GDPR: Why Hoteliers Should Take the new EU Regulations Very Seriously
By Stuart Pallister, Head of Academic Editorial Content at Ecole hôtelière de Lausanne
New EU rules on data protection, known as GDPR and seven years in the making, come into effect on May 25. The advice from IT experts to hoteliers is: take the new rules very seriously or risk heavy fines of up to 20 million euros or four percent of the company’s global turnover, whichever is higher. At the recent Young Hoteliers Summit, staged at Ecole hôtelière de Lausanne, Nick Price, CEO of NetSys Technology and CIO of citizenM Hotels, touched on the challenges posed in a keynote address.
In a panel discussion on the future of technology in hospitality after the keynote, he cautioned young hoteliers that their careers in the hospitality industry could end abruptly if they were responsible for a breach.
"It’s criminal law. You can be fined significantly. Understand that the brand will be impacted, not you, the hotel. If your hotel loses some data, you’ve most likely given access to all your company’s data, given how things are interconnected today. Be aware, this is very real."
Another panelist, entrepreneur Uli Pillau, founder of tech firm Apaleo, said GDPR wasn’t taken seriously enough, as had happened with Payment Card Industry (PCI) compliance. “This is a new topic for the industry and very few people understand what it means. There are big risks with that, but the earlier people take it seriously, the better. And I don’t see too many hotel groups and hotels which are really taking it very seriously at this point.”
"Europe has a very different perspective on individual citizens' data than the United States, for example, and these laws are a response to that," Price said during the panel discussion. "You can expect some fairly significant case law established from May when this law becomes enacted Europe-wide and some companies lose this information. With GDPR, European laws will apply and they will fine these companies serious, big money."
And his advice to the young hoteliers: "Just sit back and think where customer information is actually held, in which systems in the hotel and how many systems duplicate that information. Imagine how you would collate that knowledge and protect that information in those operational systems, some of which are decades old."
Pillau pointed out that legacy systems represent a 'high risk factor'. "The safest way to go is to use token technology which encrypts it entirely, (so that) at the PMS (property management system) or at the hotel level no data is kept which could get outside the systems. I think there are intelligent ways of doing that today."
Suzanne Ward, Director of Digital Solutions at Mövenpick Hotels & Resorts, noted that not only the data of customers should be protected, but also employee data such as payroll or HR information. "We need to be extremely careful with that sort of data too."
Price told Hospitality Insights on the sidelines of the YHS forum that the new rules were 'serious' but would also be beneficial. "This is a good thing as it protects fundamental information about human beings from misuse. We have customers who stay with us and because of the nature of our business as hoteliers, we have to capture information."
"We have a trusted relationship with these people. They trust us with their safety when they're in our hotels. In order to have that trusted relationship, we have to be able to demonstrate we can protect the information they voluntarily give us and that's quite challenging. But frankly speaking, (the GDPR) should be welcomed by the hotel industry and it's here for a good reason."
European governments have recognized, he said, that many companies nowadays are "deriving a lot of value" from the use of customer information.
"We, as hoteliers, also need to derive value from that information. We need to be part of that same business model," he said, noting that Google and Amazon make money out of personal information and their valuations are 'significant.'
Hotel companies should also be able to make money out of the information but in order to do that, they have to be trusted with the information in the first place and they have to give a net beneficial return to the customer that stays with them, which they can do. They're uniquely positioned to do that.
"But it begins with trust and you can't be trusted as a hotelier by your customer base, if you don't protect really what is in many senses the most valuable data you have, which is the information (you hold) about that customer. So yes, it's a good thing."