PART 2: The European Union's General Data Protection Regulation: Two Important Steps to Take

07/18/2017
by Sam Crochet Esq. CIPP-US
In my June column, we discussed why the General Data Protection Regulation (GDPR) matters to the hospitality industry and the technical/organizational steps members should take to comply with the regulation. Practically speaking, any U.S. company desirous of European customers must comply with the GDPR as of May 25, 2018, or risk facing penalties as high as 4 percent of global revenue.

In this segment, we move on to two key requirements of the GDPR that supervisory authorities will be monitoring (and enforcing) closely: consent and breach notification.
 
1. Changes to How Hospitality Members Must Obtain "Consent" to Collect Data
 
The GDPR requires companies to give European consumers the chance to “opt in” to data collection by a statement or clear affirmative action. Presentation of the “opt in” request must be clear and concise. This is a stark shift from the former EU regime and the opposite of many U.S. state/federal laws. The rule requires a major overhaul of written policies and customer forms (both digital and paper). For example, a hotel's online booking page displaying pre-ticked boxes for consenting to the collection of names, email addresses and telephone numbers will no longer suffice. Likewise, a hotel's collection of personal information based on consumer inactivity or silence in the face of a privacy notice does not constitute consent. Instead, the consumer must be given the chance to take affirmative action, either by ticking an empty box or by providing some other explicit consent such as submitting a signature. Further, for those companies hoping to gain opt-in consent through electronic signatures that follow boilerplate language, the GDPR requires that organizations present consent requests closely linked to the processing activity, with clear affirmative action regarding that specific collection practice. Similarly, when data processing has multiple purposes, consent must be obtained for each purpose (i.e. marketing versus customer service).
 
Additionally, the GDPR gives consumers the right to withdraw consent at any time. Companies must notify consumers of this right before obtaining consent and, once consent is withdrawn, consumers can request their personal information be erased. 
 
2. Changes to the Data Breach Notification Rules for Many Hospitality Members
 
Perhaps no section of the GDPR reflects increased consumer protectionism as much as the new data breach notification rules. Hospitality members under the GDPR will face far greater exposure to costly breach reporting requirements for EU citizens' data than for U.S. consumers' data, since far more information counts as “personal data” under the GDPR. “Personal data” is any information relating to an identifiable natural person. This could feasibly be everything from names, telephone numbers, email addresses and photographs to IP addresses, online cookies and mobile device IDs. Less restrictive U.S. state/federal laws often require "personal data" to include a full name together with a social security, driver’s license or financial account number. Given this increased exposure under the GDPR, hospitality members should immediately analyze the scope of the information they collect to determine how much of it falls within the GDPR’s definition of “personal data.” Depending on what data is being collected, companies will need to immediately reform their policies pertaining to breach response and subsequent notifications. On a side note, it is highly advisable to practice “pseudonymization,” as data is only “personal” under the GDPR if it can be linked to an identifiable person. By de-identifying information, a company can often avoid the obligations of the GDPR, costly breach reporting requirements, and the public relations storms that often follow a data breach.
 
In the event of a data breach involving EU residents’ data, U.S. companies will have to report the event to the relevant European Supervisory Authorities within 72 hours of becoming aware of the breach. This is more precise than many state laws, which generally apply a “reasonable time period” or “without undue delay” standard. Further, whereas notification to the European Supervisory Authorities turns on whether there is a general “risk” to the consumer, the obligation to notify consumers themselves turns on whether there is a “high risk” to the consumer. Thus, when reviewing or developing a breach response procedure, hospitality members under the GDPR need to factor in whether a breach’s risk to a consumer meets this higher standard, at which point they would have to provide immediate consumer notice. This ambiguity could trouble hospitality members struggling to respond in the hours and/or days following a breach. The GDPR does offer some clarity, indicating that “high risk” may include severe consequences such as the threat of identity theft, financial loss, fraud, discrimination and/or damage to reputation.
 
GDPR auditors will not smile kindly on U.S. companies seeking loopholes in the law. The highest potential fines will be reserved for companies violating the most basic principles for processing, such as consent or breach notification.
 
Hospitality members can reduce exposure under the GDPR by performing a full risk assessment, starting with the scope and legal significance of their data collection practices. (1) Revising internal policies/procedures to accommodate the GDPR's consent and notification requirements and (2) tailoring breach response protocols to the 72-hour timing and the risk/high-risk test will go a long way toward avoiding a violation and, most importantly, will document the compliance steps members have taken in the event of an EU audit.
About The Author

Sam Crochet Esq. CIPP-US
Hall Booth Smith, PC

Sam Crochet, Esq. is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation. He assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures, and preparation for the EU's General Data Protection Regulation (GDPR).
