ALICE has been working hard to fully understand the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and its obligations on us and our customers. We'd like to share what we've learned in order to help hoteliers and anyone else who has to figure out what is going on.
In essence, the GDPR was brought into effect to strengthen and unify data protection for all individuals within the European Union (EU). Building upon the 1995 Data Protection Directive (Directive 95/46/EC), the GDPR was approved by the European Parliament, the Council of the European Union, and the European Commission on April 14, 2016. After a two-year transition period it will become enforceable across the 28 member states on May 25, 2018.
The GDPR gives power back to consumers by forcing companies to be transparent about how they collect, store, and share their customers' personal data. Although the GDPR applies to any organization or business collecting data on EU citizens, the nature of hotels and their many sources of data, such as OTA bookings and PMS systems, makes the regulation especially significant for the travel and hospitality industries.
As ALICE grows and expands to new markets, we are complying with the GDPR to ensure our privacy settings are adequately integrated, allowing our partners to adapt at every stage of the life cycle of customer personal data.
Decision makers and key people in EU and EEA-based hotels should be aware that the law is changing to the GDPR. This would include at least the following roles, if they exist: General Manager, Head of Marketing, and the Revenue Manager. Each of these roles deals with a significant amount of customer and employee data. These leaders should read this FAQ and look further into how to comply within the areas they are presiding over.
All data about persons in the EU are covered under the GDPR. This includes both guests and employees. Hotels should document what personal data they hold, where it came from and with whom it is shared. Hotels may need to organise an information audit.
"Personal data" is any data about an identifiable person. A person can be identified by their name, phone number, email address, reservation number, IP address, or any information that allows them to be uniquely identified.
The GDPR grants extra protections for "sensitive data." This includes personal data that reveals any of the following:
The following are less likely to show up in hotel systems, but should still be understood to be sensitive in case they do show up:
All of the above types of sensitive data can only be handled with explicit consent. If this kind of data is collected incidentally, it should be removed immediately to avoid undertaking new obligations for the protection of that data.
All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR. The DPA must dictate the purposes for which the processor is processing the data.
If a hotel is using software given to it by its brand or flag, it may not be in complete control of how the gathered information will be used. In that case, as joint controllers of the data, the hotel and its brand would need to draw up a contract that explicitly states their relationship with regard to managing data. Both parties would need to communicate the relationship to both guests and employees.
Yes, but there are limits to how data can be transferred outside of the EU/EEA. Most major cloud service providers and many other companies, such as ALICE, have systems in place to address these rules. To confirm that a cloud service is compliant with the GDPR, hoteliers need to make sure:
For each vendor that processes guests' personal information, a hotel needs to do the following:
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
Hoteliers may need to speak with customers at check-in when explicit consent is required for a form of data collection, such as consent to marketing communications. All loyalty programs need to be examined for similar requirements if data is used in a way that requires consent.
It depends. The GDPR recommends that companies take steps to protect all personal data, but it does not specify what those steps have to be. Instead, companies are asked to identify the risks to personal data and do what is appropriate for those risks. Encryption is one of many options available to protect data, but it is not specifically required by the GDPR.
Article 32 of the GDPR gives the following options, none of which are strict requirements, but which should be considered for their benefits to your guests' data privacy:
Customers, employees, or anyone whose personal data is stored at a hotel may request that their data be erased. They can also ask for a copy of all of their data (right to data portability) or for their data to be corrected. There are cases in which this does not need to be honored, for example if there is an ongoing contractual or legal requirement to retain the data. But in most cases, the request will need to be honored. Recital 59 of the GDPR requires these requests be answered within one month. This period can be extended under exceptional circumstances by requesting another month.
In order to be able to handle these requests in time, hotels need to plan in advance how requests can be honored. Each location where data is stored should be mapped out with a plan on how to address the rights request for data in that location. Each vendor also needs to be vetted to confirm they have a similar plan in place. Vendors should have an SLA that is less than a month (e.g. 25 days), in order to give time for communication between you and the vendor on each end of the process when a request happens.
For data portability requests, the law requires the data be given to the customer in a standardized format for transfer to other companies. Since at the moment there is no industry standard for this kind of data to be transferred from a hotel, you must use a generic but easily transferable format, such as text files with headers and comma-separated values.
Within the EU/EEA, a "child" is defined as someone younger than a country-defined age between 13 and 16. For most cases, hotels will not need to rely on children's or parents' consent to process guest information, since the primary basis for data processing is handling reservations. However, in cases where consent is the basis for data processing, for example for marketing purposes, children's data needs to be handled with extra care.
You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity. Children's data can only be handled with explicit consent when consent is required.
Best practice is to avoid collecting and storing data about children unless it is legally required or absolutely essential for handling a reservation.
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements, even if you are not formally required to have a Data Protection Officer (DPO). You should consider whether you are required to formally designate a DPO; this depends on the volume and sensitivity of the information. At the chain and large group level, a DPO is almost certainly required, but for individual hotels, the law is not yet clear and you should seek guidance from your local counsel as to whether it is required.
According to Article 3 of the GDPR, the regulations cover activity happening within the EU or data processing by organizations based in the EU. When an EU citizen travels outside the EU, their activities outside the EU are no longer protected by the GDPR unless the organization processing the data is based in the EU.
However, a booking process that happens between a person in the EU and a hotel outside the EU is considered covered by the GDPR. Data that is collected in the EU during that process is an activity happening within the EU. So hotels outside the EU do collect data that is covered by the GDPR as part of the online reservation process. This data needs to be protected with the appropriate safeguards dictated above.
Businesses can be fined up to 4% of annual global turnover or $24.6 million (€20 million), whichever is higher, for not complying with the GDPR rules.
Alexander Shashou is the co-founder and President of ALICE, the hospitality industry's first fully integrated operations platform, uniting back of house service optimization with front of house guest experience management and messaging. ALICE’s technology suite brings together the hotel front desk, concierge, housekeeping, and maintenance teams, and connects hotel guests to their hotel with a mobile app and SMS. With his ALICE co-founders, Justin Effron and Dmitry Koltunov, Mr. Shashou has taken the company through three rounds of funding, raising $13M, and built a global client base in the hospitality and luxury residential sectors. Mr. Shashou received his Bachelor's Degree from the University of Pennsylvania, Wharton Business School with a dual concentration in Finance and Operations and Information Management. After graduation, he took a position with Goldman Sachs in the Equity Sales division in New York, leaving in Sept 2013 to pursue ALICE full-time. Born in London, Mr. Shashou grew up in the hospitality industry, with his family operating 90 hotels in the UK across three hotel chains.