By now, it’s no secret that the European General Data Protection Regulation (GDPR) comes into force on Friday, May 25th. Wherever you look, you’re inundated with emails, reminders, and a wealth of articles heralding the arrival of the biggest change to data protection law in 20 years.
Yet with just weeks to go, you’re still not entirely sure what GDPR means for your hotel, or what you need to do about it.
That’s where we come in.
A leading London IT support company, Pacific Infotech specialise in helping hotels to navigate the complexities of business technology, not only ensuring complete compliance with ever-evolving legislation, but using that technology to its full potential in taking their business to the next level.
Over the past few weeks, we’ve been inundated with questions from many of our clients about how GDPR impacts their business.
Here, we’ve rounded up many of the most frequently asked questions, and our expert answers, into one comprehensive guide to how the new data protection regulation affects the hotel industry.
My Hotel is Already DPA Compliant – Do I Need to Worry About GDPR?
The Information Commissioner’s Office (ICO, the body responsible for overseeing GDPR in the UK) says that even if you currently comply with the Data Protection Act 1998 (DPA), you will still need to be fully compliant with GDPR, because GDPR replaces the DPA.
The good news is that the ICO also states that if you’re fully compliant with the DPA, most of the measures you’ve already taken will remain valid under GDPR.
That said, GDPR is considerably stricter than the DPA when it comes to compliance, so your existing measures should be taken only as a starting point upon which to build.
Won’t Things Change Again After Brexit?
Not in the way you might think.
The UK government has said that once Britain leaves the European Union, our data protection laws will be a direct mirror of GDPR, meaning you’ll still need to ensure the same level of compliance.
Do I Need to Hire a Data Protection Officer?
If there’s one area of GDPR that’s causing the most confusion among hotel owners, it’s the question of Data Protection Officers (DPOs).
Though the new regulation does make it mandatory for some organisations to appoint a DPO, the rule only applies to organisations who:
- Are a public authority
- Carry out core activities which require “regular and systematic monitoring of individuals on a large scale”
- Carry out core activities which consist of “processing of special categories of data on a large scale.”
These special categories of data include sensitive information such as racial or ethnic origin, religious beliefs, health and sexual orientation.
Whilst it’s likely to be true that your hotel does process data on customers, employees and suppliers, it is unlikely that you process lots of special category data or carry out monitoring on such a scale that you’re legally required to hire a DPO.
That said, guidelines laid out by the Article 29 Data Protection Working Party do recommend that all businesses should appoint such an officer as a means of good practice, particularly as it will help you ensure you’re fully compliant and well-equipped to handle any requests for personal data that you might receive.
Will I Need to Update My IT Security?
In all likelihood, yes.
Again, the IT security measures you implemented to ensure DPA compliance are a good starting point, but at the very least you should talk to your hotel’s IT support company to ensure that your levels of encryption, your disaster recovery strategies, and your anti-ransomware measures are all sufficient to ensure GDPR compliance.
What Else Will I Need to Do Before May 25th?
Key tasks to take care of include:
Updating your consent policies
Adding customers to your hotel’s marketing lists just because they gave you an email address when they booked their last stay is no longer going to cut it.
GDPR requires that consent be freely given, specific, informed and unambiguous: individuals must be told what personal data you collect, why you collect it, and how it will be used, and must actively opt in rather than being signed up by default.
If you haven’t already done so, now is the perfect time to review whether your consent policies are compatible with GDPR rules.
Again, your hotel IT specialists can guide you on this.
Make sure your staff are trained on GDPR
Did you know that most security breaches happen as a result of human error?
If GDPR is going to change how your employees work when it comes to collecting or processing data, then it pays to make sure they’re fully informed about those changes and well-prepared to serve as your hotel’s first line of defence against data theft.
Complete a Data Inventory
Carry out a complete audit of all the data you currently store about customers, employees, suppliers, and anyone else, and ask yourself the following key questions:
- Do we still need to keep this data? If yes – why?
- Did we collect this data fairly?
- Do we have sufficient security protection in place for this data?
- Is it used only for its intended purpose by those who absolutely need to access it?
- Do we share this data with third parties? If so, is it right that we continue to do so?
Ensure Your Website is Compliant
Your hotel website is typically one of your biggest tools for collecting customer data, so it’s essential that it too is fully compliant with GDPR.
As a bare minimum, you’re going to need a valid SSL/TLS certificate (so that every page and form is served over HTTPS) and fair processing notices in place, to ensure that any data is collected securely, ethically, and in accordance with GDPR rules.
What If I Have Other Questions About GDPR?
Considering hiring a DPO? Need advice on how to add an SSL certificate to your website? Still unsure as to whether your business is going to be ready for May 25th? Talk to Pacific Infotech today.
One of the top IT companies in London specialising in hotel IT support, we’re on hand right now to answer your questions.
Contact us online to arrange your free, no-obligation GDPR consultation, or call now on +44 20 313 76707.