Tech Talk

Recent posts

Enterprise System Pitfalls: Summary
Today I’m wrapping up a series of posts on the broad topic of Enterprise System Pitfalls. In this series, my hope was to help shed light on the primary problems that cause us to miss budgets, fall short on capabilities, or completely fail when implementing an enterprise system. 

The Year in Review
 
As 2019 comes to a close, it’s time to count our blessings. One of mine has been the privilege (and fun!) of being able to reach out to so many interesting companies and get them to tell me what they’re doing that’s different, disruptive, and game-changing. The list of things I have to write about in future columns has only gotten longer in the nine months since I started writing this column.

Sustainable Innovation
 
Sustainability can yield multiple benefits to hotels. Saving energy and water yields direct cost savings. Revenue can be generated by guests who prefer to deal with businesses that minimize their environmental impact. And many would argue that conserving scarce resources is simply the right thing to do.

Meetings Innovation
 
The sale and delivery of groups and meetings is perhaps the most significant and under-automated functions for many hotels. Even though groups often account for 30% to 60% of revenue, most group bookings are still handled manually for most if not all of steps, as they move from a meeting planner’s research to a confirmed booking.

The biggest enemy to any system is complexity. In a system of inputs and outputs, such as an enterprise system, more complexity means more parts are used in interaction with inputs to create the outputs. Every part that must be built and maintained costs time and money



want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.

x
 

The Top 5 GDPR List for Hoteliers

by David Durko


Hotels have Finally Jumped into the GDPR Game

May 25 is quickly approaching, and the streets are abuzz with GDPR. Hoteliers are struggling for guidance and everyone has a thought or opinion as to what getting to GDPR compliance means. The worst part is we are seeing so many hotels receiving incomplete or faulty information and they will be in for a rude awakening soon.

Complying with the GDPR directives requires a hotel to implement a combination of administrative and technical controls focused on protecting the personal information of EU residents. We know that hoteliers are focused on privacy statements and policies, but we also know that most hoteliers are ignoring or overlooking these critical areas.

1. Explicit consent – How will a hotelier collect, save and reference explicit consent?

2. Right to be forgotten – How will a hotelier purge customer records from commercial off-the-shelf applications when those providers don’t have a process yet?

3. Notification of third parties to purge customer data – What is the communication method and verification process to ensure that whoever a hotel shares guest data with (for example third party email marketing partners) will also purge guest data?

4. Vendor risk assessment process – How will a hotelier ensure that third-party partners are prepared and able to comply with GDPR. Hoteliers must also think about their cloud providers, back up providers, email partners, revenue partners, rewards programs and more.

5. Complying with the technical controls – This will be the most difficult and troubling set of controls for hoteliers. First, settling on a framework that will guide the hotel’s data protection strategy is important. The reality is if a hotel can’t achieve PCI compliance it is unlikely they will achieve GDPR compliance.

6. Process to ensure timely notification – Failure to notify the appropriate data protection authorities in a timely manner will result in significant fines and penalties. 

Checklist to assist in GDPR preparation

These are the top five items that a hotelier can focus on to move the ball closer to compliance by the required dates.
 

1. Know with whom you share data!
This includes business as well as technical sources.  Make sure data flows are documented and include who and why data is shared.

2. Hire a Data Protection Officer (DPO) to handle all claims from EU consumers and data protection authorities. While not necessary in all cases, it is recommended. A virtual DPO is affordable and will ensure communications are responded to correctly and in a timely manner.

3. Create a manual paper process to capture the guests explicit consent for email marketing (opt-in) and the sharing of data with third parties. Until PMS developers have a process in place to programmatically capture consent having a paper process will mitigate the risks.

4. Clearly define your organizations record retention policy and requirements. The right to be forgotten has some exceptions and can be guided or modified to remain consistent with normal business processes.

5. Ensure all third parties have undergone a Vendor Risk Assessment and that you understand the risks associated with their engagement.

6. Ask all third parties to provide a statement of compliance and detail explanation of what processes exist for the protection of your guests’ data. This includes OTAs, PMS providers, marketing companies, cloud providers and other technology providers.

No one really knows how European Data Privacy Authorities police will enforce the GDPR directives.  In the hospitality vertical it is easier to blacklist properties that develop a reputation for not protecting the data of EU nationals.

With all of that said, when we look at properties struggling with PCI compliance we know they will not be able to attain GDPR compliance. The security framework is somewhat more stringent and will be burdensome on U.S. properties.

About The Author
David Durko
CEO
Security Validation, LLC


David Durko is the CEO and chief compliance officer for Security Validation’ Data Security Advisory Practice. Security Validation provides PCI and GDPR Assessment Services along with Virtual Data Privacy Officer services from its offices in the U.S. and U.K.

 
Comments
Blog post currently doesn't have any comments.
Leave comment



 Security code