By now, you’ve heard of the EU’s General Data Protection Regulation (GDPR), which took effect May 25, 2018. Put simply, GDPR protects the privacy of individuals within the EU through a more cohesive regulatory environment. It demands a higher level of accountability from any business that processes personal data belonging to anyone inside the EU. Businesses are expected to keep customer data secure and to make marketing communications transparent and trustworthy.
GDPR identifies and protects 8 individual rights of your patrons:
Right to be informed
Individuals have the right to be informed about the collection and use of their personally identifiable information (PII), or personal data.
Right of access
Individuals have the right to access their PII.
Right of rectification
Individuals are entitled to have inaccurate or incomplete PII corrected or completed upon request.
Right to withdraw consent
Individuals have the right to withdraw previously given consent.
Right to erasure
Individuals have the right to have their personal data deleted or removed from a website or database upon request.
Right to restrict processing
Individuals have the right to restrict or suppress the processing of their personal data.
Right to data portability
Individuals have the right to move, copy, or transfer their personal data easily from one IT environment to another in a safe and secure way without affecting its usability.
Right to object
Individuals have the right to object to their personal data being used in certain circumstances.
Why should an American hotel or restaurant worry about EU regulations?
While GDPR was established to protect citizens of the EU, you shouldn’t assume the regulations don’t apply to American businesses. If an EU citizen visits your hospitality website and submits GDPR-protected PII to your database via your contact form, a newsletter opt-in, or any other data collection tool, you will be subject to enforcement.
What’s the cost of non-compliance?
Non-compliance is an expensive proposition for businesses whose customers, employees, or contractors are EU citizens or based in the EU. A GDPR supervisory authority can levy a fine of 20 million euros or 4% of your company’s global turnover, whichever is higher. Because many US-based hotels and restaurants are international enterprises with guests arriving from around the world, adhering to the GDPR protects your business from the exorbitant fines associated with GDPR enforcement.
The accommodations and food services industry accounts for 15% of all cyber attacks and data breaches in 2018
Compliance with the GDPR is also pragmatic in terms of operational efficacy. According to Verizon’s 2018 Data Breach Investigations Report, the accommodations industry accounted for nearly 2 in 10 security breaches. Out of nine industries studied, accommodations was second only to healthcare in number of security breaches with 338 data breaches identified by Verizon.
When a hotel or restaurant’s database is breached, GDPR fines aren’t the only expense. In many cases, fines are levied by the customer’s bank and by the establishment’s merchant bank, and in some instances, credit card processing capacity may be restricted or denied after a breach. There’s also the cost of demonstrating compliance once non-compliance has been proven through a breach, and there’s the cost of restoring trust with patrons and prospects.
The regulations created by the EU are the bare minimum in terms of protecting the data of your clientele, and non-compliance leaves your website vulnerable to cyber attacks and security breaches. GDPR requirements are tech best practices that will help to prevent expensive data breaches. Ignoring them puts your clients’ data and your reputation at stake.
What do you need to do to make your hospitality website GDPR compliant?
Under GDPR law, the data controller is the person or agency that “determines the purposes and means of the processing of personal data.” The data processor is the person or agency who processes the data on behalf of the data controller. GDPR treats the data controller as the principal party for responsibilities such as collecting consent and handling the withdrawal of consent.
If your hospitality website is collecting data on prospects and clients, your establishment is the data controller and must meet the requirements of GDPR. Your site must clearly disclose any data collection and provide the lawful basis and purpose for data processing. It must state how long the data will be retained and if it is being shared with any third parties or if it’s being shared outside the EU.
Your hospitality website will need to address the following issues to be compliant with GDPR.
A secure environment
Precise, justified PII requests
Your contact forms and opt-ins should collect only the minimum amount of personal data necessary to conduct business. You should also provide an explanation of why you’re gathering the information. For example, when you collect a site visitor’s phone number, the short message “We will call you at this number to make your reservation” justifies your need for the client’s phone number.
Make sure your terms and conditions are outlined properly
- The identity and the contact details of the controller and, where applicable, of the controller’s representative
- The contact details of the data protection officer, where applicable
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing
- The recipients or categories of recipients of the personal data, if any
- The legitimate interests necessitating the collection of data, where applicable
- Where applicable, information regarding the transfer of data to any third party or country
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
- How the data will be used
- How the data will be secured
- Any cookies being used
- How users can control any aspect of this process
- The 8 rights they have under GDPR
With so many details to cover, Privacy Policies can become long, confusing, and difficult for the average person to understand. This is exactly what GDPR is attempting to mitigate by requiring this information to be delivered in easy-to-understand language, but it can be practically impossible to strike the right balance between language that sufficiently covers your legal bases while also being succinct.
RedCap Digital has partnered with Bergstein, Flynn and Knowlton to deliver legal and reliable terms and conditions packages for our clients in the accommodations and food service industry.
Schedule your complimentary consultation with our legal experts today to learn more about GDPR-compliance and how it relates to your hotel or restaurant.