  • HFTP Report: Hospitality Data Security — Strategy for Data Protection and Regulation Compliance

    This guide from Hospitality Financial and Technology Professionals (HFTP®) covers safeguards that can be implemented in hospitality businesses today, and tips on how to continuously improve security and data regulation compliance.

  • HFTP GDPR Guidelines: Privacy Policies for Hotels

    This document offers points to consider in the development of a hotel’s privacy policy. In view of the multiple organisational and legal structures under which hotels operate, as well as the complexity of the third party landscape that may be part of the complete guest experience, this document serves as a guideline only.

  • HFTP GDPR Guidelines: Hospitality Guest Registration Cards

    This document offers recommendations for guest information collection on the guest registration card along with consent for use. It can be used as a guideline for loyalty cards, health data, export of data outside of the EU, privacy policies and direct marketing.

Article by Bob Rauch

The Changing Landscape of Hotel Management

RAR Hospitality · 21 May 2018
Shifting demographics and new technologies are primary catalysts for the evolving hospitality business; however, the impact on management is enormous.

Led by revenue management but now including distribution channel management, social media marketing, Web 2.0, cybersecurity, human resources and more, this industry has been thoroughly transformed. The key is to have GMs and corporate executives who understand this.

Here are a few things to consider.

Revenue management may be the single most important element in driving profitability. Today, it is time for the industry to price based on value perception and not just price relative to a competitor. Understanding the true demand in a marketplace is quite scientific. The large quantities of demographic and psychographic information available about the makeup of today's traveler require analytical skills and creativity to correctly respond to the marketplace. Product choices by consumers are influenced by a model of the consumer decision process that stresses the importance of finding the right customer for the right hotel at the right time. Is our guest interested in sustainability, fitness or wellness? Knowing our guest will drive our marketing efforts.

Booking more profitable business is critical as the distribution landscape is expanding beyond online travel agencies, including popular sales vehicles such as meta-search, flash sales and mobile channels. Beyond simple awareness of the different mediums available to sell hotel rooms, hoteliers must know the costs of the variety of distribution channels and the returns expected from each. GMs are the gatekeepers for these channels when a revenue manager is not around.

Next, product quality must be exceptional. Overall service must be at the level of "wow," and there must be a compelling value proposition for the consumer to choose the hotel.
Loss of market share is difficult to regain, which means desertion management (asking guests why they did not return) is paramount today and easy to define via social media. Staff service and attitude make a significant difference in competitive advantage in every market segment and these require strong leadership from the GM. No GM can do it all--corporate support is required.

Hotels that can train and motivate their team members will have a much better chance of getting repeat business. It is beyond the basic four-step skills-training method; rather it is adding the component of why they need that skill.

Millennials have become the fastest-growing customer segment within the industry and also have no problems speaking up. If what they are seeking is not handled to their liking, they will turn to Twitter, Facebook, Yelp or TripAdvisor to voice complaints. Reputation management rules, and this is where the GM must be hanging out in the lobby, at the front desk and in the restaurant.

Customer service must include enabling guests to be self-sufficient. For example: if a guest wants to find information using his/her smartphone, providing an app or mobile website that accommodates that information will appeal to many. The rise of this digital traveler requires the hotel industry to balance the expectation of personalization while enhancing the need to remain independent.

International visitors are here now but have been talked about for years, and this group of travelers has increased markedly this past decade. Management must understand the language and culture of these guests as they are arguably the fastest-growing travel segment today and spend more than any other traveler. With the European Union's General Data Protection Plan (GDPR) compliance requirement coming later this year, cybersecurity must be at the forefront of our industry.
Security in general must be tightened up with active shooter training and drills for each type of crisis.

The path forward

The transition from art to science in hospitality has caught many by surprise and unfortunately, these are the people and the companies that are falling behind. There will always be a need for great customer service, but today's travelers require both great service and technology. It is crucial that we understand the hospitality industry as it is today because if we focus solely on the art of hospitality, we will be missing out on capturing more business and increasing our profitability. Further, there are legal challenges with human resource management, ADA laws, public relations and crisis management, to name a few.

Are our properties exciting or are they just clean? Do they provide unique experiences or are they just offering the basics? Is there true ownership or management oversight and input or is it absentee management reviewing monthly financial performance? Are our digital assets such as website, social media sites and real-time marketing efforts effective? These four questions will give each of us a hint at where some opportunity lies. Management companies and GMs must utilize this playbook and much more.

This article was first published in Hotel News Now and is reprinted with the permission of the author.

How to Deliver Personalized Guest Experiences in the Age of GDPR and Data Privacy Concerns

Concilio Labs, Inc. · 18 May 2018
Hotels are faced with an interesting dilemma. We're entering a time of hyper-personalization -- guests show a dominating preference for hospitality experiences which are more unique in nature and catered to individual needs/expectations. However, riding the coattails of the on-going personalization trend comes the initial implementation of GDPR on May 25th.

For those unfamiliar, the General Data Protection Regulation (GDPR) aims to strengthen and unify data protection for individuals within the European Union (EU). This legislation, which applies to guests and employees, brings with it a large number of changes relating to the use of personal data.

This is where the dueling conundrum lies. With all these rules and guidelines, how will hotels remain competitive in their quest to deliver the exceptional, personalized service guests expect? How can hotels be expected to get personal if they have limited access to personal data?

We're here to break it down for you.

What Constitutes 'Personal Data'?

In order to understand the expectations (and subsequent limitations) of the new protocol, we need to first gain an understanding of what exactly GDPR defines as the "personal data" of guests and hotel employees.

In the case of GDPR, personal data is "any information relating to an identified or identifiable natural person ('data subject')". Basically, this could include an individual's name, identification number, location data, online identifiers, their physical appearance, and more. Consider this the beginning tier of data classification, while other personal information such as political beliefs, biometric data and genetic information is considered sensitive and is therefore held to a higher standard of security.

Why GDPR?

You may be wondering why this new legislation has come to fruition. Over time it has been noted that the hospitality industry is exceptionally vulnerable to data-related threats.
From pre-stay to post-stay, guests are engaged in a near limitless number of transactions, which involve the exchange of sensitive information in addition to credit card data. In fact, according to the Verizon 2016 Data Breach Investigations, the hotel industry accounted for the second largest share of security breaches in 2016.

GDPR has been formulated in an effort to remedy this trend in the EU, compelling hotels to upgrade their data protection processes to meet new, improved standards. Those hotels who do not meet the standards enforced by GDPR will face serious financial penalties, with costs up to EUR20 million or 4 per cent of worldwide annual turnover (whichever is greater).

How Can Hotels Collect Personal Data for GDPR?

While it may seem daunting at first glance, the GDPR legislation shouldn't act as an impenetrable barrier between hoteliers and their guests.

With GDPR in place, personal data must be collected for specified explicit purposes. Further, data cannot be captured (with consent for a specific information exchange) and then used for other purposes, unless consent is readily provided and documented. Let's consider a common example. Imagine a guest has supplied their email address at the time of booking a hotel. Under GDPR's regulations, you cannot use that email for email marketing at a later stage, unless the guest provided documented consent (likely through an 'opt-in' feature) for that use.

Due to the dynamic nature of hotel services and touch points, it's likely that guests' personal details are shared amongst different areas of a hotel's operation (the front desk, spa, restaurants etc.).
In preparation for GDPR, hotels' management teams should set aside time to complete a data mapping process that clarifies what data is captured, where that information is stored and how it can be used -- in order to protect and monitor it appropriately.

Hoteliers should also take a closer look at their third-party partnerships, to ensure there is no risk to the security of guest data within those touchpoints, as well. Why is this so important? Under the standards of GDPR, if a hotel is outsourcing the processing of data to a third party who is not complying with GDPR regulations, the hotel and the third-party processor can be held jointly responsible if a breach occurs.

GDPR might leave some hoteliers feeling nervous as they prepare for changes to their current data processes, especially considering how many hotels rely on email marketing as a critical pillar to their business model. However, it's important to recognize the opportunity this legislation provides to establish more open communication streams with guests. In order to access and use their personal data, hotels must now develop a communications strategy that allows guests to know exactly what their data is being used for, and why. Essentially, hoteliers will be expected to talk with their guests, in a more holistic and transparent manner, to determine what they want out of their experience.

In many ways, GDPR may ultimately yield a positive outcome for hoteliers and for guests. By forcing an opt-in and being specific about how information will be used, hoteliers will be left with a database of clients that are interested in receiving relevant guest experiences, marketing messages, and perhaps more receptive to booking or becoming loyal to your hotel.

Additionally, it forces hoteliers to become smarter about what data they request and keep. The data which hoteliers must access to satiate and earn the loyalty of modern guests speaks to their preferences.
What wine do they like, what type of pillow do they prefer, what other items, service styles or experiences will make their stay more enjoyable? The use of this type of data should be easy to obtain guest consent for, as it will ensure their visit meets (and exceeds) their expectations.

Article by Einar Rosenberg

Texting guests is about to be a HUGE legal liability that can cost a hotel 4% of its annual revenue

TND NFC by Creating Revolutions · 3 May 2018
Every GM knows the equation for implementing new hotel services. Benefit must be greater than the cost. In 2017, the most popular new craze for hotels was text messaging guests. The cost was low and the benefits were high. But in 2018, that cost is going to skyrocket, thanks to the GDPR or General Data Protection Regulation. If your hotel hasn't heard of the GDPR yet, you better learn fast, because it's going to change how nearly every hotel around the world does business. At its core, the GDPR is the strongest consumer privacy and protection law in history. Though the GDPR was created by the EU, it's not limited to Europe, it's global. And starting this May, the GDPR goes active. So why will the GDPR affect guest text messaging services in hotels? Because the GDPR has 4 requirements that text messaging just can't accomplish, leaving a legal liability with penalties of up to 4% of a hotel company's entire annual revenue.

These 4 liabilities include:

1. Usage Explanation
2. Lack of Security
3. Privacy by Design
4. No 3rd Party Protection Barrier

Usage Explanation

The GDPR requires that a hotel give Usage Explanation in "Non-Legalese". For an industry used to giving guests long legal documents that blanket protect every possible liability from alien attacks to the kitchen sink, those days are gone. How can a hotel cover themselves when they cannot use legal language to protect themselves from legal liability? The GDPR also requires a hotel to easily and clearly explain what they will do with the guest's information, how they will use it, by whom, where and more. That is a herculean task, considering today's hotels use complex algorithms and artificial intelligence to process a guest's information. How can you easily explain such complexities to the average guest? Add in explanations about how the guest can easily opt in and out, and the average 140 character text message your guest is used to will now be as long as a 19th century Russian novel.

Lack of Security

The GDPR also has security requirements. Not good news for something like text messaging, which never had any real security and never will. The first text message was sent in 1992, back when dialup modems ruled the world. Since then, the technology has barely changed from that first SMS. What's worse is that SMS is an integral part of Signaling System No.7. More commonly known as SS7, it is a critical part of the architecture that basically all mobile phone systems are built on. The reason SS7 means trouble for SMS is because in 2017, access to the SS7 network started being offered by hackers on the dark web for just $500. With as little information as a phone number, you could now not only eavesdrop on text messages but manipulate or even block messages. The SS7 vulnerability can even track a person without the need of using a virus or malware. Text messaging has no encryption and its infrastructure is a closed loop system that has no identity confirmation, so anyone can access it today and no one would even know it.

But it's not the mere possibility of text message hacking that is the problem. The problem translates into real dollars lost for hotels. Imagine someone creating random messages to your staff, sending them in all directions of your hotel property, based on false requests. Or requesting expensive services or products that get delivered to a guest who hasn't asked for it. And imagine a guest receiving a message they thought was from the hotel, with a link that says billing invoice, which ends up installing a virus into that guest's phone. These days, it doesn't take some sophisticated hacker to screw with your business. Just about anyone can buy hacker software or hacking services, which can steal from your hotel or create chaos. The most popular ransomware today is easily available to anyone for as little as $20. How secure are you feeling about the security of text messages now?

Privacy by Design

A more interesting requirement of the GDPR has to do with requiring a system to include privacy by design. Here is how the GDPR explains it: "Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition." Not one text messaging service used today has an original design that includes privacy as a core element of the design. And adding privacy now to their existing system is not allowed. The only choice a service provider would have is to build their whole system from scratch, and even then, it still wouldn't meet the security liabilities inherent in text messaging. By the way, the SS7 vulnerability was shown publicly in 2014, so any companies that try to state their original design was based on the privacy liabilities of the time, better make sure their original design is older than 5 years ago.

No 3rd Party Protection Barrier

The fourth liability has been a key protection for most companies today. If they use a third party service and the third party gets hacked, the client company is not liable. The GDPR will not accept that excuse. In fact, the 3rd party providers won't accept that excuse either. Take a look at what Twilio is telling their clients. Twilio is hands down the most popular text messaging infrastructure service today, used by 1000's of apps and web service providers. In fact, Twilio has a 59.85% market share in the US. So what does Twilio have to say to their clients, as to how well protected they are against GDPR?

"Your responsibilities under GDPR will depend on the nature of your business and your personal data processing activities. Nonetheless, broadly speaking, GDPR requires that personal data be:

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
3. Adequate, relevant, and limited to what is necessary for achieving those purposes
4. Accurate and kept up to date
5. Stored no longer than necessary to achieve the purposes for which it was collected, and
6. Properly secured against accidental loss, destruction or damage.

What's the definition of "personal data" under the GDPR? Personal data means data that relates to an identified or identifiable natural person (aka "data subject"). An identifiable data subject is someone who can be identified, directly or indirectly, such as by reference to an identifier like a name, an ID number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Importantly, this is a very broad definition and can encompass data like IP addresses of a user's personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID). What matters is that the information can be used to "pick that user out of the crowd" even if you don't know who that user is. It is also important to note that the definition of personal data is not tied to concerns about identity theft the way that definitions of personally identifying information (PII) are under many US data breach laws. So, even if it seems like there would be little privacy harm if someone got ahold of your users' IP addresses that does not mean that those IP addresses are not personal data. It just means that this data may not require the same level of data protection as more sensitive personal data like your users' credit card numbers."

So what does this all mean for companies who used to feel a barrier of protection, via a middle man?
Sounds like those middle men are telling you, "Good Luck with That".

In conclusion, text messaging is a convenient technology to use, and key to its use is the most important identifier about a guest, their phone number, which is running on the most essential informational device in your guest's life. Does any hotel really want to risk liability on a decades-old technology with no real security? Especially with the GDPR and other legislation being released, as well as multiple class action lawsuits, and thanks to Facebook, the strongest consumer sentiment in favor of privacy ever, all occurring NOW?

Two supplemental points to consider:

1. What business in the US today has the highest concentration of tourists? Answer: hotels, hence why they are the most susceptible to these new privacy laws. Think about it for a second. Both retail and restaurant are not likely to get a foreign tourist to sign up for anything or to keep any personal details about them. This is completely the opposite of a hotel, which usually asks for many pieces of information which they store, including the person's name, credit card information for later charging, etc. For foreigners they often request their passport as well. So hotels are the most likely to be affected by the GDPR.

2. Why are text messages and chat the highest vulnerability for hotels? Answer: it's the most important and relevant single identifier of a person. Data, especially coming from multiple sources, is useless if you don't have a single consistent identifier to connect all that data together. Now think about this for a minute. There are 1000's of John Smiths out there, so names won't work as a key identifier. And practically everyone has more than one email address. As for addresses, people move. But the mobile phone number is the only consistency no matter what. With number portability, it's now easy to carry your mobile number to a different carrier.
And with nearly half of all households now mobile only, even when a person moves, they keep their phone number. Even if it's a different area code, or they change jobs or anything, they always take their phone number. Now this isn't just for text messaging but also for the most popular form of chat used today by Europeans, which is WhatsApp. WhatsApp doesn't use a username but rather a phone number as the key identifier.

Aligning Software with the Human Touch

Pegasus · 2 May 2018
As the General Data Protection Regulation (GDPR) looms and goes into effect within weeks, it's more critical than ever to ensure that consumer data is managed within its parameters, while also enabling hoteliers to build better relationships with their guests. The question is, what is the process that aligns the human touch and software to build and strengthen those guest relationships?

Convert - Converting means turning phone calls and web visits into booked reservations. Boosting conversions means the right offers are delivered to the right person. Direct bookings are often the result of consumers being given relevant offers so they don't book through other channels. Personalized content, like recommendations based on previous stays, or offers based on buying personas, can help. For example, maybe the offer is a free shoe shine for a business traveler, or wine upon arrival for a personal stay. People love personalization. Give your guests personalization, and they'll gravitate towards your brand.com offerings.

Connect - Connecting means fulfilling the guest's needs. The key is having the right software, and using it within the parameters of GDPR, to know what those needs are. With the right software, hoteliers can connect offers, rooms, and features based on data already stored in the software program, or automatically pull data found on open social sites. Hoteliers can gain a deep understanding of who their prospects and guests are, what they care about, and ultimately how to influence their purchasing decisions. Of course, delivering this level of personalization requires granular data. Luckily, some systems on the market deliver tools that determine personalization opportunities and present them to your guests.

Engage - Understanding your guest is critical to being able to engage with him or her. These days - thanks to research, big data, and social media - hoteliers can create detailed profiles of their guests much more easily than they could in the past.
This not only helps with personalization but can predict future behavior as well. Again, within the parameters of GDPR, the ability to predict needs is a powerful tool. It can improve the overall guest experience. Guests want to feel that not only are they receiving value, but they are being treated like someone with whom you're engaged.

Successful hotels understand the importance of taking a holistic approach to personalized guest interactions at every touch point, within the bounds of GDPR. With the right hotel software that pulls guest data from outside sources and delivers the right offers, hoteliers can enhance the total guest journey. Hoteliers can then forge long-lasting relationships in ways that only technology intersected with the human touch can deliver.

Top Concerns Hotels Need to Know About the GDPR and How to Prepare Your Action Plan

HEBS Digital · 23 April 2018
What is the GDPR?

The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and regulates how companies manage, use, and share personal data. The GDPR will take effect on May 25, 2018. The GDPR applies to natural persons, whatever their nationality or place of residence, whose personal data is processed and whose behavior is monitored while within the EU. This change in legislation means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies begin to adapt.

The foundation of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, and expands on these privacy measures in two critical ways.

The definition of and requirements around personal data have been expanded. First, the GDPR defines personal data as any information that can be used to identify directly or indirectly a data subject, such as an online identifier like an IP address. The GDPR sets a higher standard for collecting personal data than ever before. By default, any time a company obtains personal data on an EU resident, it will need a legal basis for collecting that data, such as explicit and informed consent from that person. Even more importantly, users also need a way to revoke that consent, and they can request all the data a company has collected on them as a way to verify that consent. These strong regulations explicitly extend to companies based outside the EU.

The penalties are more severe. The GDPR's penalties are severe and have two tiers of fines. The maximum fines per violation are set at up to four percent of a company's annual global revenue or 20 million Euros, whichever is larger. The lower level fines are up to two percent of a company's annual global revenue or 10 million Euros, whichever is larger.
These penalties far exceed fines allowed by the Data Protection Directive, and it signals how seriously the EU is taking data privacy.

Get to know the facts. Avoid misconceptions regarding the GDPR:

The GDPR affects hotels across the globe: The GDPR applies to all properties that target EU residents as customers no matter where they are located. This means that the GDPR affects all hotels in the US and locations around the world, not just Europe.

Hotels are liable for the GDPR: Regardless of your partners or solutions provider, the hotel (who according to the GDPR would be considered the data controller) is ultimately responsible for using tools that are in compliance with the GDPR.

One price point for all of the EU: Commonly overlooked regarding the GDPR, it's important to note that hotels cannot use profiling to set prices based on an EU visitor's location.

How does the GDPR apply to your hotel's online data policy?

The GDPR affects your hotel's data policy regarding EU website visitors in six main ways:

Getting consent: Visitors to your website must understand exactly how you are planning on using their data, and the legal basis for why you are collecting the data. Unambiguous and affirmative consent is a key part of GDPR legislation and it is important for any hotel website that collects personal data to obtain specific permission to use it in the course of their business. If you are requesting consent from the customer, the user must agree to each specific purpose. That means if you have someone's email address who booked with your hotel, you are only allowed to market to them if they have explicitly agreed to this. Similarly, privacy notices may require rewriting to be in line with the GDPR rules. Privacy Policies and Terms of Service must be simple to understand and free of jargon (a good rule of thumb here is that a 16-year-old should be able to understand the Terms of Service).

Accessing data: A main component of the GDPR is being fully aware of who has access to personal data that is logged and stored on your hotel website's content management system or database. The first step is to understand exactly who has access to this data and compile a list. Next, examine the list and ask whether all of these people require access to this data. If the answer is no, permission should be revoked and measures must be implemented to control future access.

There must also be a robust process in place for deleting data that is no longer relevant or required, as companies are not allowed to hold on to this for any longer than is absolutely necessary.

Data accountability: Regardless of your solutions provider, hotels are ultimately responsible for using tools in compliance with the GDPR. In light of this, hotels should audit any external agencies they use that might have access to their data to ensure that their procedures are compliant. As the data owner (controller) you are ultimately responsible for this, even if you have outsourced elements of the process, so keep a record of measures you have taken to ensure all partners are acting in line with the GDPR regulations. All of your partners should be able to clearly explain what measures they have taken to maintain maximum security of the data you provide.

Data accuracy: All personal data must be accurate and kept up-to-date. Every reasonable step must be taken to ensure that personal data is correct in regard to the purposes for which data is processed, and that personal data is erased or rectified without delay if inaccurate.

Data minimization: Websites should collect only the minimum amount of customer data to do the job, as well as adhere to the "storage limitation principle" which mandates that personal data must be stored for no longer than is required and that individuals must be informed about the planned use of personal data.

Data portability and the "Right to be Forgotten": All website users have the right to receive their personal data that was previously collected in a readable format, as well as own the "Right to be Forgotten" which grants consumers the ability to easily have all of their data deleted from the hotel database.

How can your hotel prepare for the GDPR?

The GDPR affects your hotel website, data strategy, digital marketing, and online merchandising. Below are the top ways you can prepare for GDPR:

Preparing Your Hotel Website

It's important to ensure that all web forms and website cookie usage are in line with the GDPR. Your website's Privacy Policy and Terms and Conditions should also reflect the GDPR to ensure that everything is in compliance.

Update your Privacy Policy and Terms and Conditions. First and foremost, your hotel website's Privacy Policy and Terms and Conditions should be updated to reference GDPR rules and regulations. In particular, you will need to be transparent with what you will do with personal information once you've collected it, and how long you will retain this information on your website and in any other databases.

Ensure your website is secure. Your hotel website should have an SSL (Secure Sockets Layer) Certificate to ensure that all data processing through the website is secure. If your website has an SSL Certificate, the site's address will begin with "https," rather than "http." SSL Certificates secure all of your data as it is passed from your browser to the website's server.

Ensure cookie consent. Website visitors from the EU must provide consent for your hotel website to enable cookies that are used to identify an individual. Like all other consent under the GDPR, consenting to cookies needs to be a clear affirmative action. Hotel websites should present clear terms of service regarding cookie usage with an opt-in box. Do not include pre-ticked boxes on the consent form, as this is against the GDPR regulations.
It is important to note that the hotel website should not constrict users to accept cookies in exchange for information, and the hotel must also have a legal basis under the GDPR to use an EU visitor's IP address to personalize content or identify a user's device. Ensure the ability for people to opt out or erase their personal data. The GDPR clearly states that a data subject should be able to withdraw consent as easily as they gave it under the "Right to be Forgotten" clause. Controllers must inform data subjects of the right to withdraw before consent is given. Update email opt-in to default to "No" and include specific check boxes for every opt-in. Forms that invite users to subscribe to newsletters or indicate contact preferences must default to "no" or be an un-checked opt-in box. You should also ensure that users provide consent for all ways your hotel will be utilizing their data. For instance, if a user is opting in for email newsletters, this does not mean they are opting in for that email to be used for look-a-like audience marketing. Ultimately, hotels must set up a specific checkbox or form of consent for each separate use of guests' data. And finally, to ensure that you are in complete GDPR compliance, it's important to implement a double opt-in process. All web forms must clearly identify named parties. Your web forms must clearly identify each party for which the consent is being granted. It is important to note it isn't enough to say specifically defined categories of third-party organizations, they must be named in full. For example, your consent form cannot simply say third-party ad networks, it needs to specifically name the ad networks where ads will appear.Preparing Your Data StrategyOnce you've collected user data from EU residents or anyone living within the EU, it's important to follow key protocols regarding the use and removal of this data. 
It is also extremely important that everyone covered by the GDPR has an easy way to access and download any of their personal data collected. Here are some key considerations regarding your data strategy: Provide EU visitors with easy access to download personal data. Your hotel website should provide a request form where EU website visitors can request personal data. Do not keep data for longer than required. While the GDPR does not state a specified timeframe that limits data storage, it's a good idea to scrub customer data once or twice a year to ensure that all data is accurate and up-to-date. Any inaccurate or incomplete information should be deleted and the hotel is responsible for clearly stating how long the information will be stored within the privacy policy. Allow easy consent opt-out to address the "Right to be Forgotten" and grant EU website visitors the ability to delete their personal data. Your data strategy must allow for website visitors who previously consented to any use of their personal data to easily opt out or "erase" their data, as well as update their opt-in preferences. This user experience should be just as seamless as opting in and be easy to navigate on the hotel website.Preparing Your Marketing StrategyThe GDPR impacts your email marketing strategy, display remarketing strategy, and any display that utilizes owned customer data for targeting. Make it clear which third-party vendors will be utilizing EU customers' personal data. When prompting users to opt in to cookie consent or to access their customer profile data for marketing purposes, be sure to clearly list the name of the ad networks and third parties that will be utilizing these cookies and accessing this data for retargeting and building look-a-like audiences. Ensure that all third parties and ad networks are in compliance with GDPR. 
Have your marketing agency or internal marketing department reach out to any third-party vendors or ad networks to ensure that they are GDPR compliant and have taken appropriate measures. Only use data for the intent in which the EU user opted in. When an EU user grants permission to use cookies or opt in to an email marketing list, only use the data for the marketing for which the user opted in. This means if the user only opted in for remarketing, you cannot use the data to build look-a-like audience targeting. Or, if an EU user opted in to a monthly email newsletter, the user's email address should not be used for other marketing purposes. Overall, it's not only important to familiarize yourself and your hotel staff with the GDPR, it's important to ensure that all of your bases are covered. To be ready for what's next on the official launch of the GDPR on May 25, 2018, check out additional resources on The UK Information Commissioner's Office and review your policies with a data privacy consultant and your legal team.

GDPR in the EU and UK: AETHOS' 3 Steps for Complying with Employer Responsibilities

AETHOS Consulting Group · 6 April 2018
GDPR. Four letters of the alphabet that are proving to represent one of the biggest challenges facing businesses in 2018. The General Data Protection Regulation (GDPR) comes into effect on 25th May across the European Union, including the UK, and impacts any organisation that operates within the EU that processes data of EU citizens wherever they may be in the world. How organisations hold, store and process personal data will now be subject to higher and more consistent scrutiny - with potentially significant penalty for non-compliance.

AETHOS Consulting Group's London Managing Director Chris Mumford emphasizes that much attention is already given to how customer data is handled under GDPR, especially in the hospitality sector where hotels process a high volume of personal information and payment data. "GDPR not only impacts how a business interacts with its external customers but also how it manages data internally with regard to its employees. In an industry such as hospitality where the labour force is so often highly diverse and comprised of multiple nationalities, most organisations will be affected by GDPR."

Mumford spoke exclusively to Adele Martins, Partner and head of the Employment Department at law firm Magrath Sheldrick LLP, who clarified that GDPR is considerably stricter in its requirements than the UK's Data Protection Act (DPA). Mumford and Martins highlight a number of key features hospitality employers should consider as they address compliance with the new regulations:

- What qualifies as 'sensitive data'? People will regard information about their health or their sexual orientation as more confidential. Technically Sensitive Personal Data or Special Categories of Data include information about a person's race or ethnic origin, their health or sex life, their sexual orientation, political opinions, religious / philosophical beliefs, trade union membership and genetic and biometric data.

- How is employee consent defined and best obtained? The GDPR makes it clear that consent must be freely given, specific, informed and unambiguous. It can no longer be implied from silence, pre-ticked boxes or inactivity.

- Regarding businesses which have external suppliers that are exposed to personal employee information (i.e. payroll providers), where does GDPR compliance lie? With all parties. The advice to controllers is to have appropriate agreements in place with providers to ensure that those providers (processors) are contractually obligated to process data appropriately.

- Would a hotel in New York which employs a French national in the kitchen be subject to GDPR? So, a hotel in NY employing a French national is processing the personal data of an EU national but that EU national is not within the EU. Does that mean they are off the hook? No. The EU national is still likely to be protected by the GDPR - not least because they are bound to return to the EU at some point and the processing will not stop when they do.

- What are the sanctions for failing to comply? The maximum sanction under the GDPR is a whopping Euro 20,000,000 or in the case of a corporate undertaking 4% of global annual turnover - so potentially much higher than the maximum Euro 20 million figure.

Mumford and Martins urge hospitality employers to immediately manage three critical steps to prepare for the GDPR compliance deadline:

- Dedicate data protection personnel internally and at a senior level;
- Appropriate security measures to ensure that personal data is properly stored, securely processed and retained only for as long as necessary;
- Clarify Privacy Notices to ensure that the individuals in question understand what data they are providing.

Are You Ready for GDPR? [Infographic]

MarketingProfs · Requires Registration · 29 March 2018
The EU's General Data Protection Regulation (GDPR) is set to go into effect on May 25. It will dramatically change current data privacy laws throughout Europe, strengthening the protection of personal data. If they want to avoid hefty penalties, companies that conduct business in the EU—or even process personal data originating from the EU—need to ensure their business practices adhere to the new law's strict guidelines.

Hospitality Talk (UK) - Episode 2 - GDPR and Amazon Alexa

Chocolate Pillow | By Matt Shiells-Jones · 26 March 2018
IT’S HERE…… Hospitality Talk Episode 2 – I know I said in some social media posts I would likely talk mergers and acquisitions and also hospitality apprenticeships, but to be fair, I was tired and couldn’t be bothered after a Sunday morning as duty manager in a Manchester city centre hotel!! So this briefly covers GDPR and the use of Amazon Alexa in hotels!

What GDPR Means for Marketers [Infographic]

MarketingProfs · Requires Registration · 26 March 2018
Half of UK and US marketers say the European Union’s new General Data Protection Regulation (GDPR) law will make their marketing efforts more difficult, according to recent research from Act-On. The report was based on data from a survey of 200 marketing professionals in the United Kingdom and the United States.
Article by Norman Harvery

GDPR, the New Regulation for Personal Data in 2018

HospitalityTechGuru · 26 March 2018
GDPR, what is it and why is it important for the hospitality sector?

The EU and the United Kingdom are currently governed by the Data Protection Act of 1988. This law was enacted following the 1995 data protection law of the EU, which was created long before the internet and the cloud allowed new ways to share data. GDPR will give people more control over how their personal data is used. Today many companies, such as Google, Facebook, Twitter, and other social media and marketing companies, swap user data to provide services, and GDPR has been designed to protect the privacy of all EU citizens. GDPR will protect all information related to a name, a picture, an email address, credit card information, banking details, timeline posts on social media websites, medical information, or a computer IP address.

What is GDPR?

The General Data Protection Regulation (GDPR) is a major regulation in EU data protection law that will unify and strengthen data protection for individuals in the European Union. The European Commission first published GDPR in 2012 and, following 4 years of discussions, it was adopted in April 2016. This regulation will replace the existing data protection act. Its arrival on 25th May 2018 will bring major changes to data protection law and harsh penalties for those who don't comply with it.

What will be the impact of GDPR on the Hotel Industry?

The hotel business is considered one of the most exposed to data threats. According to the Verizon 2016 Data Breach Investigations Report, the hospitality industry accounted for the second largest share of security breaches when it comes to lost cards following a data breach. This isn't a surprise, with guests handing over card details and hotels processing information on a daily basis, which attracts highly motivated financial criminals. Hotel software will need to adhere to the new GDPR rules and give management and IT admins the settings and access needed to purge data that a guest does not want the hotel to retain.

Things to consider before adapting to the regulation

One of the primary issues for a hotel is data discovery. Hotels receive guest payment card information through a website, phone, email at the time of checkout, SMS and WhatsApp chats, fax, etc., and this data is often held in multiple locations. When management is aware of where and what information is stored, they will be able to process the information to protect it.

Next, hoteliers need to secure their website and bring it into compliance. The business must have access to the data it stores and the ability to change or delete this information. It must also be able to show the relevant authorities system activity logs that track and oversee actions on its network resources when necessary.

Hotels should now become more cautious of their third-party partners, so that they don't prove a threat to the hotel's business in terms of data protection. An important provision of GDPR is that data processors are captured by the regulations as well as data controllers. For example, if a hotel, as a data controller, is outsourcing the processing of data to a third party who is not GDPR compliant, the hotel will be held responsible if any data breach occurs. Current credit card sharing practices between OTAs, hotels and other third-party service providers will need to change drastically.

In order to comply effectively with GDPR, it is vital to conduct regular staff training on how to securely handle card information. Educate staff that it is unsafe to write down or email card details and sensitive information. They must also be advised on how to create strong passwords.

Under the GDPR, if your hotel suffers a security breach, the breach must be reported to the authorities and all stakeholders within 72 hours of its discovery.

Will GDPR only apply within the European Union?

Although it is an EU regulation, the GDPR will apply to any organization, regardless of location, that processes or holds EU citizens' personal data.

Given the large uncertainty surrounding Brexit, this regulation is causing some confusion for British hoteliers who do not hold any EU data or do not operate their business overseas. The British Government announced that all UK companies, including hotels, need to comply with the regulation regardless of Britain exiting the EU.

What if I am not compliant?

If a complaint is made by an EU citizen, the penalties for not complying with GDPR are harsh. The maximum fine is set to 20 million Euros, or 4% of the annual global turnover (whichever is the greater). However, this loss can be easily avoided if the hotel leaves enough time to efficiently adapt to the regulation.

Hotels should start complying as soon as possible

The reality is that hotel operators tend to keep customer information in several different places, like the central reservation system, web booking engines, the property management system, point of sale, e-mails, and credit card authorization forms. Simply put, there are too many places where the data is vulnerable to theft and where intrusions are possible.

The need for GDPR is largely technology driven. Today's guest expects a seamless experience, and hence more and more technologies are sharing data, giving rise to data swaps and possible intrusions and hacks.

It is important for organizations to start complying with the regulations as soon as possible in order to ensure they are prepared for enforcement before May 2018.

Important facts and actual policy implementation requirements

Internal processing - The business must provide detailed information on the need to process personal data and how long it plans to keep it. This procedure involves an organized retention policy, so the business knows the status of such information.

A hotel must keep system logs, user activity logs and technical records, and obtain the necessary certificates to prove it is protecting data. These help businesses show the supervisory and regulatory authorities that the important mechanisms are in place.

Hotels need to include an "opting in" option on their websites, which allows them to store guest data. They must also explain the section and process that enables guests to access, modify and delete their data. This poses a significant threat to information when it is held in different places.

We highlight a few things to consider while planning to improve security

Malware was one of the major threats and the reason for 94% of breaches in the hospitality sector. So install better anti-malware security, update virus definitions on a regular basis and maintain logs.

When it comes to GDPR compliance, conduct regular staff training on how to securely handle card information. Educate staff that it is unsafe to write down or email card details and sensitive information. They must also be advised on how to create strong passwords.

Payment gateways are one of the primary ways to store guest card details. Most hotel properties need a third-party vault provider. By using these vaults, the sensitive information is removed from your custody and you are given a tokenization system that can be used for billing. By using this integration, you move the risk of storing data to a third party who specializes in doing that and has all security controls in place to keep the sensitive information safe.

Summary

- All hotels must be prepared and comply with GDPR before the deadline date, i.e., 25th May 2018.
- GDPR is applicable to every business, regardless of location, that handles EU citizen data, and non-compliance will attract hefty penalties.
- This act is applicable to businesses in the UK, despite the aftermath of Brexit.
- Data processors are also on the regulation's radar.

Certainly, adapting your hotel to comply with new regulations will be difficult. But the benefits will improve the hotel's key performance, allow management to know where all of their confidential information is stored, and ensure their customers get a secure and satisfying service.

Subscribe to technologies that are PCI compliant and get trained, so you can avoid data breaches and hefty financial penalties.

"Guests nowadays care about their privacy and they expect hoteliers to respect that".

Concilio Labs CEO Terri Miller Talks About the Impact of GDPR on Hotels and Their Guests

Concilio Labs, Inc. · 15 March 2018
Recognized as an industry expert on hospitality technology, eCommerce, and business intelligence, Terri Miller, CEO and co-founder of Concilio Labs, discusses the impending European General Data Protection Regulation (GDPR) and what that means for hoteliers.

Why has GDPR become such a top-of-mind issue for the hospitality industry?

The May 2018 deadline for GDPR implementation will significantly change the way hoteliers handle guest data. Having guests' personal data stored in the cloud has become a necessity for today's hotelier.

Until now, fines for breach of data protection regulations were limited and enforcement actions infrequent. GDPR, on the other hand, promotes the risk of costly penalties in the event of incompliance and data breaches.

Even though GDPR applies specifically to EU countries only, in today's global society, it is likely that most hotels touch EU citizens in some form or fashion - and so they must comply with regulations. GDPR is also seen as a "first move" towards greater information transparency and security overall, and thus many savvy hoteliers, even those outside of the EU, are using the new regulations as a way to get their marketing, data management, and privacy programs into shape.

How do you see the GDPR affecting hotel companies' strategies and habits over time?

Fundamentally, GDPR requires hotels to be transparent about what data they collect as well as to take responsibility for what they--and their partners--do with that data. Many industries, including hospitality, are struggling when it comes to winning and keeping their customers' trust. GDPR is about bringing consumers into the data ecosystem by allowing them to see, access and consent to the data that companies have and utilize.

How do you see the GDPR affecting guest expectations and behaviors?

The processing of personal data should be designed to serve the guest. If hotels don't honor that principle, guests will become distrustful and certainly less loyal. They may even begin to lie when asked for non-essential information. They may also shame brands that don't follow the GDPR standards of transparency and choice.

We need to make guests feel as if a data exchange is beneficial - better data for better guest experiences - vs. data used simply for the purposes of mass-distributed marketing.

In the short term, hotels can look to GDPR as an opportunity. Among many regulations, GDPR requires hotels to ask customers to "opt in" to marketing communications. By playing their cards correctly, hotels can use their opt-in as a chance to re-engage with guests and educate them on the benefits of data sharing to improve the guest journey.

I believe that most guests will be happy to grant access to their data if their needs are being met.

The GDPR introduces the concept of profiling. How will that impact hotel marketing and personalized guest service practices?

The GDPR describes profiling as any form of automated processing of personal data, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

For hoteliers, the ability to leverage guest profiling is essential when it comes to personalized, relevant marketing and services. Not only can profiling deliver benefits to the hotel--it can also deliver benefits to guests by tailoring services and offers to align with their preferences, interests and guest history. Hoteliers will need to ensure that all profiling has met the core GDPR requirements including data permission, data access, and data focus - and honor any requests or objections from guests.

For some hoteliers, it will require very little change. For others, it will require a whole new set of data management systems and processes.

What do hoteliers need to do next when it comes to GDPR?

To start, hoteliers must prioritize based on their resources, locations, guest expectations and risk profile. I think the most critical first phase is to audit the data they already have and develop an efficient and robust record-keeping system to prove compliance. The next step is to do a privacy impact assessment of all sources to determine when it seems data could be put at risk and respond quickly to mitigate it.

GDPR offers a unique opportunity to develop completely new ways of working that are based on the key principles of trust and transparency. Ultimately, in the long run, data protection and privacy will become more of a brand differentiator, so those who do the right thing will win.

Concilio Labs is working with clients to ensure their data gathering and storage protocol for its Insight Engine product remains compliant with GDPR regulations.

To learn more about Concilio Labs' Insight Engine and how it can transform your guest personalization, visit conciliolabs.com.

Getting Ready For The GDPR: What Hoteliers Need To Know

ALICE · 15 March 2018
Introduction

ALICE has been working hard to fully understand the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and its obligations on us and our customers. We'd like to share what we've learned in order to help hoteliers and anyone else who has to figure out what is going on.

1. What's the GDPR and why should I care?

In essence, the GDPR was brought into effect to strengthen and unify data protection for all individuals within the European Union (EU). Building upon the 1995 Data Protection Directive (Directive 95/46/EC), the GDPR was approved by the European Parliament, the Council of the European Union, and the European Commission on April 14, 2016. After a two-year transition period it will become enforceable across the 28 member states on May 25, 2018.

The GDPR gives power back to the consumers by forcing companies to become transparent in how they are collecting, storing, and sharing their customers' personal data information. Although the GDPR applies to any organization or business collecting data on EU citizens, the nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.

As ALICE grows and expands to new markets, we are complying with the GDPR to ensure our privacy settings are being adequately integrated, allowing our partners to adapt at every stage of the life cycle of customer personal information data.

2. Which hotel staff need to know about the GDPR?

Decision makers and key people in EU and EEA-based hotels should be aware that the law is changing to the GDPR. This would include at least the following roles, if they exist: General Manager, Head of Marketing, and the Revenue Manager. Each of these roles deals with a significant amount of customer and employee data. These leaders should read this FAQ and look further into how to comply within the areas they are presiding over.

3. What kind of information should a hotel be cautious with?

All data about persons in the EU are covered under the GDPR. This includes both guests and employees. Hotels should document what personal data they hold, where it came from and with whom it is shared. Hotels may need to organise an information audit.

"Personal data" is any data about an identifiable person. A person can be identified by their name, phone number, email address, reservation number, IP address, or any information that allows them to be uniquely identified.

The GDPR grants extra protections for "sensitive data." This includes personal data that reveals any of the following:

- trade union membership, which may be revealed by event attendance
- biometrics for the purpose of uniquely identifying someone, such as a fingerprint stored for opening doors
- health status, which may be disclosed in guest requests
- sex life or sexual orientation, which may also be disclosed in some guest requests

The following are less likely to show up in hotel systems, but should still be understood to be sensitive in case they do show up:

- genetic data
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs

All of the above types of sensitive data can only be handled with explicit consent. If this kind of data is collected incidentally, it should be removed immediately to avoid undertaking new obligations for the protection of that data.

4. How does GDPR affect the software hotels can use?

All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR. The DPA must dictate the purposes for which the processor is processing the data.

If a hotel is using software given to it by its brand or flag, it may not be in complete control of how the gathered information will be used. In that case, as joint controllers of the data, the hotel and its brand would need to draw up a contract that explicitly states their relationship with regards to managing data. Both parties would need to communicate the relationship to both guests and employees.

5. Can EU hotels use software vendors or software on servers based outside the EU?

Yes, but there are limits to how data can be transferred outside of the EU/EEA. Most major cloud service providers and many other companies, such as ALICE, have systems in place to address these rules. To confirm that a cloud service is compliant with the GDPR, hoteliers need to make sure:

- They have a Data Processing Agreement in place. These agreements are required for all data processors, not just international ones (GDPR Art.28[3]).
- There is a lawful basis for transferring the data (GDPR Rec.39, 40, 41; GDPR Art.6[1]), which can be through the service provider's membership in the Privacy Shield, signed standard contractual clauses, or other mechanisms allowed under the GDPR. Most companies will be relying on the GDPR's standard contractual clauses.
- The transfer is mentioned in the hotel's privacy policy and the purpose of the transfer is explained.

6. What do hotels need to do about their vendors?

For each vendor that processes guests' personal information, a hotel needs to do the following:

- Determine the type of data the vendor processes.
- Determine the purpose for which the processing is happening.
- Obtain a Data Processing Agreement.
- If the vendor is outside the EU, sign the standard contractual clauses (usually part of the Data Processing Agreement mentioned above), or confirm that the vendor is a member of the Privacy Shield.
- Mention the vendor in the hotel's privacy policy, along with the purpose of the vendor and how the data will be used.
- Confirm that the vendor can handle data rights requests with an SLA under one month (e.g. 25 days).

7. How should a hotel communicate privacy notices to guests?

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.

Hoteliers may need to speak with customers at check-in if explicit consent is required for any forms of data collection that require it, such as consent to marketing communications. All loyalty programs need to be examined for similar requirements if data is used in a way that requires consent.

8. Do hoteliers or vendors need to encrypt their databases?

It depends. The GDPR recommends that companies take steps to protect all personal data, but it does not specify what those steps have to be. Instead, companies are asked to identify the risks to personal data and do what is appropriate for those risks. Encryption is one of many options available to protect data, but it is not specifically required by the GDPR.

Article 32 of the GDPR gives the following options, none of which are strict requirements, but which should be considered for their benefits to your guests' data privacy:

- the pseudonymisation [obscuring the identities] and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

9. How can hoteliers make sure they are able to honor requests for data portability, correction, or erasure, a.k.a. "the right to be forgotten"?

Customers, employees, or anyone whose personal data is stored at a hotel may request that their data be erased. They can also ask for a copy of all of their data (right to data portability) or for their data to be corrected. There are cases in which this does not need to be honored, for example if there is an ongoing contractual or legal requirement to retain the data. But in most cases, the request will need to be honored. Recital 59 of the GDPR requires these requests be answered within one month. This period can be extended under exceptional circumstances, by requesting another month.

In order to be able to handle these requests in time, hotels need to plan in advance how requests can be honored. Each location where data is stored should be mapped out with a plan on how to address the rights request for data in that location. Each vendor also needs to be vetted to confirm they have a similar plan in place. Vendors should have an SLA that is less than a month (e.g. 25 days), in order to give time for communication between you and the vendor on each end of the process when a request happens.

For data portability requests, the law requires the data be given to the customer in a standardized format for transfer to other companies. Since at the moment there is no industry standard for this kind of data to be transferred from a hotel, you must use a generic but easily transferable format, such as text files with headers and comma-separated values.

10. How should hotels handle children's data?

Within the EU/EEC, a "child" is defined as someone younger than a country-defined age between 13 and 16. For most cases, hotels will not need to rely on children's or parents' consent to process guest information, since the primary basis for data processing is handling reservations. However, in cases where consent is the basis for data processing, for example, for marketing purposes, children's data needs to be handled with extra care.

You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity. Children's data can only be handled with explicit consent when consent is required.

Best practice is to avoid collecting and storing data about children unless it is legally required or absolutely essential for handling a reservation.

11. Do hotels need to hire Data Protection Officers (DPOs)?

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements, even if you are not formally required to have a DPO. You should consider whether you are required to formally designate a Data Protection Officer, and this designation depends on the volume and sensitivity of the information. At the chain and large group level, a DPO is almost certainly required, but for individual hotels, the law is not yet clear and you should seek guidance from your local counsel as to whether it is required.

12. Do hotels outside the EU/EEA have to do anything to comply with the GDPR?

According to Article 3 of the GDPR, the regulations cover activity happening within the EU or data processing by organizations based in the EU. When an EU citizen travels outside the EU, their activities outside the EU are no longer protected by the GDPR unless the organization processing the data is based in the EU.

However, a booking process that happens between a person in the EU and a hotel outside the EU is considered covered by the GDPR. Data that is collected in the EU during that process is an activity happening within the EU. So hotels outside the EU do collect data that is covered by the GDPR as part of the online reservation process. This data needs to be protected with the appropriate safeguards dictated above.

13. What are the consequences for not complying with GDPR?

Businesses can have fines of up to 4% of annual global turnover or $24.6 million (EUR20 million), whichever is higher, for not complying with the GDPR rules.

What CMOs Need to Know About the Looming General Data Protection Regulation (GDPR)

MarketingProfs·Requires Registration ·13 March 2018
The countdown is on: Only two months are left for companies to ensure they are in compliance with the European Union's General Data Protection Regulation (GDPR), set to be implemented on May 25. The regulation will apply to all businesses that hold and process personal data collected in the European Union, regardless of those businesses' industry or location.

GDPR and the hospitality space: What you need to know

hotelnewsnow.com Featured Articles· 7 March 2018
For Europeans who travel abroad, the United States remains a popular destination, which is great news for domestic hotel and resort owners. But bookings from the European Union, while good for business, may soon create real headaches for hoteliers in the U.S. in the form of the General Data Protection Regulation (GDPR). The EU adopted the GDPR in 2016, establishing the rights of EU residents with regard to how their personal data is collected, processed, shared and retained. In response, consumer-facing companies around the world, including those in the hospitality space, are struggling to understand how the GDPR will affect business operations and the extent of their compliance obligations. As the 25 May 2018 deadline for compliance is fast approaching, the following answers to some frequently asked questions about GDPR should prove helpful.

The GDPR (DSGVO) Countdown is On

Toedt, Dr. Selk & Coll. GmbH ·16 February 2018
The GDPR (General Data Protection Regulation) is about to become effective and it is time now for the hospitality industry to become aware of this topic. The GDPR is considered the big bang for data protection. The new regulation will take effect on May 25, 2018 after a 2-year transition period. As of this date, all data protection regulations currently valid across the 28 countries of the European Union will be replaced by this new regulation, making the 28 different local data protection regulations disappear. With the GDPR, data protection will be Europeanized.

The new regulations of the GDPR will bring many changes and various additional obligations. This will lead to new implications for owners, managers and employees.

German companies that comply with the current local Data Protection Act have a clear advantage, as a lot of the regulations will remain the same or be similar.

Hand on heart - have you already taken measures to ensure proper data protection? I doubt that many hoteliers have spent the necessary time on this topic.

There is a difference between the so-called "data security", i.e. the technical and organizational measures, and the actual "data protection", meaning the protection of a person from excessive collection of personal data by companies, the government etc. Under data protection, a person does not only include the guests, but also employees, suppliers, and other third parties. We will focus on the hotel guests, the direct clients of our industry.

Here are some good reasons why the GDPR should be taken seriously:

• Organizations in breach of the GDPR can be fined up to EUR20m or 4% of annual global turnover (whichever is greater). This is quite an increase from the former maximum amount of EUR300.000. Now, the annual global turnover of an organization is taken as a calculation basis. This makes it all the more important for international organizations with branches in Europe to comply with the GDPR, as the annual turnover of the entire group will be taken into consideration.
• Under the new regulations, the personal liability of managing directors will remain valid; so will the personal liability of employees.
• The GDPR aims at strengthening the position of any affected person. This will, however, also encourage so-called "warning associations" to pursue infringements of the GDPR and to instigate legal proceedings. This could lead to the development of a new type of "warning" industry, which can increase the risk of getting fined.

In other words, this is the last chance to take this topic seriously and to take respective actions.

Record of Processing Activities

The GDPR clearly regulates how data protection must be organized. One of the new obligations is to keep record of all data processing activities in a so-called Record of Processing Activities. All processes of an organization that involve personal data must be described and documented. The record must also indicate how long the data is stored and when it will be deleted. German organizations that have documentation following the current German data protection regulations can easily adapt the existing record to the new requirements. Most companies, however, have no documentation that they can build on. A typical organization has about 150 processes that have to be evaluated and documented. It can take a couple of hours to create the respective entry in the Record of Processing Activities. This gives an indication of the scope of a GDPR project and the work involved to create the required documentation. And keeping a Record of Processing Activities is only one of a dozen requirements.

The Record of Processing Activities clearly shows where data is processed and what exactly is done with it. In the past, companies had some time to create the documentation, as any inspection was announced beforehand by the data protection authorities. As of May 25, 2018, however, the authorities have the right to demand the Record of Processing Activities without giving any prior notification. There are even discussions about remote access to the records. But even if the deadline was longer, it would be impossible to create a proper record, as it requires so much input by the specialist departments, such as legal, the data protection officer, IT security, etc. There will be no more buffer for a quick fix. If you want to avoid the risk of getting fined, all documents should be more or less available at hand.

Implications for the hotel software

The controller of the data, e.g. a hotel, will be liable for the proper data processing of its suppliers, mainly the software providers ("processor"). This implies that a hotel based in Germany is fully liable for the activities of its software provider, which is based in the US or in China. The German hotel is obliged to verify whether the provider complies with the new regulations. This will be extremely challenging for most European hoteliers and might have serious consequences.

Technological Changes

The GDPR will also bring big challenges for the industry in regards to technology. An individual hotel works with up to 15 software systems containing guest data. As of May 25, 2018, guests have the right to request information about their personal data stored by the hotel. They also have the right to demand deletion of their personal data. Further, a guest may demand transfer of his personal data back to him or to a third party, e.g. a competitor. There are certain prerequisites to this, but these are mostly met in case of guest data.

In a fully heterogeneous IT environment, it will be virtually impossible for companies to comply with the new regulations, unless they have a Central Data Management (CDM), a so-called "Above Property System", which centralizes all data streams. A CDM with its central guest profiles enables the implementation of a privacy dashboard meeting the new EU standards.

We highly recommend checking whether your software provider complies with the GDPR regulations. If not, you should switch provider and even consider taking legal action for non-compliance with the legal requirements. Data protection should be part of the software concept (Privacy by Design). And it is your right to work with partners who provide legally compliant software. We advise to only work with software providers that guarantee legal compliance. European software companies had to comply with data protection regulations for many years already and are thus better prepared than providers for which the complex regulations of the GDPR are new territory. Never before has it been more important to select the right software provider.

Since April 2017, dailypoint has been working on a holistic GDPR compliance strategy. During ITB 2018, we will present the new privacy dashboard for our dailypoint software products. This dashboard will be integrated as a standard module in all dailypoint products (kissCRM by dailypoint, dailypoint 360° CDM/CRM, dailypoint BOOKING MANAGER and dailypoint SMART WLAN). For us "Privacy by Design" means that we take data privacy seriously and support our hotels to do the same.

6 hotel booking trends we're watching in 2018

Travel Tripper · 6 February 2018
1. Review platforms attempting to dethrone TripAdvisor

The dominance of the world's biggest travel review site will be heavily challenged in 2018. Along with the less-than-stellar performance of its hotel booking product, TripAdvisor's reputation suffered following revelations that it censored reviews concerning rape allegations at specific hotels.

Both Google and Facebook are coming up on the rails following their recent moves into the reviews game. Yelp is also making a play for the huge hotel advertising market by expanding ad offerings to hotels. And there are rumors Yelp also wants to add booking capabilities to their site.

All summed up, the environment looks ripe for some seriously competitive moves next year.

2. Airbnb to lead an end-to-end travel booking movement

Airbnb's ambitions show no sign of abating. Along with busily expanding Experiences (part of its Trips tool), the company has made a huge investment in restaurant reservations app Resy. It's pretty clear that Airbnb intends to be a one-stop shop for booking your entire travel experience. The only thing it doesn't seem to be focusing on is transportation.

The company also seems keen to redefine travel for locals, too. Regarding Airbnb Trips, CEO Brian Chesky recently said he wants to make "outsiders feel like insiders," in part by helping local people better connect to their own city. It's a smart move that could help Airbnb build up a base of regular local users. Add in talk of introducing a loyalty program, and 2018 looks set to be a big year for Airbnb.

But Airbnb is far from the only platform that sees the potential in tours and experiences, something that Skift classed as a "megatrend" in 2017.

TripAdvisor is betting on growth from its "non-hotel" business with the strengthening of its tours and activities segment. Expedia and Booking.com are also investing heavily in tours and excursions.

The big question for next year will be whether the OTAs also attempt to integrate end-to-end bookings (accommodation + activities + food/restaurants) into their own platforms. This would effectively make them a one-stop shop, rather than acting as multiple sites operating under the same umbrella. Given Airbnb's ambitions, this move may come sooner rather than later.

Against this changing booking landscape, hotels will also need to adapt. This could involve integrating tours and experiences within their own offerings, either publishing tours on their own website or integrating links to make booking easy.

3. The great race to capture user loyalty

There have been a lot of developments this year in the loyalty game. Biggest of all was the announcement from the world's major hotel brands that their direct booking pushes and loyalty rates have worked.

OTAs, which have ordinarily played the marketing game through aggressive search marketing and competition on price, are now changing their tune. For instance, Booking.com recently announced they would invest more in TV commercials, a move intended to drive direct traffic and encourage repeat bookings. Expedia also revealed they would be getting rid of their price matching guarantee.

Adding to this, there are suspicions that Booking.com is taking advantage of Google's audience targeting function to advertise Genius rates to Genius users that search for hotels on Google.

All of these efforts have had some positive effects. But the loyalty environment is still ripe for innovation. As such, we may see a major shift in 2018 across the industry. For example, many independent hotels are now working on ways to develop their own loyalty programs and better integrate them into the booking experience.

Once again, keeping up with Airbnb will prove the main challenge. According to a study reported by Phocuswright, of all the major accommodation booking sites (including hotel brand sites and OTAs), Airbnb is by and large the site with the most loyal--read: actual repeat--customers. Just imagine what may happen if they do end up launching a loyalty program!

4. This blockchain thing everyone keeps talking about

Aside from Bitcoin, few people truly understand blockchain technology. Yet while many grapple to figure out what it's all about, excitement is growing surrounding industry startups such as Winding Tree. Using blockchain, this travel distribution platform promises to help suppliers regain control over their inventory and reduce costs to middlemen, in turn driving down costs to the consumer.

There's also talk of how Bitcoin can integrate within airlines, how it can improve security, and even how it could be a boon for independent hotels. Is it the panacea for all travel industry ills? Phocuswright described it as somewhere between "revolutionary and hyped." Like most new technologies, we likely won't know blockchain's true usefulness until we see it in action more commonly--something we're expecting next year.

Broadly, the whole issue of data security has been pushed to the forefront in 2017. High-profile incidents included the data breach at Sabre and hacks such as the Equifax breach. All have stoked the fires surrounding the need for better security.

Add in the fact that the EU's General Data Protection Regulation (GDPR) comes into effect next May, and you can bet this topic will remain firmly top of mind in 2018.

5. The AI race to better dynamic and personalized pricing

Artificial intelligence certainly has plenty of flashy applications in travel. In recent times, chatbots, travel apps and personal assistants have all captured the imagination. But moving forward, hotels will find the real advantage of AI lies in pricing applications.

Apps such as Google Flights already offer "predictive pricing," which provides consumers with suggestions on when they might find the lowest price. However, businesses can also benefit from the same technology. For instance, Starwood has spent the year testing its own AI-powered revenue strategy optimization tool, enabling better power dynamic pricing and improved demand forecasting of 20%.

The introduction of more loyalty programs and "closed group" booking tools will also mean that personalized recommendations and marketing (if not pricing) will become easier to implement as well.

The integration of AI tech, which may be used to help track and identify user preferences and past habits, may help to further this along.

6. China is the one to watch in digital travel

China is one of the world's largest and fastest growing tourism markets, and it's poised to be the biggest by 2022. But even more amazing, China's rate of digital adoption in travel far surpasses anyone else in the region.

According to Phocuswright, if you took just Chinese mobile bookings, it would be the third highest source of bookings in all of Asia (after Chinese total and Japan). You can hear more about this discussion in The State of Digital Travel video starting at 4:57.

In the Washington Post, Douglas Quinby, senior vice president of research at Phocuswright, was quoted as saying, "China is far ahead of the rest of the world in mobile travel trends," further adding that their "apps, payment services and other features are more advanced and widely accepted."

It's also worth mentioning that China runs on its own digital ecosystem: all of the OTAs, social media, review sites and chat apps are specifically Chinese and aren't widely used outside the country. Likewise, many well-known apps in the West aren't used in China. So while there's a lot to learn from Chinese technology in 2018, the lack of shared platforms makes this especially hard.

Looking ahead to 2018

The travel industry looks set to see significant change this year. The rise of blockchain will be one to watch for sure, as will the impact on TripAdvisor from emerging review sites. And the ever-expanding plans of Airbnb will continue to grab attention. For hotels, the fight for guest loyalty and the adaption of AI for pricing personalization will be key themes as technological innovation delivers new possibilities.

The key trends shaping the hospitality industry in 2018

Cendyn™ · 14 December 2017
1. In your opinion, what are the top three trends that hoteliers should be aware of going into 2018?

The evolving nature of the guest experience and keeping up with guests' needs and expectations is a huge focus for the hospitality industry. For a hotel, managing the customer relationship is one of the most critical elements of gaining and increasing loyalty, and yet can be the most difficult for hotels to master, as customers interact with them via a burgeoning number of contact points: email, mobile, social media, at the front desk and throughout the hotel property. Never before has technology played a more important role in improving what is ultimately the human experience of hospitality, both in terms of curating and providing it, but also in the way that customers express their gratitude for that experience in the form of loyalty.

Secondly, understanding the capabilities of artificial intelligence (AI) and how that can focus and positively affect the interaction between the guest experience and the hotel. The focus for technology companies serving the hospitality industry is to enable hotels to communicate more effectively with their guests so that they are able to deliver the right message to the right person, at the right time and importantly through the right channel for that guest. With GDPR coming into effect in May 2018, never before has it been so important for hotels to ensure their communication with the guest is relevant and the data they store about a guest is compliant with these new regulations.

Lastly, a key focus is personalization. Technology companies will need to work more closely together for the benefit of mutual customers to enable personalization between the hotel and their guests. Customer relationship management (CRM) is no longer just a tool for the sales and marketing departments, CRM is a tool that benefits the operations, revenue management, and distribution departments as well. Because of this, hotels are looking to integrate CRM with their other technology vendors as well, bringing the various data sources into one central place to create a single version of truth about that guest. This enables greater personalized communication between the hotel and the guest. For example, integrating a CRM to a revenue management system has enabled our customers to now offer personalized pricing based on the guests' profile including the recency, frequency and monetary value of that guest to the hotel.

2. What is the biggest challenge the hospitality industry is facing?

One of the biggest challenges, and opportunities, is how small our planet has become and ultimately how that has made travel easier and more accessible than ever before. This challenge opens up a wealth of opportunity but every culture and guests' needs are different. The industry needs to be mindful of this when managing travel and guest experiences on such a scale. Combine this need with the GDPR regulations coming into effect in 2018, it is imperative that hotels are working with CRM solution providers to ensure the guest profile data is accurate, communication is effective and profile data is managed in compliance with the new regulations.

3. In the next 5 years, what role do you see Cendyn playing in the hospitality industry?

CRM has become front of mind for hoteliers across the globe. Not just because of its ability to process data and provide a clear, digestible view of that data, but because it is the only way to process data from multiple technology platforms within a hotel and then provide a single version of truth for every guest. This has become imperative for hoteliers who want to provide a truly personalized experience, drive loyalty to their brand and stay competitive. In the next five years, this will become even more apparent as guests become savvier and demand more from their travel experiences. For hoteliers to stay ahead of the curve, we've seen that using data to pave the way in how hoteliers communicate with their guests has revolutionized how they can learn more about guests' interactions, drive direct bookings, maintain brand presence with their most valuable guests and stay competitive in their market. Our continued investment enables hoteliers to keep their guests at the forefront of what they do, and concentrate on providing exceptional, personalized customer service at all times. And as AI becomes more of the norm, hoteliers will need to embrace the ability to use machines/technology to aggregate information and learn from data to provide a seamless experience for every guest.

Personal data, privacy and identity

HFTP ·By Alvaro Hidalgo
The collection of personal data is inherent to the hotel industry; it is what allows us to tailor guest experiences, market our hotels effectively, and foster long-term loyalty. The EU's General Data Protection Regulation (GDPR) will come into force soon, and it has the potential of turning all of this, and more, on its head. Alvaro Hidalgo walks us through the enormous challenges, and even posits a solution.
Article by Ian Graham

Serving Up Profitability

The Hotel Solutions Partnership · 7 November 2017
The principal revenue-generating assets under management in a restaurant are the seats and tables - and this applies whether the restaurant is a stand-alone business, is in a mixed-use development, is in a theme park, is in an airport terminal, is in a hotel, or even is a pop-up business in a yurt. The seat is a hugely perishable asset - every minute that it is unoccupied there is a missed revenue generating opportunity. If you don't fill the seats this meal period, the revenue (not to mention the profit that you could have made) is gone - and probably elsewhere!

So, it's clear that a key metric for best practice is Revenue per Available Seat Hour. RevPASH is calculated by getting the revenue for the hour and dividing it by the number of seats that you have. If the restaurant is only half full, your RevPASH will be lower than it might be; if everyone orders one course only, your RevPASH will again be lower.

Caroline Wilce is Finance Director and shareholder at Black and White Hospitality Management Ltd (the franchisor of the Marco Pierre White brands - Marco's New York Italian, Marco Pierre White's Steakhouse and Grill, Wheelers Oyster Bar and Grill Room, Mr White's English Chophouse, Bardolino). She says "the main key KPIs used by successful restaurant operators include:

• Revenue per available seat hour (RevPASH)
• Revenue per available square metre (RevPASM)
• Cancelled / No Show Covers as a % of Reserved Covers
• Time per Table Turn"

The common ways to increase RevPASH are to

• decrease the amount of time each party spends at their table and/or
• increase the average spend and/or
• decrease the time that a table stays empty after a party leaves

Here are some ideas to increase your RevPASH.

1. Breakfast, Lunch and Dinner

Stelios Haji-Ioannou made a success of easyJet by first filling the aircraft then raising the price. Sweat your asset; how often do we see hotel restaurants closed for lunch, and branded restaurants closed for breakfast? Yet, one rarely sees small privately run restaurants closed - they are open all hours. The entrepreneurial owner/operator knows that the asset must be sweated.

2. Seven days a week

By increasing available seat hours, you give yourself the opportunity to spread your fixed costs. So, if there is a market, keep the restaurant open all week, all meal periods. If there isn't an obvious market, create one. Many hotels have found success with (champagne) afternoon teas. Pre-theatre dinners are a similar reaction to creating a market that enables the restaurant to be more successful.

3. No more quiet nights

Capitalize on menu trends. The industry is seeing a need for more organic, healthy locally sourced options. In some cases, and locations, customers value these options and are willing to pay for them. You need to understand your customers, though, as opinions can vary depending on the market or region. Sundays and Tuesdays are traditionally the toughest nights for a restaurant, so running promotions to fill the seats will at least get some revenue. Maybe link in with a local cinema, or run a series of promotions to encourage people to come out on your quieter nights.

4. Increasing the number of turns

The number of turns is the number of parties that sit at a table each night. Depending on your clientele and target market, you may be able to get another sitting in. Some restaurants do fixed sittings, say, 6pm and 8pm so that customers know if they are in the 6pm sitting, they need to be out by 8pm. This works well if people are going to the movies or the theatre.

5. Create a pool of ready diners

The bar is a great way to increase your RevPASH. Customers have a couple of beers before dinner and are sitting there ready and waiting as soon as a table is cleared. The in-room TV and the lift walls are opportunities to promote the hotel restaurant to guests. Better still, a recommendation by the receptionist at check-in can generate business that might otherwise walk out of the hotel for dinner.

6. Increase your prices

Make sure your prices are right. Check the local competition and see how you compare. The big thing is to look at each sitting individually and try to optimise the results. Some restaurants do this without thinking about it. It is why there are separate lunch and dinner menus. After you evaluate what other restaurants are doing to drive sales, a review of customer data might show that demand indicates that some menu prices could be increased without hurting sales.

7. Table optimisation

Some restaurants and cafes attract more singles and couples, others larger groups. If all your tables are for 4, it means that every single and couple is wasting seats and decreasing your RevPASH.

8. Last minute offers

If you are having an unexpected quiet night, why not Tweet a special or post it on your Facebook page? Work hard to get those extra couple of tables in. It can be the difference between a loss for the night and breaking even.

Customer traffic is one of the key metrics restaurant operators use to measure success. When traffic is down, many restaurants turn to new promotions or even consider lowering prices, but will these actions reverse the trend? Before you act, first take time to understand the change in traffic and the underlying causes. Two key steps in deciding how to address traffic issues are to determine if it is a sustained problem or a short-term trend and to determine whether the decrease is caused by internal or external factors. Guest count problems can be addressed in many ways. Once you gain an understanding of what causes traffic issues at a specific location, you will be better prepared to create solutions that address the true, underlying problem.

Ally Dombey Northfield is a Director at Revenue by Design, creator of revenue management solutions for the hotel industry. In respect of restaurants, she says "..the focus needs to be on optimizing profitability through contribution margins, differential pricing, menu mix and price blending"

Restaurant technology can and should be leveraged to provide better information to inform better decisions. Such tools provide insights into restaurant customer purchasing behavior enabling prediction of their reaction to future initiatives. Technology can be harnessed to

• measure the effectiveness and impact of limited time offers
• understand the impact of coupons and decide on the most profitable offers
• quantify the impact of testing a new menu line or a new service concept
• help select the most representative restaurants to test brand innovations
• review loyalty programmes and recommend marketing initiatives

The National Restaurant Association in the USA believes that over 60% of sales in fine dining restaurants and 80% of sales in casual restaurants come from repeat business. So, remember that it is existing customers who are your most likely future customers - and through social media they can influence potential customers who have not yet experienced your restaurant. Leverage the database of existing customers (respecting GDPR of course).

I hope some of these thoughts help YOU improve your profitability.

Are you keeping your guests' personal data safe? Interview with Alan D. Meneghetti

GuestRevu ·23 October 2017
Having previously been a partner at Clyde & Co LLP and Locke Lord LLP, and with a legal career that includes specialisation in data protection, privacy and IT, few are better equipped than Katten Muchin Rosenman UK LLP Partner Alan Meneghetti to offer guidance to hoteliers on how to handle sensitive guest data carefully.

We chatted with Alan to get the expert's opinion on how hoteliers can ensure they are treating their guest data with the care it deserves, and in compliance with current and incoming data protection laws.

Where did you first begin to work with hotels and the hospitality industry?

My first venture into hospitality was working as a room attendant at Sir Rocco Forte's fledgling group's first hotel, the Balmoral Hotel, in Edinburgh. I went on from that to be a trainee hotel manager at the Balmoral and then to work as Restaurant Manager at Sir Rocco's first purpose-built hotel in Cardiff Bay, the St David's Hotel & Spa (which the group has since sold).

I knew that I loved the hotel business and spent a long time trying to work out how I could combine it with law, which I had read at both the University of Cape Town and the University of Aberdeen.

How do you think hotels will be affected by the new privacy laws coming into effect next year?

Hotels, as with most other businesses, will need to ensure that they are up to speed with the requirements of the General Data Protection Regulation (GDPR), which commences across the EU on 25 May 2018, and ensure that their systems and agreements with their contractors are compliant with the requirements detailed in the GDPR (many of which are either new or extensions of the requirements under the existing European legislation).

It is also worth remembering that the GDPR does not only apply to hotels operating in the EU, but also to those which offer services to customers in the EU (for example, gift cards, mail order and so on).

With the rise of personalisation and hotels asking guests for more data than ever and often on different platforms, do hotels in general put enough emphasis on data security?

No, but then I don't think most businesses do! Hotels hold an enormous amount of personal data and, quite often, personal data which is of a sensitive nature (for example, information about guests' medical conditions or meal choices which may indicate a religious preference), not to mention credit card and billing information. As a result of this, the data that hotels hold is particularly valuable and presents a prize target for thieves and fraudsters wishing to exploit vulnerabilities in a hotel's IT network.

Hotels need to ensure that they know exactly what data they hold, how long they are holding it for, where they are holding it and what security measures they have in place to safeguard that data (as well as whether that security is currently sufficient - something which requires constant evaluation).

Can hotels expect increased pressure to be transparent about how they are protecting guest data?

Not necessarily so, in a general sense, although if there is an incident relating to personal data held by or on behalf of a hotel, the hotel must be in a position to respond to that. It is imperative that hoteliers have a plan in place for handling data incidents that is agreed upon and rehearsed in advance. Hoteliers also need to be prepared to explain to an investigating regulatory authority how its systems are set up and why it believes them to be sufficient to protect the data which the hotel holds.

What is the first question a hotelier should ask when assessing whether their security measures are good enough?

How strong, and where, is the weakest part of my network? This is where the vulnerability lies.

Is there a chance that hotel staff could unwittingly be breaching privacy laws or regulations, particularly in smaller hotels?

I think that there is every chance that this is the case. For example, does the hotel use a cloud service provider to back up its personal data and, if so, where does that cloud service provider physically store the data? If it is outside the European Economic Area (EEA), is the hotel able to point to a lawful ground (such as guest consent) to permit the export of this personal data outside the EEA?

What advice would you give to independent hoteliers to ensure they comply with the new privacy laws?

Spend a little bit of time getting to know your obligations under the GDPR and your network infrastructure. You can then work out if you need to update your customer and supplier agreements and your IT network, and create a plan to detail the areas that need addressing in order of priority.

What's the best hotel you've ever stayed at?

May I have two please? I love the Balmoral in Edinburgh because it is just so beautiful and perfectly decorated and I have watched it evolve since I first went there in 1996. Hadrian's and Number One are also two of my favourite restaurants - amazing food, great service, and both in settings which perfectly complement the food they serve. And then the Imperial in New Delhi, which has the most amazing food and service, and is a haven of calm and tranquillity in the middle of a thriving, bustling and generally very busy city.

Article by Abby Ward

Understand Your Guests to Increase Conversion Rates

Net Affinity ·19 October 2017
Do you know who your website content should be targeting, who's visiting your site and who's actually parting with their cash to make the booking? If you can't answer those questions, it's time to start building a picture of your target market in order to better meet their requirements and wishes.

You can do this by tailoring your rate plans and packages to suit various guest types. You can also use data segmentation to send and display the right content to the right people, be it for email marketing campaigns or for display and remarketing ads.

Whilst you should be looking at your own guests in careful segments on a property level, it's helpful to take a look at the industry at large. This data can tell you who you should be trying to talk to and on which platform and devices.

Across our portfolio of clients with 12,800,000 hotel website sessions for the first half of this year, we have monitored each transaction to find out those answers. Of course, this data is purely for guests who made their booking online, so keep in mind that there are guests who book over the phone, or in some cases in person, who are not represented in these figures.

Let's take a look at the demographic of people who have visited our client sites and those who booked, from Q1 and Q2 2017:

Who Visits

Women made up the majority of visitors. The ratio of female to male users is more than 2:1, at 69% female and 31% male. This may reflect that more women are doing research, or that women simply prefer to visit more sites during their research.

The young adults are the most enthusiastic travelers. 56% of visitors to hotel websites are 25-44, and the strongest demographic is 25-24 (28.8% of users).

Who Books

While more women book than men overall, this number is skewed by the higher number of women visiting sites. On the whole, men convert 1.5 times more often than women, although they contribute less revenue and transactions overall.

As far as the age of your guests is concerned, the same pattern as above holds true for transactions and revenue as well. Those aged 25-44 make up about 55% of transactions and revenue.

However, it's worth noting that those aged 45-54 and those over 65 convert more often. This suggests that by the time your more mature guests reach the website, they are more ready to book. Younger ones, most dramatically those aged 18-24, tend to shop around a bit more before committing to a booking.

5 Ways To Implement Guest Data Into Your Strategy

• Ask your guests for information at checkout: name, email address, age, gender, occupation.
• Train your front desk in collecting data for each guest, such as the purpose of their trip.
• Tailor your packages for each of your top segments. This could mean using value adds such as a free drink on arrival, or using local events to make your hotel stand out to those attending them.
• Segment your data for marketing purposes. For example, send your Valentine's Day campaign to males, with a special offer to save them money and hassle.
• Make sure your data storage processes and systems are GDPR compliant. A new regulation coming into force in May 2018 has significantly tightened up laws around storing and using data, so make sure you're clued up on it.

For more interesting insights from our client data, check out our Digital Trends Report.

133 | GDPR Compliance with HFTP COO Lucinda Hart

The Lodging Leaders Podcast: Powerful Business Strategies for Hotel Professionals·11 October 2017
Lucinda Hart, CAE, MBA, has over 22 years of association management and customer service experience in the areas of human resources, certification, membership, chapter relations, conferences/trade shows, nonprofit legal issues, and governance and administration. As HFTP Chief Operations Officer, Lucinda is responsible for the day-to-day operations of the association, managing 30 staff members, as well as representing HFTP at numerous industry global events. Lucinda received her Bachelor of Arts in Human Resource Management and her Master of Business Administration in Organizational Leadership and Management from Concordia University Texas. She is also a Certified Association Executive (CAE). Lucinda was awarded the Professional Excellence Award from the Texas Society of Association Executives (TSAE). She serves as a mentor for Leadership TSAE and Concordia University Texas.
Article by Kris Troukens

GDPR - Advice for the Hospitality sector

Quality Hotel Services ·13 September 2017
SITUATION

GDPR, what is it, and is it important to the Hospitality Sector?

The General Data Protection Regulation (GDPR) is a major overhaul of the EU data protection law. It comes into force on May 25th, 2018. It requires any business (including hospitality industry businesses) that handles personal data of an EU citizen to have adequate measures in place.

What is meant by "adequate measures"?

By "adequate measures" they mean data should be properly protected, so that theft or misuse of this data cannot occur. The EU citizen (the guest) also has specific rights on the data that you are holding about him (see below).

Does GDPR only apply within the European Union?

No, it applies to data stored on EU citizens, wherever they are staying around the world. This impacts the entire hospitality sector, worldwide.

What if I am not compliant?

If an EU citizen files a complaint, the hotel may face some hefty fines. The maximum fine is set to 20 million Euros, or 4% of the annual global turnover (whichever is the greater).

HOW TO PREPARE in 13 STEPS

There are several steps that the hotel can take to properly prepare for GDPR. Some of them may already be in place. They are listed below.

1) Create awareness in the hotel

Buy-in of the hotel management team is also essential. There may be changes in procedures or systems, so all managers should be aware of GDPR, fully understand it, and be able to understand the impact on their department.

2) Create a "data-register"

You should be documenting which information you are holding, where it is stored, where it comes from, whom you are sharing it with, and if the guest has given his consent to you collecting all this data. This "data-register" will map all your data streams.

All processing steps should be recorded, and this may require the compilation or review of existing policies and procedures.

3) Communicate to your guests about your new privacy rules

Make sure you ask the guest for his agreement on giving you all required data, and document that agreement. This could be easily done on the registration card, or when checking in online. Adapt your legal statements and customer agreements to the new legislation. You will need to disclose for which purpose(s) you intend to collect data, and how long you will be keeping it.

4) Guests' rights

The European guest has several rights, and you need to ensure he can exercise his rights, which include:

• The right of access to his data
• The right to rectification
• The right to erase
• The right to restrict processing
• The right to transfer his data to another party
• The right to object
• The right not to be included in automated marketing initiatives or profiling

Many of those rights may already be in existence today.

5) Guest access requests

You will need to be ready to handle a guest request coming in about his rights. You are not allowed to charge for this service, and you have a maximum of 1 month to provide an answer. If you refuse a request, you must inform the guest about your reasons, and provide any details about the Privacy Commission and the name and contact details of your DPO (Data Protection Officer, more on this below), so that the guest understands how to file a complaint.

6) Lawful basis for processing guest data

While the hotel is collecting data, it can only do so if there is a lawful reason. You need to review and ensure all questions you are asking (on registration cards, online forms etc.) are absolutely required for you to process the guest. As an example, the departure date of a guest is a required piece of data. However, asking for the guest's birthday may be more difficult to justify.

7) Guest consent

It is important to review how you are obtaining and recording the guest's consent. He may be arriving via a travel agent, via a telephone reservation, or it may be a walk-in. All these cases need to be considered.

At all times, there must be a clear "opt-in" given by the guest. There cannot be any pre-ticked boxes where the guest agrees to give his data; opting in is never by default. Also consider how you will handle the case of a guest who withdraws his consent.

8) Children

There's an additional consideration for children under 16. Authorisation to process a minor's data should be obtained from their parents or responsible adult. The hotel needs to prepare for this scenario.

9) Data breaches or theft

The hotel should be ready to detect and remedy any data theft concerning personal data. The data register should be able to provide insight into which pieces of data are concerned.

Any incident should be reported within 72 hours to the Privacy Commission, for all cases where there is a risk that guest data may have been compromised.

By extension, this implies your network and storage systems should be up-to-date with the latest intrusion detection programs and should have successfully passed penetration testing.

10) Data protection by design, and Data Protection Impact Assessments

For any new systems or major changes, it would be wise to keep "Data protection by Design" in mind. Indeed, when discussing requirements for a new tool or procedure, you can already include the data protection principles, right from the design stage.

An Impact Assessment is required when major new technology is introduced, or significant upgrades are taking place on systems which contain personal data.

11) The Data Protection Officer

Within your hotel or company someone should be tasked to become the Data Protection Officer (DPO). Make sure this is someone who knows and understands the importance of personal data processing. This can very well be an additional task for an existing employee or manager.

It is mandatory to appoint a DPO when you are handling large volumes of personal data records, such as medical or criminal records. In a hotel, large amounts of credit card details are processed, so it is eminently sensible to have a DPO in place.

The DPO should always understand and be aware of all data flows in the hotel, and he should ensure that he has an updated data register at all times, in case any queries arise.

The name of the DPO should be mentioned on all privacy statements on any media. When filing a complaint, the guest will reference the DPO by name.

12) International and Group Hotels

If you are an independent hotel, this point does not apply.

For hotels with multiple properties, or in multiple EU countries, it is important to align the procedures, and to identify who is taking the lead (presumably the country or regional office) for the coordinated GDPR efforts. If you are present in multiple EU countries, it is required to identify a "main establishment", and also the country lead supervisory authority.

13) Existing Contracts

It is likely that for the processing of your data you are assisted by third parties or subcontractors. Make sure you are aware of who they are, and what your current contractual obligations are. It would also be an excellent opportunity to review these contracts to include any GDPR-related aspects and to ensure that the contractor is aware of his obligations under GDPR and that services or systems help you meet your GDPR requirements.

MORE FAQs

Who is overseeing the introduction of these new regulations?

Every country has one central organisation to oversee the introduction of the new regulation. For Belgium this is the "Privacy Commission" (https://www.privacycommission.be). Any queries or complaints from guests will be addressed to them.

Who is responsible?

Ultimately it is you, the hotelier, who is responsible. So, if any of the above points fail, and a guest files a complaint with the country authority, it will be addressed to you, and you will have to justify your actions to the Privacy Commission.

What if I need assistance?

Quality Hotel Services can help you in several ways:

• Compile a comprehensive awareness campaign, tailored to your property
• Set up a "data-register" for you, or provide you with a workable template
• Making sure the necessary "consent" statements are included on all printed and electronic media where you collect guest data
• Recommend processes on how to obtain consent from guests, and children
• Ensuring your network and data storage devices are 100% safe and protected
• Design an "Impact Assessment Analysis" template document
• Compiling the job description and procedure manual for a DPO
• Compiling your "Data" supplier list, and reviewing/suggesting contractual amendments

My data, my privacy

hotelnewsnow.com Featured Articles· 8 September 2017
The future is full of revenue opportunities for hoteliers who try to monetize their guests’ data, but from the guest perspective, it may seem akin to living in a surveillance state. The hotel industry is doing its best to catch up to other industries that collect consumer data and turn it into actionable items and, therefore, monetize it in one way or another. It could be sharing guest data systemwide throughout a brand so that when a guest arrives at a particular location, his or her information is available so front-desk associates can make check-in a more personal, welcoming experience. It could be using facial-recognition technology to not only confirm a guest’s identity, but also to determine a guest’s mood and recommend an action, based on that analysis, to improve the guest’s stay.

Addressing consent management in GDPR

The Analytic Hospitality Executive | SAS·31 July 2017
When we talk about consent management for the EU’s General Data Protection Regulation (GDPR), one of the key considerations is “consent for a purpose.” It might have been sufficient in the past to provide a form with a single generic consent check box and store the fact that consent was given or not. But under the GDPR, consent is per purpose, specific, might change over time and applies to a single type of interaction or channel. In GDPR terms, this is also known as “explicit consent.” Such explicit consent is given for a specific purpose -- and might only affect a portion of the personal data collected and stored.
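The difference between a single stored check box and consent "per purpose" that "might change over time" is easiest to see as a data model. The sketch below is an added example, not code from SAS or from the article; the class names, purposes, channels and guest identifiers are hypothetical, and the sample events are constructed. It keeps an append-only log of grants and withdrawals and answers, with default deny, whether a given purpose on a given channel was permitted at a given moment.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous guest identifier (hypothetical)
    purpose: str           # e.g. "marketing_offers"
    channel: str           # e.g. "email", "sms"
    granted: bool          # True = opt-in, False = withdrawal
    recorded_at: datetime  # timezone-aware timestamp of the guest's choice
    evidence: str          # where the choice was captured, kept for audit


class ConsentLedger:
    """Append-only log; the newest event for a (subject, purpose, channel) wins."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.recorded_at.tzinfo is None:
            raise ValueError("recorded_at must be timezone-aware")
        self._events.append(event)  # never update or delete earlier events

    def history(self, subject_id: str, purpose: str, channel: str) -> List[ConsentEvent]:
        key = (subject_id, purpose, channel)
        matching = [e for e in self._events
                    if (e.subject_id, e.purpose, e.channel) == key]
        # Sort by the time of the choice, not by insertion order, so that
        # late-arriving records (e.g. paper cards keyed in later) fit in.
        return sorted(matching, key=lambda e: e.recorded_at)

    def is_permitted(self, subject_id: str, purpose: str, channel: str,
                     at: Optional[datetime] = None) -> bool:
        at = at or datetime.now(UTC)
        state = False  # default deny: no record means no consent
        for event in self.history(subject_id, purpose, channel):
            if event.recorded_at > at:
                break
            state = event.granted
        return state

    def permitted_subjects(self, subject_ids: Iterable[str], purpose: str,
                           channel: str) -> List[str]:
        return [s for s in subject_ids if self.is_permitted(s, purpose, channel)]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data: two guests, one later withdrawal."""
    check_in = datetime(2018, 6, 1, 15, 0, tzinfo=UTC)
    withdrawal = datetime(2018, 7, 10, 9, 30, tzinfo=UTC)
    ledger = ConsentLedger()
    # The withdrawal is recorded first on purpose to show ordering by timestamp.
    ledger.record(ConsentEvent("guest-001", "marketing_offers", "email",
                               False, withdrawal, "unsubscribe link"))
    ledger.record(ConsentEvent("guest-001", "marketing_offers", "email",
                               True, check_in, "registration card"))
    ledger.record(ConsentEvent("guest-001", "booking_confirmation", "email",
                               True, check_in, "registration card"))
    ledger.record(ConsentEvent("guest-002", "marketing_offers", "email",
                               True, check_in, "online check-in form"))
    return ledger
```

Because events are never overwritten, the same ledger can show which consent was in force on the date a past campaign was sent.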
Article by

Talking Tech with Carson Booth - HITEC Amsterdam Advisory Council Chair

Starwood Hotels & Resorts Worldwide, Inc. ·22 March 2017
This March 28-30, HFTP is producing its newest endeavor, HITEC Amsterdam, a smaller, boutique version of the ongoing, popular 45-year event. Helping to guide the educational component is long-time HFTP member, Carson Booth, vice president of global technology for Marriott International (Starwood). Using his expertise in the European, and international, hotel market, Booth leads a council of advisors to make the program uniquely European, with global appeal.

What were some technology challenges that you faced early in your career? What are some of the top challenges you are facing today in the workplace? And how are you resolving them?

I started my career in the late-'80s at the beginning of the technology revolution and have since witnessed the complete immersion of technology in most essential and non-essential activities. The evolution of usage went from users who were non-technical who then became tech-savvy, but still functioned well without the support of technology. Then as personal technology became universal, the tech-savvy user became tech-dependent. Extending further, we are now in the app era where users self-support personal experiences and expect accelerated technology release cycles with new functionality -- always seeking something "more."

This ultimately results in the BYOD/BYOT blurring of business and personal use. Tech-dependence and devices in every pocket create very disruptive challenges to organizations trying to control the need for standard processes and data security against app-proliferation. Neither the food and beverage director, nor their niece, should be allowed to download an inventory management app. Or even more concerning, develop one themselves.

In addition to the BYOT concerns of today, technology sophistication, especially technology security, has far exceeded most skills and capabilities of today's property-based IT manager. This creates gaps in security and service levels. Fortunately, above-property solutions with professionalized service level agreements (SLA) and security management are now maturing and the whole industry will continue to benefit.

What technology developments interest you most and why?

Augmented Intelligence -- The intersection of technology advancements in mobile and cloud computing delivers untethered, real-time information, communication and enhanced decision-making capabilities. The hospitality industry has a significant opportunity to profit from these advancements by recognizing that our guests are empowered by this intersection. Companies should redefine Data as an organizational strategic asset and build customer intelligence programs to leverage this data to ultimately provide a highly personalized experience for the guest.

Micro-services Architecture -- Technology sophistication for an individual hotel has surpassed its ability to manage and secure it. This sophistication tipping point, along with industry advancements in cloud services, is driving technology above property and locking hoteliers into recurring services models where product suites can stagnate. Developers and suppliers that adopt a flexible, micro-services architecture will create a significant share shift by enabling a more flexible, open and modular approach to applications which suit an operation's needs and provides best product choice.

What are some consumer-driven technology practices that have driven technology applications in the hotel?

Portable personal content is driving two distinct changes in hotel technology. First, hotel internet service bandwidth continues to be a significant detractor to the customer experience. Customers compare the internet access speed/cost ratio against their home/consumer experience and place a very vocal, highly-weighted critique against operators delivering sub-par experiences. On-street mobile technology continues to improve in speed and data caps, and is also driving increased expectations for hotel internet access performance. I look forward to the day where this expectation peaks and the on-street and in-room connection experience is ubiquitous and indistinguishable, delivering an experience on-par with in-home Wi-Fi.

Second, viewership and purchase of hotel-supplied content continues to decline due to increasing customer expectations and desire for bespoke content and lineups. These expectations are supported by capacity increases of portable media devices and cloud services like Netflix, Amazon and iTunes. These services are driving the guest's desire to display their personalized content using the in-room television and media players.

What are some best practices you have for running an IT department in a field that is always changing?

The constant evolution of technology is unsustainable for the average individual hotel with limited resources. Hotels need to carefully prioritize their investment decisions and consider the following best practices:

• Remain agile in product choice and contracting terms. The balance of right fit and terms needs to be weighed against medium- and long-term technology trends in the industry. Lengthy contract terms will hinder an organization's ability to pivot when necessary.
• Keep it simple. If it feels complicated and is not well-understood, then it should be reconsidered and questioned more.
• Spend constrained training funds on life-long learning skills and not on IT training. The technology of the day is transitory and so are the training investments in certifications for IT staff. It is more critical and will provide greater lasting value for IT teams to learn life-long skills like public speaking and financial management for non-finance people. The technical training can be on-the-job or self-study.
• Become more agile and responsive to your business partners. Do this by adopting a DevOps approach which emphasizes collaboration and communication between involved parties to break down the silos of the legacy plan-build-run organizational structures. Your business teams will thank you.
• Celebrate success. Digital/mobile teams receive more praise than IT due to the front-end nature of their solutions; however, do not forget their stuff is a pretty front-end for complex back-end systems and interfaces. So be sure to celebrate success across the entire technology spectrum.

Having worked in hotels across the globe, in what aspect do you see regional differences?

There are definite technology expectation and capability differences by region driven in large part by legislation, affordability and other market considerations. For example, in the U.S., convenience outweighs privacy. Therefore services like automated credit card settlement (chip/signature vs. more secure chip/pin) and keyless check-ins (registration-free) are examples of trading additional information or accepting greater data risk for quicker service.

Global and regional operators are constantly tasked with managing legislation and requirement variances across political-economic unions, like the EU and member-states. For example, the registration card remains paper-based across some EU countries, but not all. Variations in VAT and other fiscal requirements for receipts and financial processing need to be accommodated for; as well as, differences in data nationalization efforts for countries like Russia versus the EU's General Data Protection Regulation (GDPR).

In Asia, several differences are noticeable from highly-connected and automated Japan with pervasive 4G, cube and robot-staffed hotels, to solution inward-looking China which challenge global operators in their quest for operational, guest-service and data consistency.

There are broader inconsistencies in language requirements and staff capabilities, costs for internet services, currency exchange and average rates which impact solution affordability, as well as definite gaps in true global cloud service offerings and service-provider. It's complex and requires local knowledge with global coordination for the larger brands to efficiently deliver consistent technology solutions to enhance the customer experience.

Describe a professional experience that has stuck with you. What did you learn from this experience?

Many years ago, U.S. legislation drove the need for greater accountability in financial reporting for U.S.-owned assets held around the world. In Europe, we embarked on consolidating and raising above-property the hotel-based financial reporting systems for 68 hotels in 10 countries to a self-hosted private cloud service. We built and deployed a self-managed data center, created appropriate policies and processes, and brought the solution up technically. By today's capabilities, this seems an easy and natural solution, but at the time, it was new for our users and IT staff. This took an equally-significant effort to win their hearts and minds and to prove the solution provided the needed security and service levels.

This program has had three lasting effects. The first being, the program's IT processes and security program laid the foundation for Starwood's Global Information Security Policies and started the Information Risk Management program which is still deemed best in industry today. The second was the clear establishment of an above-property technology strategy for Starwood.

The third lasting effect, which is personal in nature, came with the realization that one success doesn't necessarily translate into a pattern. Fond memories remain of the spectacular failure of the immediate subsequent project to implement a hosted, enterprise project management solution for all departments. Learning how to develop and present a business case, bring others along and identify when to press ahead versus when to walk-away, is one of the most important lessons of my career.

Leadership and teamwork are always important. Describe an experience when you led and worked with a team to resolve an issue.

The decentralized property technology that remained local created an impediment to our company's strategy. Our team was tasked with identifying multiple paths to advance property technology agility, security and standardization across the globe. We brought together a small, but very capable team, to seek solutions internally and externally with major tier-1 technology partners.

Enterprise class solutions were preferred, but came with a significant cost premium which we knew the board would struggle to approve. Nine months of effort around design, scalability, iterative pricing negotiations and navigating the inherent sacred cows on both sides of the table, led to a tired and very frustrated internal team with significant personal/ownership stakes.

Finally, we had a proposal that we could present and defend to our senior leadership team, but we knew its price tag was a long shot and would come down to a few minutes pitch followed by a yes, revise or in this case, a no. Several weeks prior to this decision, it was important to start a coping process to help the team transition away from their personal ownership stakes and realize in any sizable business no one person can make all the decisions. Most importantly, this included helping them recognize that as a team the journey was a success regardless of the outcome.

HFTP's inaugural HITEC Amsterdam is the first of three HITEC events planned for 2017, and will take place 28-30 March at the RAI Amsterdam Convention Centre in Amsterdam, The Netherlands. The pre-conference events will take place on 28 March, followed by the full HITEC Amsterdam event featuring two full days of education, an expo and networking party. HITEC Amsterdam registration is now available on the HITEC Amsterdam website. Co-located with HITEC Amsterdam are two additional events brought by HFTP industry allies. The Hospitality Sales and Marketing Association International (HSMAI) Region Europe will locate its Revenue Optimization Conference (ROC) with HITEC Amsterdam. Also co-locating is the Hotel Technology Next Generation (HTNG) Insight Summit Europe.

