Nearly everyone in the United States is accustomed to the seemingly unstoppable spread of their personal information. Buying from one online retailer may lead to your email address winding up on the mailing list of a related business, and hitting the “unsubscribe” link at the bottom of solicitous messages has just become second nature. Not so in Europe, where personal privacy laws are much more stringent than in the United States. Those laws are only getting more comprehensive. On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR), which was passed in April 2016, officially goes into effect.
GDPR dictates how a company may use its clients’ personal data, and it applies to all people who live in the European Union (EU)—regardless of where their data is processed. This means that hotels in the United States serving European guests must start adhering to the regulation, or else face steep fines—up to 4 percent of annual global turnover or €20 million (whichever is greater).
GDPR specifies that consumers must explicitly consent for their personal information to be processed and used by third parties. For example, if a someone stays at a hotel, that guest’s information cannot be used for marketing purposes or disseminated to third parties without that guest’s written approval. It also entitles EU citizens to the right to access their data and know how it is being used, as well as the right to be forgotten—that is, to halt third parties from processing the data. It includes regulations regarding privacy by design, which, according to the official GDPR website, “calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically, ‘The controller shall…implement appropriate technical and organizational measures…in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects’.”
With so much on the line, it is imperative that U.S. hoteliers acquaint themselves with GDPR and prepare to meet its requirements. “Any hotel that has international aspirations is going to be affected, as will any hotel brand with a global presence,” comments John Barchie, a senior fellow at Arrakis Consulting, a San Tan Valley, an Ariz.-based security company. “They’re going to be expected to protect their EU citizens’ data,” he adds.
The crux of GDPR is consent, says Ciske van Oosten, senior manager of the global intelligence division at Verizon’s security assurance consulting practice. “Consent is the first requirement of GDPR. Guests need to explicitly opt into having their data collected and shared,” he explains. Asking for that consent is not something U.S. hotels are currently used to. “Hotels must explain to guests what data they are capturing, why they are capturing it, and who will have access to it. This will be a major change for many hotels, and will also change what people see online when booking a room. Any documentation will need to be very clear about its purpose.”
For many U.S. hoteliers—namely, those that have a portfolio of branded properties—the groundwork should already be in place for acquiring that consent. “The question is whether that company is choosing to protect everyone’s data like they would in the European Union, or if it would only apply to European hotels,” Barchie says. He adds that hoteliers who have properties under global brands might want to reach out to their global offices for guidance in implementing GDPR. “They almost certainly have an understanding because of their European properties.”
It’s worth noting that these regulations don’t apply just to hotels; they also extend to booking systems and revenue management software. “If you use a cloud provider to store, process, or transmit personal data of EU residents, and that data is compromised by that provider, the hotel can also be liable,” van Oosten states. Hotels, as data controllers, should engage only those data processors that provide sufficient guarantees to implement appropriate technical and organizational measures to meet the GDPR’s requirements and protect data subjects’ rights. “That differs quite significantly from U.S. data breach laws, which are typically only triggered upon exposure of information that can lead to fraud or identity theft. GDPR is much broader. You need to report the breach to a European regulator authority within 72 hours after having become aware of the breach,” he adds.
While GDPR is something that all hoteliers should be aware of, it is worth noting that it won’t impact all hotels. “Non-EU established hotels won’t be expected to adhere to GDPR unless they conduct data processing activities related to the offering of goods or services to individuals in the EU, or when they monitor the behavior of individuals in the EU,” van Oosten points out.
Barchie concurs. “A vacationer who comes to the U.S. and walks into a bed and breakfast or a mom-and-pop hotel cannot expect that hotel to be GDPR-compliant. It’s only the properties that are actively pursuing European guests that must adhere to GDPR rules.”
Barchie says hoteliers must prepare and be diligent as they go about implementing GDPR. “A lot of people think GDPR is going to be easy to implement. That’s not the case. It’ll be about four or five times more difficult to implement than its predecessor, and U.S. hoteliers need to be prepared,” Barchie says.