The hotel industry collects one of the highest volumes of data of any sector.
It is no surprise, then, that our industry accounts for a high number of breaches. Unfortunately this data is exposed to hacking and cyber criminals, and hoteliers have suffered numerous incidents in past years, some affecting a large number of hotels belonging to hotel groups.
It is true that hotels often process and store a very high volume of guests' personal information and payment card transactions. Moreover, this information reaches hotels from many different sources (booking systems, points of sale, websites, faxes, phone calls, emails, etc.). Furthermore, it is also stored in different places and formats.
We are now aware that on 25th May 2018 the new European General Data Protection Regulation (GDPR) comes into force. But are we informed of the main changes involved? This new regulation definitely gives consumers more and more protection, as it should.
What do hotels need to know about the changes in this regulation?
First of all, it applies to any organization in the world (even if not located in Europe) that processes the personal data of European residents. This information is technically called Personally Identifiable Information (PII).
Secondly, hotels should be aware that penalties will be heavier than before. Any breach of this law must be notified to the GDPR authorities within 72 hours, and really serious breaches may incur penalties of up to 4% of the organization's turnover.
So, what to do? How should a hotel start its GDPR compliance?
- To start with, hotels need to define and state their objective for gathering data from their guests. Very soon, data will belong to the guest, not to the hotel, and the hotel must have a clear purpose for using this data. Not only must it have that purpose, it must also publish it and make it clear to its guests.
- There has to be consistency in the procedures, policies and teamwork involved in collecting data.
- And, for sure, it will be good to implement some audit system so the hotel is always safe and in control of this issue.
- Are you aware that the new regulation requires hotels to provide detailed and full information about what data they store? Why they need that personal data? And how long they plan to keep it?
- Hotels must prove that they keep technical records and have total control over how they protect data.
- The opt-out option is over. From now on hotels need to display an “opt-in” that allows them to keep and use this PII. And, as before, they must inform customers of their right to access, update, modify and delete the information kept.
- Hotels will need to declare where the PII is stored.
- Staff must be trained in how to access, store and use the PII held by the hotel.
Tips to prepare for GDPR compliance. Here are our main points for you to remember:
1. You have to have clear CONSENT to process data.
2. Data has to be accessible, portable and kept only for a valid, limited time.
3. Customers have the right to be forgotten, and this time it is serious.
4. Marketing. Customers have the right to consent to direct marketing that uses their data. They have to opt in. Forget about the opt-out option; it is over now.
May 2018 is not really so far away, and becoming GDPR compliant may take longer than you think.