The European Union’s General Data Protection Regulation has a far reach, and U.S. hoteliers have been busy trying to understand the law, when it applies to them and what they must do to comply.
GLOBAL REPORT—The 25 May deadline to comply with the European Union’s General Data Protection Regulation is quickly approaching, but many in the U.S. hotel industry are still working their way toward both understanding it and fully meeting its requirements.
In a nutshell, the GDPR protects the private information of people in the EU and its member states, giving them the right to decide how their personal information is collected, processed and managed.
According to a white paper prepared by HTNG titled “GDPR for hospitality,” the new regulation affords these rights to people in the EU, or “data subjects” as they are referred to under the GDPR:
- the right to understand what data is being collected, what it will be used for and how long it will be held;
- the right to explicitly consent to the use of their data and the right to easily withdraw consent;
- the right to restrict the reason(s) for how the data will be used;
- the right to review, modify, correct and delete the information held about them;
- the right to be forgotten—that is, to have their data deleted; and
- the right to obtain a copy of their data in a common machine-readable format, and to transfer it to another data controller.
There is a cultural difference between how governments and companies in the U.S. and the EU view privacy and the right to be forgotten, said Finn Schulz, principal at Schulz Consulting, an independent technology consultancy in the EU, and a co-author of the HTNG white paper. Americans have become used to personal information being used to target offers for years, he said.
“Remember Metromail in the Chicago area who merged data and created phantom images of people and their needs 20 to 30 years ago?” he said. “All for direct marketing. In Europe, that was never seen as a good company.”
As a result, U.S. hoteliers might have had a “lighter foot on the brake,” Schulz said, trying to commercialize the data they have available.
“It is important to understand that with the GDPR we do require a ‘purpose’ of why we process personal information and a ‘lawful ground’ of doing so,” he said.
What this means for U.S. hoteliers
The scope of the GDPR can be confusing, said Moyn Uddin, chief privacy officer at Cyber Counsel in the United Kingdom, so his company created a diagram to help illustrate who falls where.
Essentially, a hotel company outside of the EU that is actively marketing, selling products or services or monitoring EU data subjects will fall under the GDPR, he said. The data subject doesn’t have to be a citizen of the EU, he said, just located within the EU.
Similarly, if a company is a data controller or a data processor established in the EU, the regulation applies to it as well, he said. The consequence is that it must protect all individuals’ personal data regardless of where those people are located or where their data is collected, he said. As a result, U.S. hoteliers who have a presence in the EU must protect their guests’ and their staff’s personal data as required by the GDPR, he said.
“It puts a lot of people in the scope of the law,” he said.
According to the HTNG white paper, the GDPR applies to “the processing of personal data of data subjects who are in the EU.” For U.S.-based hoteliers, the GDPR would apply to a hotel if it was offering its services to such data subjects, who make reservations for the hotel while they are still in the EU. Ultimately, determining whether the hotel is subject to the GDPR will be done on a case-by-case basis.
The paper also states hoteliers need to be aware that using third-party vendors, such as booking sites and marketing services, could be viewed as offering goods and services to data subjects in the EU.
“Depending on the website monitoring and tracking that is done, it could possibly qualify as ‘the monitoring of their behavior as far as their behavior takes place within the Union,’” according to the white paper.
The GDPR will affect everyone in the U.S. hotel industry, said Kristen Johns, partner at Waller Lansden Dortch & Davis, but the compliance burden might not be equally distributed. The reach of the GDPR is broad because it isn’t restricted to any one country, she said. Even hoteliers operating in the U.S. without a presence in Europe could fall under the GDPR if they process the information of a data subject in the EU.
The penalty for noncompliance with the GDPR is €20 million ($24.6 million), or 4% of the company’s net or gross sales, whichever is greater, Johns said.
“Any article you read about the GDPR, that is what they start with to grab your attention because it has meaning,” she said. “If you find out a breach has occurred, there is a 72-hour notice requirement. If you don’t notify, you have to demonstrate a reason why you’re not compliant.”
Johns said the data breach at Equifax is an example of what not to do with a data breach. If the GDPR had been in effect during that breach, it would have been a €60-million ($73.8 million) fine, she said.
Coming into compliance
What hoteliers need to do to comply with the law depends on what their individual company actually does, Johns said. There is still time to come into compliance before the deadline, but it is approaching quickly.
Hoteliers will need to go through the process of determining how they acquire guest information, what types of guest information they acquire, categorizing it all and then analyzing how they use the information, she said.
It’s also necessary to assemble a team of managers to help identify the highlighted issues, Johns said, which means bringing in someone from IT, management and marketing. If the situation triggers the requirement for a data protection officer, she said, the company will need to make that appointment, which could be an individual or a third-party vendor.
“Part of the nuance of the GDPR is that it recognizes no company is the same,” she said. “No entity operates the same way, uses data the same way or collects it the same way.”
Hoteliers must also prepare a response plan in case a data subject contacting the hotel invokes one of his or her rights under the GDPR, such as the right of access by the data subject, the right to rectification, the right to erasure, the right to restriction of processing, the notification obligation regarding rectification or erasure of personal data or restriction of processing, the right to data portability and/or the right to object.
It’s also necessary to develop a GDPR awareness training program and “ensure all relevant staff members are trained prior to 25 May 2018 with follow-up training periodically and on new hire,” he said.
Working to comply
Work is underway at the SoBro Guest House in Nashville, Tennessee, to come into GDPR compliance, said GM Kim Rittenberry. As a smaller hotel, it’s mainly making sure its PCI compliance is up to date and that all of its software providers have made the changes they need to in order to be compliant, she said.
“We have to update our terms and conditions,” she said. “Outside of that, the heavy lifting is with our PMS system, our CRS system and booking engine. It’s going to be important for me to go through our software provider to make sure they are compliant.”
The SoBro Guest House’s guest mix includes about 30% to 35% international visitors, Rittenberry said, and a significant portion of foreign guests come from the EU. The hotel uses online travel agencies heavily for online bookings in Europe, she said, and the property itself is popular among European travelers because it’s similar to smaller hotels on the continent.
British Airways will soon have a direct flight into Nashville through London Heathrow Airport, she said, so that should lead to an uptick in European travelers coming to the city.
Rittenberry said she’s been training her staff to understand what the GDPR is, why it’s important and why the hotel is required to be compliant, particularly about guests having the right to refuse profiling, to have their information erased and to make sure there is adequate proof of consent to use their data.
“We’re used to using software that automatically gathers information from all our guests and profiles them,” she said. “This is going to be different for (staff members). I think they will gravitate to it pretty well.”
The hotel’s employees are somewhat young and are heavy users of social media, she said, so they have a natural understanding of the information available online and how companies profile consumers.
One aspect of GDPR compliance is that it will affect how the hotel handles guest information for all guests, not just those from the EU, Rittenberry said.
“I can’t operate by one set of terms and conditions for one set of guests and another set of terms and conditions for another,” she said.
Most of the hotel’s domestic guests won’t know anything about the GDPR and how it is changing how the hotel handles their data, she said. It’s not on their radar at all.
“I seriously doubt any American will call us up and say they want us to erase their profile,” she said. “I just don’t think they’re going to know about it enough to call and ask us to erase their data.”
That might change as more news media covers personal privacy rights, particularly with recent uproar over how Facebook has handled user data, Rittenberry said.
“I can understand why the EU put these protocols in place,” she said. “Maybe it’s way down the line here in the U.S., and other countries may be following suit. I think that’s the other reason it’s best to just go ahead and make it universal and incorporate as much as you can so, later on down the road, if it does happen, whether it’s five or 10 years from now, it’s already been dealt with.”