ALICE Shares Everything They Learned About GDPR Compliance
March 15, 2018 12:32am
by Alex Shashou
ALICE has been working hard to fully understand the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and its obligations on us and our customers. We’d like to share what we’ve learned in order to help hoteliers and anyone else who has to figure out what is going on.
1. What’s the GDPR and why should I care?
In essence, the GDPR was brought into effect to strengthen and unify data protection for all individuals within the European Union (EU). Building upon the 1995 Data Protection Directive (Directive 95/46/EC), the GDPR was approved by the European Parliament, the Council of the European Union, and the European Commission on April 14, 2016. After a two-year transition period it will become enforceable across the 28 member states on May 25, 2018.
The GDPR gives power back to the consumers by forcing companies to become transparent in how they are collecting, storing, and sharing their customers’ personal data information. Although the GDPR applies to any organization or business collecting data on EU citizens, the nature of hotels and the various data holding sources such as OTA bookings and PMS systems escalate the regulation for travel and hospitality industries.
As ALICE grows and expands to new markets, we are complying with the GDPR to ensure our privacy settings are being adequately integrated, allowing our partners to adapt at every stage of the life cycle of customer personal information data.
2. Which hotel staff need to know about the GDPR?
Decision makers and key people in EU and EEA-based hotels should be aware that the law is changing to the GDPR. This would include at least the following roles, if they exist: General Manager, Head of Marketing, and the Revenue Manager. Each of these roles deals with a significant amount customer and employee data. These leaders should read this FAQ and look further into how to comply within the areas they are presiding over.
3. What kind of information should a hotel be cautious with?
All data about persons in the EU are covered under the GDPR. This includes both guests and employees. Hotels should document what personal data they hold, where it came from and with whom it is shared. Hotels may need to organise an information audit.
“Personal data” is any data about an identifiable person. A person can be identified by their name, phone number, email address, reservation number, IP address, or any information that allows them to be uniquely identified.
The GDPR grants extra protections for “sensitive data.” This includes personal data that reveals any of the following:
The following are less likely to show up in hotel systems, but should still be understood to be sensitive in case they do show up:
All of the above types of sensitive data can only be handled with explicit consent. If this kind of data is collected incidentally, it should be removed immediately to avoid undertaking new obligations for the protection of that data.
4. How does GDPR affect the software hotels can use?
All rules that hotels must follow also apply to the software they use. If a hotel uses a product to process its data, that product must adhere to all the same obligations that the hotelier has. Every single vendor who receives personal data from a hotel must share a Data Processing Agreement (DPA) with the hotelier to confirm that the vendor is compliant with the rules of the GDPR. The DPA must dictate the purposes for which the processor is processing the data.
If a hotel is using a software given to it by its brand or flag, it may not be in complete control of how the gathered information will be used. In that case, as joint controllers of the data, the hotel and its brand would need to draw up a contract that explicitly states their relationship with regards to managing data. Both parties would need to communicate the relationship to both guests and employees.
5. Can EU hotels use software vendors or software on servers based outside the EU?
Yes, but there are limits to how data can be transferred outside of the EU/EEA. Most major cloud service providers and many other companies, such as ALICE, have systems in place to address these rules. To confirm that a cloud service is compliant with the GDPR, hoteliers need to make sure:
6. What do hotels need to do about their vendors?
For each vendor that processes guests’ personal information, a hotel needs to do the following:
7. How should a hotel communicate privacy notices to guests?
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Hoteliers may need to speak with customers at check-in if explicit consent is required for any forms of data collection that require it, such as consent to marketing communications. All loyalty programs need to be examined for similar requirements if data is used in a way that requires consent.
8. Do hoteliers or vendors need to encrypt their databases?
It depends. The GDPR recommends that companies take steps to protect all personal data, but it does not specify what those steps have to be. Instead, companies are asked to identify the risks to personal data and do what is appropriate for those risks. Encryption is one of many options available to protect data, but it is not specifically required by the GDPR.
Article 32 of the GDPR gives the following options, none of which are strict requirements, but which should be considered for their benefits to your guests’ data privacy:
9. How can hoteliers make sure they are able to honor requests for data portability, correction, or erasure, a.k.a. “the right to be forgotten”?
Customers, employees, or anyone whose personal data is stored at a hotel may request that their data be erased. They can also ask for a copy of all of their data (right to data portability) or for their data to be corrected. There are cases in which this does not need to be honored, for example if there is an ongoing contractual or legal requirement to retain the data. But in most cases, the request will need to be honored. Recital 59 of the GDPR requires these requests be answered within one month. This period can be extended under exceptional circumstances, by requesting for another month.
In order to be able to handle these requests in time, hotels need to plan in advance how requests can be honored. Each location where data is stored should be mapped out with a plan on how to address the rights request for data in that location. Each vendor also needs to be vetted to confirm they have a similar plan in place. Vendors should have an SLA that is less than a month (e.g. 25 days), in order to give time for communication between you and the vendor on each end of the process when a request happens.
For data portability requests, the law requires the data be given to the customer in a standardized format for transfer to other companies. Since at the moment there is no industry standard for this kind of data to be transferred from a hotel, you must use a generic but easily transferable format, such as text files with headers and comma-separated values.
10. How should hotels handle children’s data?
Within the EU/EEC, a “child” is defined as someone younger than a country-defined age between 13 and 16. For most cases, hotels will not need to rely on children’s’ or parent’s consent to process guest information, since the primary basis for data processing is handling reservations. However, in cases where consent is the basis for data processing, for example, for marketing purposes, children’s data needs to be handled with extra care.
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. Children’s data can only be handled with explicit consent when consent is required.
Best practice is to avoid collecting and storing data about children unless it is legally required or absolutely essential for handling a reservation.
11. Do hotels need to hire Data Protection Officers (DPOs)?
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements, even if you are not formally required to have a DPO. You should consider whether you are required to formally designate a Data Protection Officer, and this designation depends on the volume and sensitivity of the information. At the chain and large group level, a DPO is almost certainly required, but for individual hotels, the law is not yet clear and you should seek guidance from your local counsel as to whether it is required.
12. Do hotels outside the EU/EEA have to do anything to comply with the GDPR?
According to Article 3 of the GDPR, the regulations cover activity happening within the EU or data processing by organizations based in the EU. When an EU citizen travels outside the EU, their activities outside the EU are no longer protected by the GDPR unless the organization processing the data is based in the EU.
However, a booking process that happens between a person in the EU and a hotel outside the EU is considered covered by the GDPR. Data that is collected in the EU during that process is an activity happening within the EU. So hotels outside the EU do collect data that is covered by the GDPR as part of the online reservation process. This data needs to be protected with the appropriate safeguards dictated above.
13. What are the consequences for not complying with GDPR?
Businesses can have fines of up to 4% of annual global turnover or $24.6 million (€20 million), whichever is higher for not complying with the GDPR rules.
Tags: gdpr compliance,
general data protection regulation,
Manage staff work and guest communication across departments with the ALICE operations platform. By joining all the departments of your hotel onto a single operations platform for internal communication and task management, ALICE helps your staff act as a team to provide consistently excellent service.
Since the company was founded in 2013, ALICE has gained serious traction in the industry working many of the world's leading hotel brands, including Two Roads Hospitality, Dream Hotel Group, Grupo Posadas, SIXTY Hotels, NYLO Hotels, and Leading Hotels of the World. The company acquired concierge technology provider GoConcierge in 2017. For more information, visit https://info.aliceapp.com.
Contact: Alex Shashou
Luxury Resorts Appreciate Guest Privacy Enhancements Included in Version Update for Springer-Miller’s SMS|Host PMS
Learn How to Upgrade Guest Satisfaction and Operational Excellence With ALICE at HITEC 2018
SpaSoft Integrates New Security Enhancements to Latest Release
ALICE and Samsung Unveil First-Ever Hospitality Industry Smartwatch with Viceroy Hotel Group
Beekeeper Achieves ISO Certification to Protect Hotels' Data
How This Palm Beach Hotel Creates Personalized Guest Experiences with ALICE
ALICE Extends Their Core Operations Platform Through Innovative API Integrations
Let Your Guests Make Requests By Voice, And Give Staff A Way To Seamlessly Manage Their Requests, With The New Partnership Between ALICE And Volara
Clairvoyix Client Databases GDPR Ready Before Deadline
Create and Deliver Itineraries Without Leaving The Lobby With ALICE and Percipia
GDPR: What You Need to Know About the EU's New Data Privacy Rules
GDPR: Why Hoteliers Should Take the new EU Regulations Very Seriously
Four Must-Attend Speaking Engagements During HITEC 2018
Learn Why More Than 2,000 Hotel Properties Worldwide Use ALICE’s Award-Winning Technology
How to Deliver Personalized Guest Experiences in the Age of GDPR and Data Privacy Concerns
ALICE Celebrates 100 Global Employees (And Counting)
From Coast to Coast: The Parker New York Sister Property in Palm Springs Selects ALICE to Enhance Hotel Operations and Guest Experience
Now Available for Download: HEBS Digital’s GDPR Whitepaper
Texting Guests Is About to Be a HUGE Legal Liability That Can Cost a Hotel 4% of Its Annual Revenue
What Will Your Front Desk Staff Do With All the Extra Time They Have After Adopting Text Messaging Automation?
Please login or register to post a comment.