• Follow us on:

 

Tech Talk

Recent posts

The Future of Hotel Wi-Fi
Posted: 11/15/2017

Today’s hotel guests expect a homelike Wi-Fi encounter. As this “instant-on” experience becomes table stakes for hotels to compete for guest loyalty, it also opens the door to a revolution in delivering a more personalized guest service. Coleen Carey shares how to best serve your guests a seamless and familiar Wi-Fi experience.

Google Search Console offers a number of resources to tune your site's SEO functions as well as get important information about visitors and their activities while on the site. Nimesh Dinubhai dives into the best features of the offered webmaster tools.

Anyone who works in the hospitality industry knows how gratifying it feels to receive a good review. Unfortunately, many hospitality businesses have also experienced the flip side of this coin: a scathing review of your business, its staff, and everything that you’ve worked so hard to achieve. Roseanne Luth talks about the importance of monitoring your online reviews and how they affect potential customers.

Today, a growing number of brands believe that AI assistants have the power to enhance the guest experience. But the sentiment isn’t shared by all. Brendon Granger reviews the transition of technology in guestrooms and the influence it could have in the hotel-guest relationship.

Budgeting for Success in 2018
Posted: 11/01/2017

For many hoteliers, it seems budget season begins earlier and earlier each year. While the process and timeline varies from company to company, every hotel ultimately has to answer the same question: “What can we do differently next year to optimize revenue and maximize profit?” Rich Rebidue talks budgeting options as 2018 quickly approaches.



want to read more articles like this?

want to read more articles like this?

Sign up to recieve our weekly newsletter and monthly e-magazine and never ever miss an issue!

Subscribe

Keep up to date on all the latest industry news.

x
 

The European Union's General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?

06/21/2017

US companies collect, analyze, and leverage consumer data to optimize efficiency, advertise and, hopefully, increase profits. However, with the rise of data breach incidents, varying laws and consumer demand pressure companies to secure networks, scrutinize vendor usage—such as security of one cloud processor versus another, and be transparent with "collection practices." Privacy officers and in-house counsels may already understand US data privacy is controlled by a patchwork of state and industry-specific federal laws. However, companies across the hospitality community are (or should be) racing against the clock to satisfy increased requirements of the EU's General Data Protection Regulation (GDPR), which becomes effective May 25, 2018. The GDPR will replace the current Data Protection Directive, which was well-intentioned, but inadequate in light of growing technologies. There are notable changes and increased obligations within the GDPR to which US businesses must adhere or risk huge financial penalties. This if the first of several articles updating readers on why the GDPR matters and what steps members of the hospitality industry should take to comply with the regulation.

The European Union's General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?

1. Who does the GDPR affect?

The law is geographically expansive as it applies to the processing of EU residents’ personal data (name, ID number, reference to a physical, economic, or cultural identity of a person, etc.) regardless of the company/processor’s location. For instance, if a hotel markets its services to EU residents beyond merely having a website, than it will likely be controlled by the GDPR. Practically speaking, any organization desirous of European customers—regardless of whether the organization has a European-based office—must comply with the GDPR.

2. What are the consequences if a company does not comply with the GDP

US companies controlling or processing data of EU residents face increased penalties for violating the new regulation. Fines can reach 4 percent of annual global revenue, or 20 million Euros per violation. The regulation also grants European Supervisory Authorities the power to ban a company’s data collection practices altogether. Obviously, US companies cannot afford to mishandle security of EU residents’ data. Below, I list some of the GDPR issues/requirements most applicable to the hospitality industry:

  • Stricter Technical and Organizational Security Measures
  • New Data Subject Consent Rules
  • More Demanding Breach Notification Rules; and
  • Vendor Scrutiny and Use of Business Associate Contracts

Stricter Technical and Organizational Security Measures

Unlike some state/federal laws and the current European Data Protection Directive, the GDPR increases the safeguards a company must take to protect customer information against unauthorized access, accidental loss or alteration. The regulation mandates companies implement appropriate technical and organizational measures. "Appropriate" actions include, but are not limited to:

(1) "Encryption" or "Pseudonymization" of personal data—The regulation explicitly names encryption as a technique to avoid improper disclosure of customer information. Encryption software often comes at a higher cost and has its administrative obstacles. As a result, some businesses may instead benefit from "pseudonymization" of personal data. Hospitality members should know the GDPR does not apply to consumer information unrelated to identifiable persons and, further, expressly approves pseudonymization—the concept of removing personal "identifiers" from information to eliminate a link to one's identity—which would remove data from the scope of the GDPR. Encryption and/or pseudonymization help organizations meet other GDPR requirements as well. For example, depending on the risk of harm, companies must notify European authorities and citizens following a data breach incident (the subject of another article). Since encryption/pseudonymization reduce the risk of harm to EU citizens, companies using these techniques stand a higher chance of avoiding costly reporting obligations.

(2) A contingency plan amidst a technical incident (such as a cyber attack or “ransomware” event)—Companies under the GDPR should have an emergency plan establishing how they will respond and operate during a data breach incident. For example, during a cyber attack on a hotel chain, the hotel should be prepared with a plan employees have practiced so appropriate personnel can (a) identify what data has been compromised, (b) trigger "back up" data for normal business operations, (c) work with the in-house IT team (and potentially an outside forensic specialist) to contain/eradicate an attack, (d) restore operating systems, and (e) examine alongside counsel the various legal obligations arising out of the event.

(3) Utilize regular tests to evaluate effectiveness of technical/organizational security measures—For example, an IT “penetration test” is a simulated attack on a computer network to identify security strengths and weaknesses. Such a tactic assists businesses to identify what software/issues need addressing to improve security. Also, administrative fire drills to test the aforementioned contingency plan will help businesses prepare for a data breach incident.

Keep in mind GDPR violations carry heavy penalties that could crush small businesses. Documenting steps you have taken to address the above issues may establish mitigating factors that could go a long way towards dramatically reducing penalties amidst a GDPR audit.

This article only broadly addresses the GDPR's technical and organizational security requirement. Contact a privacy attorney to analyze the best approach for your organization and to understand the finer points of the GDPR's technical/organizational requirements.



[1] GDPR Article 3.

[2] “A Primer on the GDPR: What You Need to Know.” Bowman, Courtney, December 23, 2015

[3] GDPR Article 83(5). It should be noted consumers have a right to judicial remedy against companies and processors under the GDPR.

[4] GDPR Article 58.

[5] GDPR Article 32; GDPR Recital 49.

About The Author
Sam Crochet Esq. CIPP-US

Hall Booth Smith, PC


Sam Crochet, Esq. is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation. He assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures and preparation for the EU's General Data Protection Regulation (GDPR).

 
Comments
Blog post currently doesn't have any comments.
Leave comment



 Security code