plan as well.
Cellphone numbers of all team members must be available to ensure safety and enable crisis communication.

The same protocols regarding evacuation should be established for natural disasters. Just recently, a fast-moving lava flow from Hawaii's Kilauea volcano led local officials to close a highway on short notice. They needed to communicate to all travelers that thin strands of glass fibers carried in the wind could injure eyes and lungs. There must be real training and tangible procedures in place as we must never assume all will be calm tomorrow. I just scheduled our 2018 training with our local police departments for our teams, and I encourage all of you to do the same.

Cybersecurity

Companies should ensure that the property management system is on a different network than public Wi-Fi and that all networking devices have default account passwords changed. All software and operating systems in use must be up to date with the latest patches and versions, and employees must be trained to recognize harmful forms of cyberattacks to ensure the protection of guests.

All passwords should be reset when an employee leaves the company. Each front-desk employee should have a unique PMS password as well as a secure computer password. Passwords should not be visible to guests. To ensure the security of computer systems, team members should be trained to lock any front-desk operating systems when they step away from the desk, and to never leave portable devices unattended.

Companies need to have internal and external access to IT expert resources 24/7. Protocols should be put in place to prevent hotel staff from using hotel property for personal purposes. Periodic audits of employees and their activities should be enacted to ensure security. This merely touches the basic needs in this area of potential cybercrime.

GDPR

The GDPR took effect on 25 May. The impact on almost all U.S. businesses is massive.
While this is a European regulation, it will significantly impact the global lodging industry. Further, in the event of a cybersecurity attack or data breach, companies only have 72 hours to report the situation or there are financial consequences.

Hotels that actively seek European guests will be required to be compliant with GDPR. This means that hotel guests can insist their data be erased. Sensitive data is personal information about an individual that could be used to discover their identity and gain access to their accounts.

GDPR requires us to designate a data protection officer within our organizations. Companies must gauge whether or not any activity outside of the European Union will require communication with a person in the EU after the initial gathering of information. A risk assessment will review the data gathered and allow EU citizens to make updates to their personal data.

Put your plans together and go out and have a great summer!
Article by Sarah McCay Tams

Blockchain: Loyalty And The Next Generation Of Traveller

Duetto ·15 June 2018
Blockchain is the next major disruptor to the travel industry, according to industry experts talking at the Blockchain Demystified - How will it change your business? panel discussion at last week's EyeforTravel Europe Summit.

According to a recent survey by the World Economic Forum, 58% of executives anticipate that 10% of global GDP will be stored on blockchain before 2025. Hoteliers need to pay attention to this new, technological revolution.

Talking at the EyeforTravel Europe Summit, Simon Talling-Smith, Chief Commercial Officer, Voy - a cryptocurrency and loyalty programme, tackled the issue of how blockchain and cryptocurrency could be used in travel loyalty programmes.

He highlighted the current state of the loyalty market, in which 80% of users don't have enough points to redeem or can't log in or have forgotten their password. He said blockchain offered a perfect opportunity to fix some of the ills associated with loyalty.

"You need to motivate your customer. Give them something they can keep spending. There is a direct correlation between spend rate and engagement with product," he said.

Talling-Smith explained how loyalty programmes are not just about providing a currency, but about tracking traveller habits. It's about personal data. However, the roll out of GDPR is changing all this. "Your power over your data is now more powerful than anyone thought it would be," he said.

Using blockchain, users retain control of their personal data.

"You can permit access to a standard profile and choose whether or not to share your whole travel history. What incentives would companies put in place to allow them full view of your entire travel history? Imagine if you knew the entire travel history of your customers?" he asked.

By giving the data control to the consumer, blockchain allows companies to track people with complete compliance.

David D. Brillembourg, CEO, Brillembourg, provided a compelling overview of the future of blockchain.
In his presentation, he pointed out that $1 trillion worth of travel will be in the blockchain in the next 10 years.

He talked about his STEP travel ecosystem, which is powered by blockchain and cryptocurrency, and aims to provide a cost-effective solution for travellers and hotel owners. He explained how blockchain will provide an alternative distribution channel to the OTAs, via new blockchain distribution ecosystems.

Brillembourg also highlighted how the consumer has changed and how they will change further.

"The change behaviourally has already happened; people are living in a virtual world. They already use virtual currency in their lives, for example, through video games," he pointed out.

Millennials and Gen Z are set to inherit $30 trillion, according to Brillembourg. These generations were born with mobile, social media, the sharing economy and cryptocurrencies. With a strong sense of wanting to belong, and susceptibility to FOMO and YOLO, this market was born to travel.

"Crypto economics allow us for the first time to empower the traveller, putting the digitally native traveller at the centre using the wallet and coins," Brillembourg said.

Ilya Khanykov, CEO, Bartini, Inc, wrapped up the session with a quick presentation on how blockchain could reduce transactional costs. Bartini is prototyping flying cars. According to Khanykov, blockchain reduces the barriers to entry, and will be used to manage the product's back office and make sure the system is safe and secure.

He said blockchain provided a "transparent playground for everyone to find their place, growing ecosystems far beyond what we thought."

GDPR should be viewed as a spring-cleaning exercise

hotelnewsnow.com Featured Articles· 4 June 2018
The best way to make sure your company does not fall afoul of the new GDPR rules is to look at the whole exercise as a way of analyzing, sorting and streamlining data so the information retained makes the company more lean and focused. Maybe for you the 25 May doomsday deadline for the introduction of the European Union’s General Data Protection Regulation came and went with much the same lack of fanfare I remember associated with the Y2K bug. I rather enjoyed the month of mild panic that came with GDPR from largely useless companies with very little to offer.

Benchmarking Your Email Metrics Post "GDPR Cleanse"

MarketingProfs·Requires Registration · 4 June 2018
Are you feeling better or worse now that your "GDPR cleanse" diet has run its course? Those GDPR re-opt-in emails you've been sending (whether you needed to or not) reduced the size of your database. But all other things being equal, your performance metrics, engagement, and deliverability should improve.

What's Hot at HITEC This Year

hospitalityPulse, Inc. ·31 May 2018
The hospitality industry is constantly on the cusp of progressive, guest-centric reform -- but we're seeing this push for technological change influencing this more than ever before. With the widespread emergence of intelligent solutions, mobile technology and more, hoteliers and guests alike have an exciting hospitality experience in store as we move into the future. Eager to stay ahead of those trends which will define the coming years (and big players) in the hospitality industry, hoteliers from around the world will find themselves at the upcoming HITEC conference from June 18th to 21st. HITEC Houston is the world's largest hospitality technology show that brings the most exciting technology and trends from around the world to one place. In anticipation of this year's showcase, we've rounded up a list of what to expect at HITEC 2018.

Smart Rooms

Gone are the days of regular hotel rooms -- 'smart' rooms are positioned to surely take over the hospitality space in the coming years. Using computer systems that link guests' preferences to the hotel room's appliances, smart rooms can tune up a host of specific preferences the minute a guest checks in. This includes temperature, lights, favorite TV channels and streaming services, mini bar selection, room service orders and so much more. Voice integration has also become one of the most buzzed about technology advancements recently embraced by the hospitality industry. Following the widespread popularity of voice-powered assistants, Amazon Echo and Echo Dot devices are being placed in various U.S. hotel rooms so that guests can control the TV, lower the blinds, adjust the room temperature, and make front-desk requests without using a remote.

In fact, since January, properties franchised or belonging to nearly all of the major U.S. flagship brands have tested the Echo Dots.
Further, 400,000 guests have been exposed to Alexa-powered rooms managed by Volara, a voice-technology company for hospitality companies, since the beginning of the year. This allows guests to get immediate answers to their inquiries, while ensuring hotel staff spends less time stuck on the phone. The emergence of voice-powered tech extends beyond hotel rooms, into the travel planning process as more hotel and travel websites are becoming optimized for voice search. This movement entails a combination of traditional SEO strategies and the study of patterns inherent in voice search. Currently, this function is limited to destination-specific inquiries (such as, "What is the best hotel in ______?") versus booking confirmations, but is still an exciting trend to watch.

However, while we continue to embrace this evolving trend of hyper-personalization, it's also imperative that hoteliers remain mindful of data privacy requirements. With the recent implementation of GDPR to regulate and strengthen data protection for individuals within the European Union, hotels are only able to collect data for specific and legitimate purposes. Further, data cannot be captured without specific, documented consent. But with an appropriate balance between privacy measures and personalization established, new technologies, including smart rooms, may offer an interesting prospect for hoteliers and guests alike.

Internet of Things -- Making Smart Rooms Even Smarter

Marriott has recently started experimenting with the utilization of the Internet of Things (IoT) to transform their guests' experience with technology that not only predicts their needs, but personalizes the entire experience.
This movement focuses largely on the utilization of voice-activated technology, as mentioned above.Together with Samsung and Legrand, Marriott has built two different prototype rooms, each programmed with different scenarios for three different types of travelers: a yoga-minded meeting planner; a frequent road warrior; and a family of four on vacation. After guests opt-in to providing their preferences and creating a profile, those profiles are memorized and respective scenes are set for them. This extends to smart mirrors, smart art frames, smart showers and faucets, as well as voice-activated control (and saved preferences) for lighting, temperature, humidity, curtain, artwork etc.. Further, sensor presence technology will know when a guest gets out of bed at night, and will automatically turn on red night-lights that guide the path to the bathroom. AI and Machine LearningAI and Machine Learning technology advancements boast the potential to truly transform the travel experience throughout the booking process and on-property. AI and machine learning will extend to the utilization of concierge robots, digital assistance, voice-activated services, travel experience enhancers, data processing and booking chatbots, and more.Not only will AI robots lessen the transactional load placed on hotel support staff, but they will also help the hotel's guest service model to become more intelligent, responsive and personalized to each guest. With the power of AI, hotels can pro-actively learn about their guests using advanced data analytics that provide an intelligent overview of customer purchases, travel choices, journey patterns and itinerary, location preferences and payment methods etc. AI-driven chatbots can also provide guests critical, personalized information and suggestions regarding booking inquiries, trip scheduling, reservations, itineraries, local attractions and restaurants, and so much more. 
Guests are Now in Control The modern guest not only expects a personalized experience, they want to be in control of their travel experience every step of the way. With the undeniable rise in technology advancements, guests are now provided the opportunity to plan and navigate their travel experience at every touchpoint. In response to this trend, hotels are beginning to leverage their data to gain insights that tailor the online booking process, pre-stay marketing, request management, guest communications and loyalty programs. This also entails the utilization of technology solutions to track the inner workings of the rooms department, including check-in statistics, guest fulfillment, and upgrades and downgrades. Ultimately, this empowers guests to purchase their hotel rooms the way they think of them - as a set of attributes. Guests get more of what they want (more choices and the right guest room), and you get happier guests and higher revenues. Not only does this empower guest to choose their preferred experience model, but it frees up staff to engage with guests in a more holistic, personalized manner.Going to HITEC? Please come by our booth #418 to see our latest hotel technology innovations or contact me on LinkedIn to set up a call or demo.

GDPR: Why Hoteliers Should Take the new EU Regulations Very Seriously

EHL ·31 May 2018
New EU rules on data protection (or GDPR), seven years in the making, come/came into effect on May 25. The advice from IT experts to hoteliers is: take the new rules very seriously or risk heavy fines of up to 20 million euros or four percent of the company's global turnover, whichever is higher.

At the recent Young Hoteliers Summit, staged at Ecole hoteliere de Lausanne, Nick Price, CEO of NetSys Technology and CIO of citizenM Hotels, touched on the challenges posed in a keynote address.

He said the new General Data Protection Regulation or GDPR was significant as the hospitality industry holds a lot of data which are spread over many different operational systems.

In a panel discussion on the future of technology in hospitality after the keynote, he cautioned young hoteliers that their careers in the hospitality industry could end abruptly if they were responsible for a breach.

It's criminal law. You can be fined significantly. Understand that the brand will be impacted, not you, the hotel. If your hotel loses some data, you've most likely given access to all your company's data, given how things are interconnected today. Be aware, this is very real.

Another panelist, entrepreneur Uli Pillau, founder of tech firm Apaleo, said GDPR wasn't taken seriously enough, as had happened with Payment Card Industry (PCI) compliance. "This is a new topic for the industry and very few people understand what it means. There are big risks with that, but the earlier people take it seriously, the better. And I don't see too many hotel groups and hotels which are really taking it very seriously at this point."

"Europe has a very different perspective on individual citizens' data than the United States, for example, and these laws are a response to that," Price said during the panel discussion. "You can expect some fairly significant case law established from May when this law becomes enacted Europe-wide and some companies lose this information. With GDPR, European laws will apply and they will fine these companies serious, big money."

And his advice to the young hoteliers: "Just sit back and think where customer information is actually held, in which systems in the hotel and how many systems duplicate that information. Imagine how you would collate that knowledge and protect that information in those operational systems, some of which are decades old."

Pillau pointed out that legacy systems represent a 'high risk factor'. "The safest way to go is to use token technology which encrypts it entirely, (so that) at the PMS (property management system) or at the hotel level no data is kept which could get outside the systems. I think there are intelligent ways of doing that today."

Suzanne Ward, Director of Digital Solutions at Movenpick Hotels & Resorts, noted that not only the data of customers should be protected, but also employee data such as payroll or HR information. "We need to be extremely careful with that sort of data too."

Price told Hospitality Insights on the sidelines of the YHS forum that the new rules were 'serious' but would also be beneficial. "This is a good thing as it protects fundamental information about human beings from misuse. We have customers who stay with us and because of the nature of our business as hoteliers, we have to capture information.

"We have a trusted relationship with these people. They trust us with their safety when they're in our hotels. In order to have that trusted relationship, we have to be able to demonstrate we can protect the information they voluntarily give us and that's quite challenging. But frankly speaking, (the GDPR) should be welcomed by the hotel industry and it's here for a good reason.

European governments have recognized, he said, that many companies nowadays are "deriving a lot of value" from the use of customer information.

"We, as hoteliers, also need to derive value from that information. We need to be part of that same business model," noting that Google and Amazon make money out of personal information and their valuations are 'significant.'

Hotel companies should also be able to make money out of the information but in order to do that, they have to be trusted with the information in the first place and they have to give a net beneficial return to the customer that stays with them, which they can do. They're uniquely positioned to do that."

"But it begins with trust and you can't be trusted as a hotelier by your customer base, if you don't protect really what is in many senses the most valuable data you have, which is the information (you hold) about that customer. So yes, it's a good thing."

GDPR Is Already Here: A Simple Marketing Guide for Compliance

MarketingProfs·Requires Registration ·29 May 2018
The General Data Protection Regulation (GDPR) initiative has put customers back in the driver's seat. Customers and prospects will henceforth own their personal data and have control over the communications they receive.
Article by Bob Rauch

The Changing Landscape of Hotel Management

RAR Hospitality ·21 May 2018
Shifting demographics and new technologies are primary catalysts for the evolving hospitality business; however, the impact on management is enormous.

Led by revenue management but now including distribution channel management, social media marketing, Web 2.0, cybersecurity, human resources and more, this industry has been thoroughly transformed. The key is to have GMs and corporate executives who understand this.

Here are a few things to consider.

Revenue management may be the single most important element in driving profitability. Today, it is time for the industry to price based on value perception and not just price relative to a competitor. Understanding the true demand in a marketplace is quite scientific. The large quantities of demographic and psychographic information available about the makeup of today's traveler require analytical skills and creativity to correctly respond to the marketplace. Product choices by consumers are influenced by a model of the consumer decision process that stresses the importance of finding the right customer for the right hotel at the right time. Is our guest interested in sustainability, fitness or wellness? Knowing our guest will drive our marketing efforts.

Booking more profitable business is critical as the distribution landscape is expanding beyond online travel agencies, including popular sales vehicles such as meta-search, flash sales and mobile channels. Beyond simple awareness of the different mediums available to sell hotel rooms, hoteliers must know the costs of the variety of distribution channels and the returns expected from each. GMs are the gatekeepers for these channels when a revenue manager is not around.

Next, product quality must be exceptional. Overall service must be at the level of "wow," and there must be a compelling value proposition for the consumer to choose the hotel. Loss of market share is difficult to regain, which means desertion management (asking guests why they did not return) is paramount today and easy to define via social media. Staff service and attitude make a significant difference in competitive advantage in every market segment and these require strong leadership from the GM. No GM can do it all--corporate support is required.

Hotels that can train and motivate their team members will have a much better chance of getting repeat business. It is beyond the basic four-step skills-training method; rather it is adding the component of why they need that skill.

Millennials have become the fastest-growing customer segment within the industry and also have no problems speaking up. If what they are seeking is not handled to their liking, they will turn to Twitter, Facebook, Yelp or TripAdvisor to voice complaints. Reputation management rules, and this is where the GM must be hanging out in the lobby, at the front desk and in the restaurant.

Customer service must include enabling guests to be self-sufficient. For example: if a guest wants to find information using his/her smartphone, providing an app or mobile website that accommodates that information will appeal to many. The rise of this digital traveler requires the hotel industry to balance the expectation of personalization while enhancing the need to remain independent.

International visitors are here now but have been talked about for years, and this group of travelers has increased markedly this past decade. Management must understand the language and culture of these guests as they are arguably the fastest-growing travel segment today and spend more than any other traveler. With the European Union's General Data Protection Plan (GDPR) compliance requirement coming later this year, cybersecurity must be at the forefront of our industry. Security in general must be tightened up with active shooter training and drills for each type of crisis.

The path forward

The transition from art to science in hospitality has caught many by surprise and unfortunately, these are the people and the companies that are falling behind. There will always be a need for great customer service, but today's travelers require both great service and technology. It is crucial that we understand the hospitality industry as it is today because if we focus solely on the art of hospitality, we will be missing out on capturing more business and increasing our profitability. Further, there are legal challenges with human resource management, ADA laws, public relations and crisis management, to name a few.

Are our properties exciting or are they just clean? Do they provide unique experiences or are they just offering the basics? Is there true ownership or management oversight and input or is it absentee management reviewing monthly financial performance? Are our digital assets such as website, social media sites and real-time marketing efforts effective? These four questions will give each of us a hint at where some opportunity lies. Management companies and GMs must utilize this playbook and much more.

This article was first published in Hotel News Now and is reprinted with the permission of the author.

How to Deliver Personalized Guest Experiences in the Age of GDPR and Data Privacy Concerns

Concilio Labs, Inc. ·18 May 2018
Hotels are faced with an interesting dilemma. We're entering a time of hyper-personalization -- guests show dominating preference for hospitality experiences which are more unique in nature and catered to individual needs/expectations. However, riding the coattails of the on-going personalization trend comes the initial implementation of GDPR on May 25th.

For those unfamiliar, the General Data Protection Regulation (GDPR) aims to strengthen and unify data protection for individuals within the European Union (EU). This legislation, which applies to guests and employees, brings with it a large number of changes relating to the use of personal data.

This is where the dueling conundrum lies. With all these rules and guidelines, how will hotels remain competitive in their quest to deliver the exceptional, personalized service guests expect? How can hotels be expected to get personal if they have limited access to personal data?

We're here to break it down for you.

What Constitutes 'Personal Data'?

In order to understand the expectations (and subsequent limitations) of the new protocol, we need to first gain an understanding of what exactly GDPR defines as the "personal data" of guests and hotel employees.

In the case of GDPR, personal data is "any information relating to an identified or identifiable natural person ('data subject')". Basically, this could include an individual's name, identification number, location data, online identifiers, their physical appearance, and more. Consider this the beginning tier of data classification, while other personal information such as political beliefs, biometric data, genetic information, is considered sensitive and is therefore held to a higher standard of security.

Why GDPR?

You may be wondering why this new legislation has come to fruition. Over time it has been noted that the hospitality industry is exceptionally vulnerable to data-related threats. From pre-stay to post-stay, guests are engaged in a near limitless number of transactions, which involve the exchange of sensitive information in addition to credit card data. In fact, according to the Verizon 2016 Data Breach Investigations, the hotel industry accounted for the second largest share of security breaches in 2016.

GDPR has been formulated in an effort to remedy this trend in the EU, compelling hotels to upgrade their data protection processes to meet new, improved standards. Those hotels who do not meet the standards enforced by GDPR will face serious financial penalties, with costs up to EUR20 million or 4 per cent of worldwide annual turnover (whichever is greater).

How Can Hotels Collect Personal Data for GDPR?

While it may seem daunting at first glance, the GDPR legislation shouldn't act as an impenetrable barrier between hoteliers and their guests.

With GDPR in place, personal data must be collected for specified explicit purposes. Further, data cannot be captured (with consent for a specific information exchange) and then used for other purposes, unless consent is readily provided and documented. Let's consider a common example. Imagine a guest has supplied their email address at the time of booking a hotel. Under GDPR's regulations, you cannot use that email for email marketing at a later stage, unless the guest provided documented consent (likely through an 'opt-in' feature) for that use.

Due to the dynamic nature of hotel services and touch points, it's likely that guests' personal details are shared amongst different areas of a hotel's operation (the front desk, spa, restaurants etc.). In preparation of GDPR, hotels' management teams should set aside time to complete a data mapping process that clarifies what data is captured, where that information is stored and how it can be used -- in order to protect and monitor it appropriately.

Hoteliers should also take a closer look at their third-party partnerships, to ensure there is no risk to the security of guest data within those touchpoints, as well. Why is this so important? Under the standards of GDPR, if a hotel is outsourcing the process of data to a third party who is not complying with GDPR regulations, the hotel and the third-party processor can be held jointly responsible if a breach occurs.

GDPR might leave some hoteliers feeling nervous as they prepare for changes to their current data processes, especially considering how many hotels rely on email marketing as a critical pillar to their business model. However, it's important to recognize the opportunity this legislation provides to establish more open communication streams with guests. In order to access and use their personal data, hotels must now develop a communications strategy that allows guests to know exactly what their data is being used for, and why. Essentially, hoteliers will be expected to talk with their guests, in a more holistic and transparent manner, to determine what they want out of their experience.

In many ways, GDPR may ultimately yield a positive outcome for hoteliers and for guests. By forcing an opt-in and being specific about how information will be used, hoteliers will be left with a database of clients that are interested in receiving relevant guest experiences, marketing messages, and perhaps more receptive to booking or becoming loyal to your hotel.

Additionally, it forces hoteliers to become smarter about what data they request and keep. The data which hoteliers must access to satiate and earn the loyalty of modern guests speaks to their preferences. What wine do they like, what type of pillow do they prefer, what other items, service styles or experiences will make their stay more enjoyable? The use of this type of data should be easy to obtain guest consent for, as it will ensure their visit meets (and exceeds) their expectations.
Article by Einar Rosenberg

Texting guests is about to be a HUGE legal liability that can cost a hotel 4% of its annual revenue

TND NFC by Creating Revolutions · 3 May 2018
Every GM knows the equation for implementing new hotel services. Benefit must be greater than the cost. In 2017, the most popular new craze for hotels was text messaging guests. The cost was low and the benefits were high. But in 2018, that cost is going to skyrocket, thanks to the GDPR or General Data Protection Regulation. If your hotel hasn't heard of the GDPR yet, you better learn fast, because it's going to change how nearly every hotel around the world does business. At its core, the GDPR is the strongest consumer privacy and protection law in history. Though the GDPR was created by the EU, it's not limited to Europe, it's global. And starting this May, the GDPR goes active. So why will the GDPR affect guest text messaging services in hotels? Because the GDPR has 4 requirements that text messaging just can't accomplish, leaving a legal liability with penalties of up to 4% of a hotel company's entire annual revenue.

These 4 liabilities include:

1. Usage Explanation
2. Lack of Security
3. Privacy by Design
4. No 3rd Party Protection Barrier

Usage Explanation

The GDPR requires that a hotel give Usage Explanation in "Non-Legalese". For an industry used to giving guests long legal documents that blanket protect every possible liability from alien attacks to the kitchen sink, those days are gone. How can a hotel cover themselves when they cannot use legal language to protect themselves from legal liability? The GDPR also requires a hotel to easily and clearly explain what they will do with the guest's information, how will they use it, by whom, where and more. That is a herculean task, considering today's hotels use complex algorithms and artificial intelligence to process a guest's information. How can you easily explain such complexities to the average guest? Add in explanations about how the guest can easily opt in and out, and the average 140 character text message your guest is used to, will now be as long as a 19th century Russian novel.

Lack of Security

The GDPR also has security requirements. Not good news for something like text messaging, which never had any real security and never will. The first text message was sent in 1992, back when dialup modems ruled the world. Since then, the technology has barely changed from that first SMS. What's worse is that SMS is an integral part of Signaling System No.7. More commonly known as SS7, it is a critical part of the architecture that basically all mobile phone systems are built on. The reason SS7 means trouble for SMS is because in 2017, access to the SS7 network started being offered by hackers on the dark web for just $500. With as little information as a phone number, you could now not only eavesdrop on text messages but manipulate or even block messages. The SS7 vulnerability can even track a person without the need of using a virus or malware. Text messaging has no encryption and its infrastructure is a closed loop system that has no identity confirmation, so anyone can access it today and no one would even know it.

But it's not the mere possibility of text message hacking that is the problem. The problem translates into real dollars lost for hotels. Imagine someone creating random messages to your staff, sending them in all directions of your hotel property, based on false requests. Or requesting expensive services or products that get delivered to a guest who hasn't asked for it. And imagine a guest receiving a message they thought was from the hotel, with a link that says billing invoice, which ends up installing a virus into that guest's phone. These days, it doesn't take some sophisticated hacker to screw with your business. Just about anyone can buy hacker software or hacking services, which can steal from your hotel or create chaos. The most popular ransomware today is easily available to anyone for as little as $20. How secure are you feeling about the security of text messages now?

Privacy by Design

A more interesting requirement of the GDPR has to do with requiring a system to include privacy by design. Here is how the GDPR explains it: "Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition." Not one text messaging service used today has an original design that includes privacy as a core element of the design. And adding privacy now to their existing system is not allowed. The only choice a service provider would have is to build their whole system from scratch, and even then, it still wouldn't meet the security liabilities inherent in text messaging. By the way, the SS7 vulnerability was shown publicly in 2014, so any companies that try to state their original design was based on the privacy liabilities of the time, better make sure their original design is older than 5 years ago.

No 3rd Party Protection Barrier

The fourth liability has been a key protection for most companies today. If they use a third party service and the third party gets hacked, the client company is not liable. The GDPR will not accept that excuse. In fact, the 3rd party providers won't accept that excuse either. Take a look at what Twilio is telling their clients. Twilio is hands down the most popular text messaging infrastructure service today, used by 1000's of Apps and web service providers. In fact, Twilio has a 59.85% market share in the US. So what does Twilio have to say to their clients, as to how well protected they are against GDPR?

"Your responsibilities under GDPR will depend on the nature of your business and your personal data processing activities. Nonetheless, broadly speaking, GDPR requires that personal data be:

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
3. Adequate, relevant, and limited to what is necessary for achieving those purposes
4. Accurate and kept up to date
5. Stored no longer than necessary to achieve the purposes for which it was collected, and
6. Properly secured against accidental loss, destruction or damage.

What's the definition of "personal data" under the GDPR?

Personal data means data that relates to an identified or identifiable natural person (aka "data subject"). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Importantly, this is a very broad definition and can encompass data like IP addresses of a user's personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID). What matters is that the information can be used to "pick that user out of the crowd" even if you don't know who that user is. It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifying information (PII) are under many US data breach laws. So, even if it seems like there would be little privacy harm if someone got ahold of your users' IP addresses that does not mean that those IP addresses are not personal data. It just means that this data may not require the same level of data protection as more sensitive personal data like your users' credit card numbers."

So what does this all mean for companies who used to feel a barrier of protection, via a middle man? Sounds like those middle men are telling you, "Good Luck with That".

In conclusion, text messaging is a convenient technology to use, and key to its use includes the most important identifiers about a guest, their phone number, which is running on the most essential informational device in your guest's life. Does any hotel really want to risk liability on a decades old technology with no real security? Especially with the GDPR and other legislations being released, as well as multiple class action lawsuits, and thanks to Facebook, the strongest consumer sentiment in favor of privacy ever, all occurring NOW?

Two supplemental points to consider:

1. What business in the US today has the highest concentration of tourists? Answer, hotels, hence why they are the most susceptible to these new privacy laws. Think about it for a second. Both retail and restaurant are not likely to get a foreign tourist to sign up for anything or to keep any personal details about them. This is completely the opposite of a hotel which usually asks many pieces of information which they store, including the person's name, credit card information for later charging, etc. For foreigners they often request their passport as well. So hotels are the most likely to be affected by the GDPR.

2. Why are text messages and chat the highest vulnerability for hotels? Answer, it's the most important and relevant single identifier of a person. Data, especially coming from multiple sources is useless if you don't have a single consistent identifier to connect all that data together. Now think about this for a minute. There are 1000's of John Smiths out there, so names won't work as a key identifier. And practically everyone has more than one email address. As for addresses, people move. But the mobile phone number is the only consistency no matter what. With number portability, it's now easy to carry your mobile number to a different carrier. And with nearly half of all households now mobile only, even when a person moves, they keep their phone number. Even if it's a different area code, or they change jobs or anything, they always take their phone number. Now this isn't just for text messaging but also for the most popular form of chat used today by Europeans, which is WhatsApp. WhatsApp doesn't use a username but rather a phone number as the key identifier

Aligning Software with the Human Touch

Pegasus · 2 May 2018
As the General Data Protection Regulation (GDPR) looms and goes into effect within weeks, it's more critical than ever to ensure that consumer data is managed within the parameters, while also enabling hoteliers to build better relationships with their guests. The question is, what is the process that aligns the human touch and software to build and strengthen those guest relationships?

Convert - Converting means turning phone calls and web visits into booked reservations. Boosting conversions means the right offers are delivered to the right person. Direct bookings are often the result of consumers being given relevant offers so they don't book through other channels. Personalized content, like recommendations based on previous stays, or offers based on buying personas, can help. For example, maybe the offer is a free shoe shine for a business traveler, or wine upon arrival for a personal stay. People love personalization. Give your guests personalization, and they'll gravitate towards your brand.com offerings.

Connect - Connecting means fulfilling the guest's needs. The key is having the right software, and using it within the parameters of GDPR, to know what those needs are. With the right software, hoteliers can connect offers, rooms, and features based on data already stored in the software program, or automatically pull data found on open social sites. Hoteliers can gain a deep understanding of who their prospects and guests are, what they care about, and ultimately how to influence their purchasing decisions. Of course, delivering this level of personalization requires granular data. Luckily, some systems on the market deliver tools that determine personalization opportunities and present them to your guests.

Engage - Understanding your guest is critical to being able to engage with him or her. These days - thanks to research, big data, and social media - hoteliers can create detailed profiles of their guests much more easily than they could in the past. This not only helps with personalization but can predict future behavior as well. Again, within the parameters of GDPR, the ability to predict needs is a powerful tool. It can improve the overall guest experience. Guests want to feel that not only are they receiving value, but they are being treated like someone with whom you're engaged.

Successful hotels understand the importance of taking a holistic approach to personalized guest interactions at every touch point, within the bounds of GDPR. With the right hotel software that pulls guest data from outside sources and delivers the right offers--hoteliers can enhance the total guest journey. Hoteliers can then forge long-lasting relationships in ways that only technology intersected with the human touch can deliver.

Top Concerns Hotels Need to Know About the GDPR and How to Prepare Your Action Plan

HEBS Digital ·23 April 2018
What is the GDPR?

The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and regulates how companies manage, use, and share personal data. The GDPR will take effect on May 25, 2018. The GDPR applies to natural persons, whatever their nationality or place of residence, whose personal data is processed and whose behavior is monitored while within the EU. This change in legislation means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies begin to adapt.

The foundation of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, and expands on these privacy measures in two critical ways.

The definition of and requirements around personal data have been expanded. First, the GDPR defines personal data as any information that can be used to identify directly or indirectly a data subject, such as an online identifier like an IP address. The GDPR sets a higher standard for collecting personal data than ever before. By default, any time a company obtains personal data on an EU resident, it will need a legal basis for collecting that data, such as explicit and informed consent from that person. Even more importantly, users also need a way to revoke that consent, and they can request all the data a company has collected on them as a way to verify that consent. These strong regulations explicitly extend to companies based outside the EU.

The penalties are more severe. The GDPR's penalties are severe and have two tiers of fines. The maximum fines per violation are set at up to four percent of a company's annual global revenue or 20 million Euros, whichever is larger. The lower level fines are up to two percent of a company's annual global revenue or 10 million Euros, whichever is larger.
These penalties far exceed fines allowed by the Data Protection Directive, and it signals how seriously the EU is taking data privacy.

Get to know the facts. Avoid misconceptions regarding the GDPR:

The GDPR affects hotels across the globe: The GDPR applies to all properties that target EU residents as customers no matter where they are located. This means that the GDPR affects all hotels in the US and locations around the world, not just Europe.

Hotels are liable for the GDPR: Regardless of your partners or solutions provider, the hotel (who according to the GDPR would be considered the data controller) is ultimately responsible for using tools that are in compliance with the GDPR.

One price point for all of the EU: Commonly overlooked regarding the GDPR, it's important to note that hotels cannot use profiling to set prices based on an EU visitor's location.

How does the GDPR apply to your hotel's online data policy?

The GDPR affects your hotel's data policy regarding EU website visitors in six main ways:

Getting consent: Visitors to your website must understand exactly how you are planning on using their data, and the legal basis for why you are collecting the data. Unambiguous and affirmative consent is a key part of GDPR legislation and it is important for any hotel website that collects personal data to obtain specific permission to use it in the course of their business. If you are requesting consent from the customer, the user must agree to each specific purpose. That means if you have someone's email address who booked with your hotel, you are only allowed to market to them if they have explicitly agreed to this. Similarly, privacy notices may require rewriting to be in line with the GDPR rules. Privacy Policies and Terms of Service must be simple to understand and free of jargon (a good rule of thumb here is that a 16-year-old should be able to understand the Terms of Service).
Accessing data: A main component of the GDPR is being fully aware of who has access to personal data that is logged and stored on your hotel website's content management system or database. The first step is to understand exactly who has access to this data and compile a list. Next, examine the list and ask whether all of these people require access to this data. If the answer is no, permission should be revoked and measures must be implemented to control future access. There must also be a robust process in place for deleting data that is no longer relevant or required, as companies are not allowed to hold on to this for any longer than is absolutely necessary.

Data accountability: Regardless of your solutions provider, hotels are ultimately responsible for using tools in compliance with the GDPR. In light of this, hotels should audit any external agencies they use that might have access to their data to ensure that their procedures are compliant. As the data owner (controller) you are ultimately responsible for this, even if you have outsourced elements of the process, so keep a record of measures you have taken to ensure all partners are acting in line with the GDPR regulations. All of your partners should be able to clearly explain what measures they have taken to maintain maximum security of the data you provide.

Data accuracy: All personal data must be accurate and kept up-to-date. Every reasonable step must be taken to ensure that personal data is correct in regard to the purposes for which data is processed, and that personal data is erased or rectified without delay if inaccurate.

Data minimization: Websites should collect only the minimum amount of customer data to do the job, as well as adhere to the "storage limitation principle" which mandates that personal data must be stored for no longer than is required and that individuals must be informed about the planned use of personal data.
Data portability and the "Right to be Forgotten": All website users have the right to receive their personal data that was previously collected in a readable format, as well as own the "Right to be Forgotten" which grants consumers the ability to easily have all of their data deleted from the hotel database.

How can your hotel prepare for the GDPR?

The GDPR affects your hotel website, data strategy, digital marketing, and online merchandising. Below are the top ways you can prepare for GDPR:

Preparing Your Hotel Website

It's important to ensure that all web forms and website cookie usage are in line with the GDPR. Your website's Privacy Policy and Terms and Conditions should also reflect the GDPR to ensure that everything is in compliance.

Update your Privacy Policy and Terms and Conditions. First and foremost, your hotel website's Privacy Policy and Terms and Conditions should be updated to reference GDPR rules and regulations. In particular, you will need to be transparent with what you will do with personal information once you've collected it, and how long you will retain this information on your website and in any other databases.

Ensure your website is secure. Your hotel website should have an SSL (Secure Sockets Layer) Certificate to ensure that all data processing through the website is secure. If your website has an SSL Certificate, the domain will begin with "https," rather than "http." SSL Certificates secure all of your data as it is passed from your browser to the website's server.

Ensure cookie consent. Website visitors from the EU must provide consent for your hotel website to enable cookies that are used to identify an individual. Like all other consent under the GDPR, consenting to cookies needs to be a clear affirmative action. Hotel websites should present clear terms of service regarding cookie usage with an opt-in box. Do not include pre-ticked boxes on the consent form, as this is against the GDPR regulations.
It is important to note that the hotel website should not compel users to accept cookies in exchange for information, and the hotel must also have a legal basis under the GDPR to use an EU visitor's IP address to personalize content or identify a user's device.

Ensure the ability for people to opt out or erase their personal data. The GDPR clearly states that a data subject should be able to withdraw consent as easily as they gave it under the "Right to be Forgotten" clause. Controllers must inform data subjects of the right to withdraw before consent is given.

Update email opt-in to default to "No" and include specific check boxes for every opt-in. Forms that invite users to subscribe to newsletters or indicate contact preferences must default to "no" or be an un-checked opt-in box. You should also ensure that users provide consent for all ways your hotel will be utilizing their data. For instance, if a user is opting in for email newsletters, this does not mean they are opting in for that email to be used for look-a-like audience marketing. Ultimately, hotels must set up a specific checkbox or form of consent for each separate use of guests' data. And finally, to ensure that you are in complete GDPR compliance, it's important to implement a double opt-in process.

All web forms must clearly identify named parties. Your web forms must clearly identify each party for which the consent is being granted. It is important to note that it isn't enough to state specifically defined categories of third-party organizations; they must be named in full. For example, your consent form cannot simply say third-party ad networks; it needs to specifically name the ad networks where ads will appear.

Preparing Your Data Strategy

Once you've collected user data from EU residents or anyone living within the EU, it's important to follow key protocols regarding the use and removal of this data.
It is also extremely important that everyone covered by the GDPR has an easy way to access and download any of their personal data collected. Here are some key considerations regarding your data strategy:

Provide EU visitors with easy access to download personal data. Your hotel website should provide a request form where EU website visitors can request personal data.

Do not keep data for longer than required. While the GDPR does not state a specified timeframe that limits data storage, it's a good idea to scrub customer data once or twice a year to ensure that all data is accurate and up-to-date. Any inaccurate or incomplete information should be deleted and the hotel is responsible for clearly stating how long the information will be stored within the privacy policy.

Allow easy consent opt-out to address the "Right to be Forgotten" and grant EU website visitors the ability to delete their personal data. Your data strategy must allow for website visitors who previously consented to any use of their personal data to easily opt out or "erase" their data, as well as update their opt-in preferences. This user experience should be just as seamless as opting in and be easy to navigate on the hotel website.

Preparing Your Marketing Strategy

The GDPR impacts your email marketing strategy, display remarketing strategy, and any display that utilizes owned customer data for targeting.

Make it clear which third-party vendors will be utilizing EU customers' personal data. When prompting users to opt in to cookie consent or to access their customer profile data for marketing purposes, be sure to clearly list the name of the ad networks and third parties that will be utilizing these cookies and accessing this data for retargeting and building look-a-like audiences.

Ensure that all third parties and ad networks are in compliance with GDPR.
Have your marketing agency or internal marketing department reach out to any third-party vendors or ad networks to ensure that they are GDPR compliant and have taken appropriate measures.

Only use data for the intent in which the EU user opted in. When an EU user grants permission to use cookies or opts in to an email marketing list, only use the data for the marketing for which the user opted in. This means if the user only opted in for remarketing, you cannot use the data to build look-a-like audience targeting. Or, if an EU user opted in to a monthly email newsletter, the user's email address should not be used for other marketing purposes.

Overall, it's not only important to familiarize yourself and your hotel staff with the GDPR, it's also important to ensure that all of your bases are covered. To be ready for what's next on the official launch of the GDPR on May 25, 2018, check out additional resources from the UK Information Commissioner's Office and review your policies with a data privacy consultant and your legal team.

GDPR in the EU and UK: AETHOS' 3 Steps for Complying with Employer Responsibilities

AETHOS Consulting Group · 6 April 2018
GDPR. Four letters of the alphabet that are proving to represent one of the biggest challenges facing businesses in 2018. The General Data Protection Regulation (GDPR) comes into effect on 25th May across the European Union, including the UK, and impacts any organisation that operates within the EU that processes data of EU citizens wherever they may be in the world. How organisations hold, store and process personal data will now be subject to higher and more consistent scrutiny - with potentially significant penalty for non-compliance.

AETHOS Consulting Group's London Managing Director Chris Mumford emphasizes that much attention is already given to how customer data is handled under GDPR, especially in the hospitality sector where hotels process a high volume of personal information and payment data. "GDPR not only impacts how a business interacts with its external customers but also how it manages data internally with regard to its employees. In an industry such as hospitality where the labour force is so often highly diverse and comprised of multiple nationalities, most organisations will be affected by GDPR."

Mumford spoke exclusively to Adele Martins, Partner and head of the Employment Department at law firm Magrath Sheldrick LLP, who clarified that GDPR is considerably stricter in its requirements than the UK's Data Protection Act (DPA). Mumford and Martins highlight a number of key features hospitality employers should consider as they address compliance with the new regulations:

- What qualifies as 'sensitive data'? People will regard information about their health or their sexual orientation as more confidential. Technically Sensitive Personal Data or Special Categories of Data include information about a person's race or ethnic origin, their health or sex life, their sexual orientation, political opinions, religious / philosophical beliefs, trade union membership and genetic and biometric data.
- How is employee consent defined and best obtained? The GDPR makes it clear that consent must be freely given, specific, informed and unambiguous. It can no longer be implied from silence, pre-ticked boxes or inactivity.
- Regarding businesses which have external suppliers that are exposed to personal employee information (i.e. payroll providers), where does GDPR compliance lie? With all parties. The advice to controllers is to have appropriate agreements in place with providers to ensure that those providers (processors) are contractually obligated to process data appropriately.
- Would a hotel in New York which employs a French national in the kitchen be subject to GDPR? So, a hotel in NY employing a French national is processing the personal data of an EU national but that EU national is not within the EU. Does that mean they are off the hook? No. The EU national is still likely to be protected by the GDPR - not least because they are bound to return to the EU at some point and the processing will not stop when they do.
- What are the sanctions for failing to comply? The maximum sanction under the GDPR is a whopping Euro 20,000,000 or in the case of a corporate undertaking 4% of global annual turnover - so potentially much higher than the maximum Euro 20 million figure.

Mumford and Martins urge hospitality employers to immediately manage three critical steps to prepare for the GDPR compliance deadline:

- Dedicate data protection personnel internally and at a senior level;
- Appropriate security measures to ensure that personal data is properly stored, securely processed and retained only for as long as necessary;
- Clarify Privacy Notices to ensure that the individuals in question understand what data they are providing.

Are You Ready for GDPR? [Infographic]

MarketingProfs·Requires Registration ·29 March 2018
The EU's General Data Protection Regulation (GDPR) is set to go into effect on May 25. It will dramatically change current data privacy laws throughout Europe, strengthening the protection of personal data. If they want to avoid hefty penalties, companies that conduct business in the EU—or even process personal data originating from the EU—need to ensure their business practices adhere to the new law's strict guidelines.

Hospitality Talk (UK) - Episode 2 - GDPR and Amazon Alexa

Chocolate Pillow | By Matt Shiells-Jones·26 March 2018
IT’S HERE…… Hospitality Talk Episode 2 – I know I said in some social media posts I would likely talk mergers and acquisitions and also hospitality apprenticeships, but to be fair, I was tired and couldn’t be bothered after a Sunday morning as duty manager in a Manchester city centre hotel!! So this briefly covers GDPR and the use of Amazon Alexa in hotels!

What GDPR Means for Marketers [Infographic]

MarketingProfs·Requires Registration ·26 March 2018
Half of UK and US marketers say the European Union’s new General Data Protection Regulation (GDPR) law will make their marketing efforts more difficult, according to recent research from Act-On. The report was based on data from a survey of 200 marketing professionals in the United Kingdom and the United States.
Article by Norman Harvery

GDPR, the New Regulation for Personal Data in 2018

HospitalityTechGuru ·26 March 2018
GDPR, what is it and why is it important for the hospitality sector?

The EU and the United Kingdom are currently governed by the Data Protection Act of 1988. This law was enacted following the 1995 data protection law of the EU, which was created long before the internet and the cloud opened up new ways to share data. GDPR will give people more control over how their personal data is used. Today many companies, such as Google, Facebook, Twitter, and other social media and marketing companies, swap user data to provide services, and GDPR has been designed to protect all EU citizens' privacy. GDPR will protect all information related to a name, a picture, an email address, credit card information, banking details, timeline posts on social media websites, medical information, or a computer IP address.

What is GDPR?

The General Data Protection Regulation (GDPR) is a most important regulation in EU data protection law that will unify and strengthen data protection for individuals in the European Union. The European Commission first published GDPR in 2012 and, following 4 years of discussions, it was adopted in April 2016. This regulation will replace the existing data protection act. Its arrival on 25th May 2018 will bring major changes to data protection law and harsh penalties for those who don't comply with this regulation.

What will be the impact of GDPR on the Hotel Industry?

The hotel business is considered one of the most exposed to data threats. According to Verizon's 2016 Data Breach Investigations Report, the hospitality industry accounted for the second largest share of security breaches when it comes to lost cards following a data breach. This isn't a surprise, with guests handing over card details and hotels processing information on a daily basis, which attracts highly motivated financial criminals.
Hotel software will need to adhere to the new GDPR rules and give management and IT admins the settings and access needed to purge data that a guest does not want the hotel to retain.

Things to consider before adapting to the regulation

One of the primary issues for a hotel is data discovery. Hotels receive guest payment card information through a website, phone, email at the time of checkout, SMS and WhatsApp chats, fax, etc., and this data often ends up in multiple locations. When management is aware of where and what information is stored, they will be able to process the information to protect it.

Then, hoteliers need to secure and compile their website. The business must have access to the data it stores, and must have the ability to change or delete this information. It must also be able to prove its system activity to the relevant authorities through logs, in order to track and oversee actions on its network resources when necessary.

Hotels should now become more cautious about their third-party partners, so that those partners don't prove a threat to the hotel's business in terms of data protection. An important aspect of GDPR is that data processors are captured by the regulation as well as data controllers. For example, if a hotel, as a data controller, outsources the processing of data to a third party that is not GDPR compliant, the hotel will be held responsible if any data breach occurs. Current credit card sharing practices between OTAs, hotels and other third-party service providers will need to change drastically.

In order to comply effectively with GDPR, it is vital to conduct regular staff training on how to securely handle card information. Educate staff that it's unsafe to write down or email card details and sensitive information.
They must also be advised on how to create strong passwords.

Under GDPR, if you find your hotel has suffered a security breach, the breach must be reported to the authorities and all stakeholders within 72 hours of its discovery.

Will GDPR only apply within the European Union?

Although it's an EU regulation, GDPR will apply to any organization, regardless of location, that is processing or holding EU citizens' personal data.

Given the large uncertainty surrounding Brexit, this regulation is causing some confusion for British hoteliers who do not hold any EU data or do not operate their business overseas. The British Government announced that all UK companies, including hotels, need to comply with the regulation regardless of Britain exiting the EU.

What if I am not compliant?

If a complaint is received from an EU citizen, the penalties for not complying with GDPR are harsh. The maximum fine is set to 20 million Euros, or 4% of the annual global turnover (whichever is the greater). However, this loss can be easily avoided if the hotel leaves enough time to efficiently adapt to the regulation.

Hotels should start complying as soon as possible

The reality is that hotel operators tend to keep customer information in several different places, like the central reservation system, web booking engines, property management system, point of sale, e-mails, and credit card authorization forms.
Simply put, there are too many places where the data is vulnerable to theft and intrusions are possible.

The need for GDPR is largely technology driven. Today's guest expects a seamless experience, and hence more and more technologies are sharing data, giving rise to data swaps and possible intrusions and hacks.

It is important for organizations to start complying with the regulation as soon as possible in order to ensure they are prepared for enforcement before May 2018.

Important facts and actual policy implementation requirements

Internal processing - Businesses must provide detailed information on the need to process personal data and how long they plan to keep it. This procedure involves an organized retention policy, so the business knows the status of such information.

A hotel must keep system logs, user activity logs, and technical records, and obtain the necessary certificates to prove it is protecting data. These help businesses show the supervisory and regulatory authorities that the important mechanisms are in place.

Hotels need to include an option on their websites that mentions "opting in," which helps hotels to store guest data. They must also explain the section and process that enable guests to access, modify and delete their data. This poses a significant threat to information when it is held in different places.

We highlight a few things to consider while planning for improving security

Malware was one of the major threats and the reason for 94% of breaches in the hospitality sector. So install better anti-malware security, update virus definitions on a regular basis and maintain logs.

When it comes to GDPR compliance, conduct regular staff training on how to securely handle card information. Educate staff that it's unsafe to write down or email card details and sensitive information. They must also be advised on how to create strong passwords.

Payment gateways are one of the primary ways to store guest card details.
Most hotel properties need a third-party vault provider. By using these vaults, the sensitive information is removed from your custody and you are given a tokenization system that can be used for billing. By using this integration, you move the risk of storing data to a third party who specializes in doing that and has all security controls in place to keep the sensitive information safe.

Summary

- All hotels must be prepared and comply with GDPR before the deadline date, i.e., 25th May 2018.
- GDPR is applicable to all businesses, regardless of location, that handle EU citizen data, and non-compliance will attract hefty penalties.
- This act is applicable for business in the UK, despite the aftermath of Brexit.
- Data processors are also covered by the regulation.

Certainly, adapting your hotel to comply with the new regulation will be difficult. But the resulting benefits will improve the hotel's key performance, allow management to know where all of their confidential information is stored, and ensure their customers get a secure and satisfying service.

Subscribe to technologies that are PCI compliant and get trained to avoid data breaches and hefty financial penalties.

"Guests nowadays care about their privacy and they expect hoteliers to respect that".

Concilio Labs CEO Terri Miller Talks About the Impact of GDPR on Hotels and Their Guests

Concilio Labs, Inc. ·15 March 2018
Recognized as an industry expert on hospitality technology, eCommerce, and business intelligence, Terri Miller, CEO and co-founder of Concilio Labs, discusses the impending European General Data Protection Regulation (GDPR) and what that means for hoteliers.

Why has GDPR become such a top-of-mind issue for the hospitality industry?

The May 2018 deadline for GDPR implementation will significantly change the way hoteliers handle guest data. Having guests' personal data stored in the cloud has become a necessity for today's hotelier.

Until now, fines for breach of data protection regulations were limited and enforcement actions infrequent. GDPR, on the other hand, promotes the risk of costly penalties in the event of incompliance and data breaches.

Even though GDPR applies specifically to EU countries only, in today's global society, it is likely that most hotels touch EU citizens in some form or fashion - and so they must comply with regulations. GDPR is also seen as a "first move" towards greater information transparency and security overall, and thus many savvy hoteliers, even those outside of the EU, are using the new regulations as a way to get their marketing, data management, and privacy programs into shape.

How do you see the GDPR affecting hotel companies' strategies and habits over time?

Fundamentally, GDPR requires hotels to be transparent about what data they collect as well as to take responsibility for what they, and their partners, do with that data. Many industries, including hospitality, are struggling when it comes to winning and keeping their customers' trust. GDPR is about bringing consumers into the data ecosystem by allowing them to see, access and consent to the data that companies have and utilize.

How do you see the GDPR affecting guest expectations and behaviors?

The processing of personal data should be designed to serve the guest. If hotels don't honor that principle, guests will become distrustful and certainly less loyal.
They may even begin to lie when asked for non-essential information. They may also shame brands that don't follow the GDPR standards of transparency and choice.

We need to make guests feel as if a data exchange is beneficial - better data for better guest experiences - vs. data used simply for the purposes of mass-distributed marketing.

In the short term, hotels can look to GDPR as an opportunity. Among many regulations, GDPR requires hotels to ask customers to "opt in" to marketing communications. By playing their cards correctly, hotels can use their opt-in as a chance to re-engage with guests and educate them on the benefits of data sharing to improve the guest journey.

I believe that most guests will be happy to grant access to their data if their needs are being met.

The GDPR introduces the concept of profiling. How will that impact hotel marketing and personalized guest service practices?

The GDPR describes profiling as any form of automated processing of personal data, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

For hoteliers, the ability to leverage guest profiling is essential when it comes to personalized, relevant marketing and services. Not only can profiling deliver benefits to the hotel, it can also deliver benefits to guests by tailoring services and offers to align with their preferences, interests and guest history. Hoteliers will need to ensure that all profiling has met the core GDPR requirements including data permission, data access, and data focus - and honor any requests or objections from guests.

For some hoteliers, it will require very little change.
For others, it will require a whole new set of data management systems and processes.

What do hoteliers need to do next when it comes to GDPR?

To start, hoteliers must prioritize based on their resources, locations, guest expectations and risk profile. I think the most critical first phase is to audit the data they already have and develop an efficient and robust record-keeping system to prove compliance. The next step is to do a privacy impact assessment of all sources to determine when it seems data could be put at risk and respond quickly to mitigate it.

GDPR offers a unique opportunity to develop completely new ways of working that are based on the key principles of trust and transparency. Ultimately, in the long run, data protection and privacy will become more of a brand differentiator, so those who do the right thing will win.

Concilio Labs is working with clients to ensure their data gathering and storage protocol for its Insight Engine product remains compliant with GDPR regulations.

To learn more about Concilio Labs' Insight Engine and how it can transform your guest personalization, visit conciliolabs.com.

Getting Ready For The GDPR: What Hoteliers Need To Know

ALICE ·15 March 2018
Introduction

ALICE has been working hard to fully understand the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and its obligations on us and our customers. We'd like to share what we've learned in order to help hoteliers and anyone else who has to figure out what is going on.

1. What's the GDPR and why should I care?

In essence, the GDPR was brought into effect to strengthen and unify data protection for all individuals within the European Union (EU). Building upon the 1995 Data Protection Directive (Directive 95/46/EC), the GDPR was approved by the European Parliament, the Council of the European Union, and the European Commission on April 14, 2016. After a two-year transition period it will become enforceable across the 28 member states on May 25, 2018.

The GDPR gives power back to the consumers by forcing companies to become transparent in how they are collecting, storing, and sharing their customers' personal data. Although the GDPR applies to any organization or business collecting data on EU citizens, the nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.

As ALICE grows and expands to new markets, we are complying with the GDPR to ensure our privacy settings are being adequately integrated, allowing our partners to adapt at every stage of the life cycle of customer personal data.

2. Which hotel staff need to know about the GDPR?

Decision makers and key people in EU and EEA-based hotels should be aware that the law is changing to the GDPR. This would include at least the following roles, if they exist: General Manager, Head of Marketing, and the Revenue Manager. Each of these roles deals with a significant amount of customer and employee data. These leaders should read this FAQ and look further into how to comply within the areas they are presiding over.

3. What kind of information should a hotel be cautious with?

All data about persons in the EU are covered under the GDPR. This includes both guests and employees. Hotels should document what personal data they hold, where it came from and with whom it is shared. Hotels may need to organise an information audit.

"Personal data" is any data about an identifiable person. A person can be identified by their name, phone number, email address, reservation number, IP address, or any information that allows them to be uniquely identified.

The GDPR grants extra protections for "sensitive data." This includes personal data that reveals any of the following:

- trade union membership, which may be revealed by event attendance
- biometrics for the purpose of uniquely identifying someone, such as a fingerprint stored for opening doors
- health status, which may be disclosed in guest requests
- sex life or sexual orientation, which may also be disclosed in some guest requests

The following are less likely to show up in hotel systems, but should still be understood to be sensitive in case they do show up:

- genetic data
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs

All of the above types of sensitive data can only be handled with explicit consent. If this kind of data is collected incidentally, it should be removed immediately to avoid undertaking new obligations for the protection of that data.

4. How does GDPR affect the software hotels can use?

All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR.
The DPA must dictate the purposes for which the processor is processing the data.If a hotel is using a software given to it by its brand or flag, it may not be in complete control of how the gathered information will be used. In that case, as joint controllers of the data, the hotel and its brand would need to draw up a contract that explicitly states their relationship with regards to managing data. Both parties would need to communicate the relationship to both guests and employees.5. Can EU hotels use software vendors or software on servers based outside the EU?Yes, but there are limits to how data can be transferred outside of the EU/EEA. Most major cloud service providers and many other companies, such as ALICE, have systems in place to address these rules. To confirm that a cloud service is compliant with the GDPR, hoteliers need to make sure:They have a Data Processing Agreement in place. These agreements are required for all data processors, not just international ones (GDPR Art.28[3]).There is a lawful basis for transfering the data (GDPR Rec.39, 40, 41; GDPR Art.6[1]), which can be through the service provider's membership in the Privacy Shield, signed standard contractual clauses, or other mechanisms allowed under the GDPR. Most companies will be relying on the GDPR's standard contractual clauses.The transfer is mentioned in the hotel's privacy policy and the purpose of the transfer is explained.6. 
What do hotels need to do about their vendors?For each vendor that processes guests' personal information, a hotel needs to do the following:Determine the type of data the vendor processes.Determine the purpose for which the processing is happening.Obtain a Data Processing Agreement.If the vendor is outside the EU, sign the standard contractual clauses (usually part of the Data Processing Agreement mentioned above), or confirm that the vendor is a member of the Privacy Shield.Mention the vendor in the hotel's privacy policy, along with the purpose of the vendor and how the data will be used.Confirm that the vendor can handle data rights requests with a SLA under one month (e.g. 25 days).7. How should a hotel communicate privacy notices to guests?You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.Hoteliers may need to speak with customers at check-in if explicit consent is required for any forms of data collection that require it, such as consent to marketing communications. All loyalty programs need to be examined for similar requirements if data is used in a way that requires consent.8. Do hoteliers or vendors need to encrypt their databases?It depends. The GDPR recommends that companies take steps to protect all personal data, but it does not specify what those steps have to be. Instead, companies are asked to identify the risks to personal data and do what is appropriate for those risks. 
Encryption is one of many options available to protect data, but it is not specifically required by the GDPR.Article 32 of the GDPR gives the following options, none of which are strict requirements, but which should be considered for their benefits to your guests' data privacy:the pseudonymisation [obscuring the identities] and encryption of personal data;the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.9. How can hoteliers make sure they are able to honor requests for data portability, correction, or erasure, a.k.a. "the right to be forgotten"?Customers, employees, or anyone whose personal data is stored at a hotel may request that their data be erased. They can also ask for a copy of all of their data (right to data portability) or for their data to be corrected. There are cases in which this does not need to be honored, for example if there is an ongoing contractual or legal requirement to retain the data. But in most cases, the request will need to be honored. Recital 59 of the GDPR requires these requests be answered within one month. This period can be extended under exceptional circumstances, by requesting for another month.In order to be able to handle these requests in time, hotels need to plan in advance how requests can be honored. Each location where data is stored should be mapped out with a plan on how to address the rights request for data in that location. Each vendor also needs to be vetted to confirm they have a similar plan in place. Vendors should have an SLA that is less than a month (e.g. 
25 days), in order to give time for communication between you and the vendor on each end of the process when a request happens.For data portability requests, the law requires the data be given to the customer in a standardized format for transfer to other companies. Since at the moment there is no industry standard for this kind of data to be transferred from a hotel, you must use a generic but easily transferable format, such as text files with headers and comma-separated values.10. How should hotels handle children's data?Within the EU/EEC, a "child" is defined as someone younger than a country-defined age between 13 and 16. For most cases, hotels will not need to rely on children's' or parent's consent to process guest information, since the primary basis for data processing is handling reservations. However, in cases where consent is the basis for data processing, for example, for marketing purposes, children's data needs to be handled with extra care.You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity. Children's data can only be handled with explicit consent when consent is required.Best practice is to avoid collecting and storing data about children unless it is legally required or absolutely essential for handling a reservation.11. Do hotels need to hire Data Protection Officers (DPOs)?You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements, even if you are not formally required to have a DPO. You should consider whether you are required to formally designate a Data Protection Officer, and this designation depends on the volume and sensitivity of the information. 
At the chain and large group level, a DPO is almost certainly required, but for individual hotels, the law is not yet clear and you should seek guidance from your local counsel as to whether it is required.12. Do hotels outside the EU/EEA have to do anything to comply with the GDPR?According to Article 3 of the GDPR, the regulations cover activity happening within the EU or data processing by organizations based in the EU. When an EU citizen travels outside the EU, their activities outside the EU are no longer protected by the GDPR unless the organization processing the data is based in the EU.However, a booking process that happens between a person in the EU and a hotel outside the EU is considered covered by the GDPR. Data that is collected in the EU during that process is an activity happening within the EU. So hotels outside the EU do collect data that is covered by the GDPR as part of the online reservation process. This data needs to be protected with the appropriate safeguards dictated above.13. What are the consequences for not complying with GDPR?Businesses can have fines of up to 4% of annual global turnover or $24.6 million (EUR20 million), whichever is higher for not complying with the GDPR rules.
