Tech Talk

Recent posts

Time is limited. Once it’s gone, you can’t gain it back. Similarly, once a room goes unsold for a night, it will go unsold forever. There’s no way to recover that loss, because there’s no way to go back in time.
 
Many hotels fight this limitation by trying to sell as many rooms as possible. If all the rooms are completely booked, time no longer becomes a factor. But most don’t have the luxury of being at-capacity every single night. That’s why last-minute booking apps are growing in popularity in the industry, where hotels can make the most of each day. These apps specifically target guests who don’t plan far in advance, seeking accommodations from one week to one minute later.
 
There are several different ways your hotel can benefit from using last-minute booking apps in your business strategy.

IoT is Coming, Jon Snow…
Posted: 05/21/2019

Hospitality is prime for the coming advent of the various devices that make up the Internet of Things. Estimates show the industry now represents 17.5 million rooms worldwide and savvy guests are demanding more personalization and an overall improved guest experience along their connected travel journey and belief is that IoT can bring this to reality. 

The forces driving local search rankings are constantly changing. But recent studies suggest that in 2019, four key factors make up the local search algorithm. 
 
The most significant factor is Google My Business (GMB). If you’re not on it, get on it now.

The robotic revolution in the hospitality industry might seem to have taken a step back. This January, the famously quirky Henn-Na Hotel in Japan fired half of its 243 robot staff. The robotic workforce reportedly irritated guests and frequently broke down.

Think about the moment when you first enter your hotel room. Look around: Does the room tell you anything unique about the hotel where you are staying? Or is it all beige walls and double beds with white covers, and you have to walk back outside and look at the sign on the hotel’s facade to even remember where you are?



want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.

x
 

PART 2: The European Union's General Data Protection Regulation: Two Important Steps to Take

07/18/2017
In my June column, we discussed why the General Data Protection Regulation (GDPR) matters to the hospitality industry and the technical/organizational steps members should take to comply with the regulation. Practically speaking, any U.S. company desirous of European customers must comply with the GDPR as of May 25, 2018, or risk facing penalties as high as 4 percent of global revenue.

In this segment, we move on to two key requirements of the GDPR that supervisory authorities will be monitoring (and enforcing) closely: consent and breach notification.
 
1. Changes to How Hospitality Members Must Obtain "Consent" to Collect Data
 
The GDPR requires companies to give European consumers the chance to “opt in” to data collection by a statement or clear affirmative action. Presentation of the “opt in” request must be clear and concise. This is a stark shift from the former EU regime and the opposite of many U.S. state/federal laws. The rule requires major overhaul in written policies and customer forms (both digital and paper). For example, a hotel's online booking page displaying pre-ticked boxes for consenting to the collection of names, email addresses, and telephone numbers will no longer suffice. Likewise, a hotel's collection of personal information based on consumer inactivity or silence in the face of a privacy notice does not trigger consent. Instead, the consumer must be given the chance to express affirmative action at either ticking an empty box or providing some other explicit consent such as submitting a signature. Further, for those companies hoping to gain opt-in consent through electronic signatures that succeed boiler plate language, the GDPR requires organizations provide consent requests that are closely linked to the processing activity through clear affirmative action regarding that specific collection practice. Similarly, when data processing has multiple purposes, consent must be obtained for each purpose (i.e. marketing versus customer service). 
 
Additionally, the GDPR gives consumers the right to withdraw consent at any time. Companies must notify consumers of this right before obtaining consent and, once consent is withdrawn, consumers can request their personal information be erased. 
 
2. Changes to the Data Breach Notification Rules for Many Hospitality Members
 
Perhaps no section of the GDPR reflects increased consumer protectionism as much as the new data breach notification rules. Hospitality members under the GDPR will face far greater exposure to costly breach reporting requirements for EU citizens' data than with U.S. consumers since there is more “personal data” under the GDPR. “Personal data” is any information relating to an identifiable natural person. This could feasibly be everything from names, telephone numbers, email addresses and photographs to IP addresses, online cookies, and mobile device IDs. Less restrictive U.S. state/federal laws often require "personal data" to include a full name and a social security, driver’s license, or financial account number. Given this increased exposure under the GDPR, hospitality members should immediately analyze the scope of the information they collect to determine how vulnerable they are to the GDPR’s definition of “personal data.” Depending on what data is being collected, companies will need to immediately reform their policies pertaining to breach response and subsequent notifications. On a side note, it is highly advisable to practice “pseudonymization” as data is only “personal” under the GDPR if it can be linked to an identifiable person. By de-humanizing information, a company can often avoid the obligations of the GDPR, costly breach reporting requirements, and the public relation storms that often follow a data breach.
 
In the event of a data breach involving EU residents’ data, U.S. companies will have to report the event to certain European Supervisory Authorities within 72 hours of obtaining notice of the breach. This is more precise than many state laws, which generally include a “reasonable time period” or “without undue delay” standard. Further, whereas notification to the European Supervisory Authorities turns on whether there is a general “risk” to the consumer, the obligation to provide notification to consumers themselves turns on whether there is “high risk” to the consumer. Thus, when reviewing or developing a breach response procedure, hospitality members under the GDPR need to factor whether a breach’s risk to a consumer meets this high standard, at which point it would have to provide immediate consumer notice. This ambiguity could trouble hospitality members struggling to respond in the hours and/or days following a breach. The GDPR does offer some clarity, indicating “high risk” may incorporate severe vulnerabilities such as threat of identity theft, financial loss, fraud, discrimination, and/or damage to reputation. 
 
GDPR auditors will not smile kindly on U.S. companies seeking loopholes in the law. The highest potential fines will be reserved for companies violating the most basic principles for processing, such as consent or breach notification.
 
Hospitality members can reduce exposure under the GDPR by performing a full risk assessment starting with the scope and legal significance of their data collection practices. (1) Revising internal policies/procedures to accommodate the GDPR's consent and notification requirements and (2) tailoring breach response protocol to the timing and risk/high risk test will go a long way toward avoiding a violation and, most importantly, will document the compliance steps members have taken in the event of an EU audit.
About The Author
Sam Crochet Esq. CIPP-US

Hall Booth Smith, PC


Sam Crochet, Esq. is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation. He assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures and preparation for the EU's General Data Protection Regulation (GDPR).

 
Comments
Blog post currently doesn't have any comments.
Leave comment



 Security code