GDPR – What impact will the new #DataRegulation have on the Hotel Industry?


Indispensable for reservations and booking, hotels handle large amounts of personal data that need special protection. The hotel must ensure customers are aware of the particular uses of their data. GDPR legislation brings in a large number of transformations. Here below is a brief overview of the challenges that will have to be faced by the various players in the sector.


In 2014, the computer security company Kaspersky revealed to the general public the “Darkhotel” hacking campaign, which targeted luxury hotels. By compromising the hotels’ Wi-Fi networks, the attackers stole sensitive data from the devices of senior executives while they were on business trips. More recently, in January 2017, an Austrian hotel was hit by ransomware. Having taken control of the electronic key system, the hackers locked the hotel’s guests in their rooms and demanded $1,500 in bitcoins, paid via the Dark web, as the price for reopening the doors.


Like every other industry, the hotel industry is exposed to a major challenge: ensuring the security of personal data while dealing with cybercrime. With this in mind, the European Union has adopted the General Data Protection Regulation (GDPR, known as RGPD in French), which becomes mandatory from May 25, 2018.

* GDPR is a regulation to strengthen and unify data protection for individuals within the European Union.


It redefines the protection of individuals by protecting their personal data through a number of major provisions. Fully concerned by it, the hotel industry has only two months to prepare for these new obligations and to strengthen its data protection systems.


Hoteliers must take responsibility


Today, the actors concerned are not aware of the risks inherent in personal data or of the strict responsibilities placed upon them. Indeed, hoteliers hold a colossal amount of personal data that customers entrust to them quite readily, with just a few clicks.

Customers are invited to book by sharing several pieces of private data (full name, postal address, email, credit card information, date of birth). Once the reservation is made, a contract of trust is established between the customer who shared their personal data and the hotel, which bears the heavy responsibility of protecting it.


In this logic of responsibility, the need for data protection and integrity naturally extends to service providers, partners and subcontractors (booking centers, concierge services, etc.), whose obligations regarding security and confidentiality will have to be met, strengthened and clarified. It is easy to imagine the impact of any flaw in a concierge service that disclosed the habits and sensitive data of a hotel’s customers and distinguished guests.


According to travel statistics, 93% of customers go online to find and book a hotel. Taking the example of the platform that leads the industry, the client communicates all of their personal information, which is then transmitted directly to the hotel. In 13% of cases, this data is sent by fax, which, if poorly safeguarded, creates a risk for the individual in case of fraudulent use.


The penalties for not complying with GDPR are large: a financial cost of up to €20 million or 4% of worldwide annual turnover (whichever is greater), not to mention the potential reputational cost to a business in the hospitality industry. Even more damaging, the contract of trust with customers would be seriously weakened, a reputational risk with grave consequences for the hotel.



Six urgent measures to take


It is security that must adapt to the customers and not the other way around. Securing data is a major issue, and hotels must prepare to provide a level of security that maintains and strengthens this relationship of trust between customers and hoteliers.

To that end, several challenges will have to be addressed by the various actors of the sector:


Data mapping: Hotels need to complete a data mapping process to become aware of what data is captured, where it is stored, and how it is used before they can begin to decide how to protect and monitor it going forward. A data mapping process also helps the hotel react effectively in case of a breach.


IT and security assessment: After the data mapping process, the hotel’s hardware and software applications should be reviewed along with its hard-copy files. Encryption, pseudonymization techniques, passwords or access restrictions may need to be implemented to protect both access to the data and its integrity.


Data protection officer: Designate a data protection officer, the guarantor of the data protection structure, with the responsibility to review the access, archiving, transfer and data protection processes. Data protection officers are responsible for overseeing the data protection strategy and its implementation to ensure compliance with GDPR requirements.


Cleaning up data records: Deleting data is not required, but validating it is a must. In this process, a hotelier must reach out to customers to inform them of the new policies and to verify their data and its uses. Document all standard operating procedures and invest in training all relevant staff members to ensure they have a thorough understanding of the new procedures and the implications of the regulation. Analyze the impact by assessing, system by system, the risk of disclosure of personal data.


Raise awareness and train internal staff: Maintaining GDPR awareness among staff is an ongoing process. Management should provide regular refresher training for all staff to ensure that a culture of awareness exists to protect against possible breaches.


Third-party partners: Review contracts with existing partners, contractors and subcontractors to ensure integrity throughout the data life cycle. A major change brought by GDPR is that data processors are covered by the regulation as well as data controllers.


The ransomware attack on the Austrian hotel is a call for accountability and awareness in the hospitality industry, one that requires concrete actions to meet these challenges. Only then will the contract of trust with the customer be fully honored, by ensuring the protection of their data.