By Terri Miller

Hotels are faced with an interesting dilemma. We’re entering a time of hyper-personalization — guests show dominating preference for hospitality experiences which are more unique in nature and catered to individual needs/expectations. However, riding the coattails of the on-going personalization trend comes the initial implementation of GDPR on May 25th.

For those unfamiliar, the General Data Protection Regulation (GDPR) aims strengthen and unify data protection for individuals within the European Union (EU). This legislation, which applies to guests and employees, brings with it a large number of changes relating to the use of personal data.

This is where the dueling conundrum lies. With all these rules and guidelines, how will hotels remain competitive in their quest to deliver the exceptional, personalized service guests expect? How can hotels be expected to get personal if they have limited access to personal data?

We’re here to break it down for you.

What Constitutes ‘Personal Data’?

In order to understand the expectations (and subsequent limitations) of the new protocol, we need to first gain an understanding of what exactly GDPR defines as the “personal data” of guests and hotel employees.

In the case of GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’)”. Basically, this could include an individual’s name, identification number, location data, online identifiers, their physical appearance, and more. Consider this the beginning tier of data classification, while other personal information such as political beliefs, biometric data, genetic information, is considered sensitive and is therefore held to a higher standard of security.

Why GDPR?

You may be wondering why this new legislation has come to fruition. Over time it has been noted that the hospitality industry is exceptionally vulnerable to data-related threats. From pre-stay to post-stay, guests are engaged in a near limitless number of transactions, which involve the exchange of sensitive information in addition to credit card data. In fact, according to the Verizon 2016 Data Breach Investigations, the hotel industry accounted for the second largest share of security breaches in 2016.

GDPR has been formulated in an effort to remedy this trend in the EU, compelling hotels to upgrade their data protection processes to meet new, improved standards. Those hotels who do not meet the standards enforced by GDPR will face serious financial penalties, with costs up to €20 million or 4 per cent of worldwide annual turnover (whichever is greater).

How Can Hotels Collect Personal Data for GDPR?

While it may seem daunting at first glance, the GDPR legislation shouldn’t act as an impenetrable barrier between hoteliers and their guests.

With GDPR in place, personal data must be collected for specified explicit purposes. Further, data cannot be captured (with consent for a specific information exchange) and then used for other purposes, unless consent is readily provided and documented. Let’s consider a common example. Imagine a guest has supplied their email address at the time of booking a hotel. Under GDPR’s regulations, you cannot use that email for email marketing at a later stage, unless the guest provided documented consent (likely through an ‘opt-in’ feature) for that use.

Due to the dynamic nature of hotel services and touch points, it’s likely that guests’ personal details are shared amongst different areas of a hotel’s operation (the front desk, spa, restaurants etc.). In preparation of GDPR, hotels’ management teams should set aside time to complete a data mapping process that clarifies what data is captured, where that information is stored and how it can be used — in order to protect and monitor it appropriately.

Hoteliers should also take a closer look at their third-party partnerships, to ensure there is no risk to the security of guest data within those touchpoints, as well. Why is this so important? Under the standards of GDPR, if a hotel is outsourcing the process of data to a third party who is not complying with GDPR regulations, the hotel and the third-party processor can be held jointly responsible if a breach occurs.

GDPR might leave some hoteliers feeling nervous as they prepare for changes to their current data processes, especially considering how many hotels rely on email marketing as a critical pillar to their business model. However, it’s important to recognize the opportunity this legislation provides to establish more open communication streams with guests. In order to access and use their personal data, hotels must now develop a communications strategy that allows guests to know exactly what their data is being used for, and why. Essentially, hoteliers will be expected to talk with their guests, in a more holistic and transparent manner, to determine what they want out of their experience.

In many ways, GDPR may ultimately yield a positive outcome for hoteliers and for guests. By forcing an opt-in and being specific about how information will be used, hoteliers will be left with a database of clients that are interested in receiving relevant guest experiences, marketing messages, and perhaps more receptive to booking or becoming loyal to your hotel.

Additionally, it forces hoteliers to become smarter about what data they request and keep. The data which hoteliers must access to satiate and earn the loyalty of modern guests speaks to their preferences. What wine do they like, what type of pillow do they prefer, what other items, service styles or experiences will make their stay more enjoyable? The use of this type of data should be easy to obtain guest consent for, as it will ensure their visit meets (and exceeds) their expectations.