
The European Union's General Data Protection Regulation: What Steps Must Members of the Hospitality Industry Take?

06/21/2017
by Sam Crochet Esq. CIPP-US

US companies collect, analyze, and leverage consumer data to optimize efficiency, advertise and, hopefully, increase profits. However, with the rise of data breach incidents, varying laws and consumer demand pressure companies to secure networks, scrutinize vendor usage (such as the security of one cloud processor versus another), and be transparent about their collection practices. Privacy officers and in-house counsel may already understand that US data privacy is controlled by a patchwork of state and industry-specific federal laws. However, companies across the hospitality community are (or should be) racing against the clock to satisfy the increased requirements of the EU's General Data Protection Regulation (GDPR), which becomes effective May 25, 2018. The GDPR will replace the current Data Protection Directive, which was well-intentioned but inadequate in light of growing technologies. There are notable changes and increased obligations within the GDPR to which US businesses must adhere or risk huge financial penalties. This is the first of several articles updating readers on why the GDPR matters and what steps members of the hospitality industry should take to comply with the regulation.


1. Who does the GDPR affect?

The law is geographically expansive: it applies to the processing of EU residents’ personal data (name, ID number, reference to a physical, economic, or cultural identity of a person, etc.) regardless of the company's or processor’s location.[1] For instance, if a hotel markets its services to EU residents beyond merely having a website, then it will likely be controlled by the GDPR. Practically speaking, any organization desirous of European customers, regardless of whether it has a European-based office, must comply with the GDPR.

2. What are the consequences if a company does not comply with the GDPR?

US companies controlling or processing data of EU residents face increased penalties for violating the new regulation. Fines can reach 4 percent of annual global revenue, or 20 million euros per violation.[3] The regulation also grants European Supervisory Authorities the power to ban a company’s data collection practices altogether.[4] Obviously, US companies cannot afford to mishandle the security of EU residents’ data. Below, I list some of the GDPR issues and requirements most applicable to the hospitality industry:

  • Stricter Technical and Organizational Security Measures
  • New Data Subject Consent Rules
  • More Demanding Breach Notification Rules; and
  • Vendor Scrutiny and Use of Business Associate Contracts

Stricter Technical and Organizational Security Measures

Unlike some state/federal laws and the current European Data Protection Directive, the GDPR increases the safeguards a company must take to protect customer information against unauthorized access, accidental loss or alteration. The regulation mandates that companies implement appropriate technical and organizational measures.[5] "Appropriate" actions include, but are not limited to:

(1) "Encryption" or "Pseudonymization" of personal data—The regulation explicitly names encryption as a technique to avoid improper disclosure of customer information. Encryption software often comes at a higher cost and has its administrative obstacles. As a result, some businesses may instead benefit from "pseudonymization" of personal data. Hospitality members should know the GDPR does not apply to consumer information unrelated to identifiable persons and, further, expressly approves pseudonymization—the concept of removing personal "identifiers" from information to eliminate a link to one's identity—which would remove data from the scope of the GDPR. Encryption and/or pseudonymization help organizations meet other GDPR requirements as well. For example, depending on the risk of harm, companies must notify European authorities and citizens following a data breach incident (the subject of another article). Since encryption/pseudonymization reduce the risk of harm to EU citizens, companies using these techniques stand a higher chance of avoiding costly reporting obligations.

(2) A contingency plan for a technical incident (such as a cyber attack or “ransomware” event)—Companies under the GDPR should have an emergency plan establishing how they will respond and operate during a data breach incident. For example, during a cyber attack on a hotel chain, the hotel should be prepared with a plan employees have practiced, so appropriate personnel can (a) identify what data has been compromised, (b) switch to backup data for normal business operations, (c) work with the in-house IT team (and potentially an outside forensic specialist) to contain and eradicate the attack, (d) restore operating systems, and (e) examine alongside counsel the various legal obligations arising out of the event.

(3) Run regular tests to evaluate the effectiveness of technical and organizational security measures—For example, an IT “penetration test” is a simulated attack on a computer network to identify security strengths and weaknesses. Such a test helps businesses identify which software and issues need addressing to improve security. Also, administrative fire drills to exercise the aforementioned contingency plan will help businesses prepare for a data breach incident.
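To make item (1) concrete, here is an added example (not from the article or its author) of pseudonymizing guest records: each direct identifier is replaced by a keyed HMAC-SHA256 pseudonym, so stays by the same guest can still be linked for analytics while the stored dataset no longer carries names or e-mail addresses. The record layout, field names and sample stays are constructed for illustration; the key must be kept in a separate secret store, because whoever holds it can re-compute (and therefore re-identify) the pseudonyms.

```python
import hmac
import hashlib
import secrets

# Fields of a guest record that directly identify a person (assumed layout).
# Everything else (room, nights) is kept as-is for analytics.
DIRECT_IDENTIFIERS = ("name", "email", "passport_no")


def _pseudonym(field: str, value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    The field name is mixed in so the same string in two different fields
    yields two unrelated pseudonyms. Without the key the pseudonym can be
    neither reversed nor re-computed for a guessed value."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, field.encode("utf-8") + b"\x00" + normalised,
                    hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with each direct identifier replaced."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = _pseudonym(field, str(out[field]), key)
    return out


def pseudonymize_dataset(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


def matches_identifier(pseudo_record: dict, field: str, candidate: str,
                       key: bytes) -> bool:
    """Re-identification check for the key holder only, e.g. to find a
    guest's rows when answering a data-subject request (constant-time)."""
    expected = _pseudonym(field, candidate, key)
    return hmac.compare_digest(pseudo_record.get(field, ""), expected)


if __name__ == "__main__":
    # Constructed sample stays; the key would live in a separate secret store.
    key = secrets.token_bytes(32)
    stays = [
        {"name": "Ada Lovelace", "email": "Ada@Example.com", "room": 412, "nights": 3},
        {"name": "Ada Lovelace", "email": "ada@example.com", "room": 207, "nights": 1},
    ]
    pseudo = pseudonymize_dataset(stays, key)
    assert pseudo[0]["email"] == pseudo[1]["email"]  # same guest, still linkable
    print(pseudo[0])
    print(matches_identifier(pseudo[0], "email", "ADA@example.com", key))
```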

Keep in mind that GDPR violations carry heavy penalties that could crush small businesses. Documenting the steps you have taken to address the above issues may establish mitigating factors that could go a long way towards dramatically reducing penalties in a GDPR audit.

This article only broadly addresses the GDPR's technical and organizational security requirement. Contact a privacy attorney to analyze the best approach for your organization and to understand the finer points of the GDPR's technical/organizational requirements.



[1] GDPR Article 3.

[2] Courtney Bowman, “A Primer on the GDPR: What You Need to Know,” December 23, 2015.

[3] GDPR Article 83(5). It should be noted that consumers have a right to judicial remedy against companies and processors under the GDPR.

[4] GDPR Article 58.

[5] GDPR Article 32; GDPR Recital 49.

About The Author
Sam Crochet Esq. CIPP-US

Hall Booth Smith, PC


Sam Crochet, Esq. is a CIPP-US certified attorney at Hall Booth Smith, PC. He specializes in data privacy/security matters and civil litigation. He assists clients with data breach response, HIPAA compliance, development of cybersecurity/privacy policies and procedures and preparation for the EU's General Data Protection Regulation (GDPR).
