The hotel industry is one of many affected by the EU General Data Protection Regulation (GDPR), the upcoming law that strengthens EU residents’ personal data rights.
Employees and guests are both covered by the GDPR and, although some of the Regulation’s requirements apply equally to both sets of individuals, there are also some differences. This blog explains some of those differences, but it’s first necessary to explain exactly what ‘personal data’ is.
What is personal data?
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”. In other words, any information that is clearly about a particular person. In certain circumstances, this could include anything from someone’s name to their physical appearance.
Some personal information – such as an individual’s political beliefs or their genetic information – is considered sensitive, and must be held to a higher standard of security. This affects hotels when, for example, hosting an event where guests’ trade union membership are revealed, or when employees need to give a fingerprint scan to access certain parts of the building.
Acquiring personal data
There are six lawful grounds for processing personal data. Consent is currently the most popular, but the GDPR discourages its use by toughening the rules for obtaining it. This is because consent is unreliable and time-consuming.
For instance, if you are using consent to process personal data and you then want to use that data for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses to consent or who doesn’t reply must be removed from your records.
Individuals are also free to withdraw their consent at any time, which again means you must remove them from your records. If you don’t, your organisation risks disciplinary action from the relevant supervisory authority.
In most cases, hotels should use contractual obligation for their employees and legitimate interests for guests. Whatever lawful ground is used, hotels need to tell individuals what information is being collected, what it is being used for and how long it will be retained. The GDPR’s data protection principles emphasise that organisations should collect data only if it’s necessary for a specific purpose and retain it for only as long as it meets that purpose.
Protecting personal data
There are many steps hotels should take to protect personal data – from reviewing security policies to encrypting and/or pseudonymising data – but they should begin by adopting privacy by design. This essentially means that data protection needs to be prioritised when designing any new service or process.
For example, if a hotel was developing a new mechanism for room bookings, it would have to consider the ways in which data might be exposed, and apply necessary controls to mitigate each threat. It should conduct a data protection impact assessment (DPIA), which would bring to the fore questions such as ‘are there system vulnerabilities that a criminal hacker could exploit?’ or ‘is it too easy for an employee to misappropriate information?’.
Hotels should also appoint a data protection officer (DPO) to ensure that the processes outlined in the design are being properly implemented.
Accessing and erasing personal data
Data subjects have a number of rights concerning their personal data, but the most important one to prepare for is the right to access personal data. Individuals can submit subject access requests, which give the hotel 30 days to provide a copy of any information it stores on them.
From there, the individual can exercise a number of other rights. If they believe there is no lawful ground for any or all the collected data, and the hotel can’t prove otherwise, the information must be erased. Similarly, if the individual claims that the information is incorrect, they can request that the organisation rectify it.
Individuals also have the right to restrict processing, data portability, object and, as we mentioned in the previous point, to be informed.
What else do you need to do?
The steps listed here are a big part of GDPR compliance, but they certainly aren’t the only requirements. Hotels also need to address the policies, procedures and technology that they use for handling personal data, and ensure that staff are fully aware of their obligations.
You can learn more about the GDPR and its requirements by enrolling in one of our GDPR training courses. Depending on your level of expertise, you might prefer either:
The courses are available in classroom, distance learning and Live Online formats.
Book these courses together in our combination course and save 15%.