On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect. This regulation applies to all citizens of the European Union (EU) and dictates how a company may use its clients’ personal data. If a company slips up, the penalties are steep—up to 4 percent of its annual global turnover or €20 million, whichever is greater.
U.S. hoteliers are subject to GDPR when hosting guests from the EU, making an understanding of the regulation and its requirements of the utmost importance. Luckily though, according to Adam Corey, chief marketing officer at Tealium, a San Diego-based company that offers customer data orchestration solutions, big hotel companies were ready for GDPR when it went live. “Major hospitality companies operate around the world, so they were planning for GDPR for a long time,” he says. “However, it did take a little longer for many in the United States to take it seriously. A year later, though, I think that tide is starting to change.”
This is because the United States is sowing its own crop of privacy laws and regulations, which, in turn, tunes businesses more into GDPR. Corey says that a privacy regulation passed in California is due to go into effect in 2020. Many other states are also considering legislation focused on privacy and data regulations. “It’s the new normal,” he adds.
Corey notes that GDPR and the conversation around data privacy can be particularly complicated when it comes to the hotel industry. “Hospitality is a very challenging place to execute initiatives around privacy because hotels want to get to know their guests so that they can better deliver a valuable experience. There’s just a really great case for gathering customer data and using it to improve the guest’s stay,” he says.
Corey recommends that hotels take the time to think about data security across all areas of the industry when developing a compliance strategy. “Hospitality is made up of large, complex organizations with third-party companies in the mix. It is a lot of work to think about all of the moving pieces and build a guest-centric data model that also satisfies compliance requirements.”
As of yet, the hospitality industry has not been a target for GDPR-related fines; however, that will likely change as crackdowns become more frequent. Even so, Corey says that hotel companies should be doing everything in their power to follow these regulations. “There’s no better industry than hospitality to lead on data security initiatives because it is already so invested in consumer relationships. This is just one more way those companies can build their guests’ trust.”
