On 25 May 2018 the EU General Data Protection Regulation (GDPR) will take effect and become immediately enforceable.
As a hostel operator, this almost certainly applies to your business, wherever you are located, because you take bookings from people in the EU. It’s a big deal, so we’ll cover some of what you need to know about it.
Important note: I am neither a lawyer nor an expert on GDPR. Nothing in this post should be taken as legal advice. The information in this post is what I pieced together from the internet and compiled to make it easier for everyone to figure these regulations out. Please jump in and let us all know if any information is incorrect or incomplete or if you have any suggestions to help hostels comply with the regulations!
What is GDPR?
GDPR is a new regulation that dictates how personal data needs to be handled and protected by businesses like yours and mine.
Big Data is big business, and it seems like information about all of us is being collected and traded by unknown entities every time we go online, buy groceries, or just sit at home and watch a movie on Netflix. It makes sense that the authorities are stepping in to regulate with whom all of that data can be shared and how it can be used.
After May 25, 2018, every organization the world over that processes the personal data of people in the EU will be affected by the GDPR. “Personal data” is the regulation’s own term and is broader than the “personally identifiable information” (PII) of US law: in plain English, any data that could identify an individual, directly or in combination with other data. These regulations aim to unify and strengthen existing data protection rules and ease the flow of personal data across the EU member states. When the GDPR comes into force, any organization that processes personal data will have to conform to a number of requirements, or risk facing significant penalties. (Source)
It is similar in spirit to PCI DSS compliance, which dictates how credit card payments have to be handled and how cardholder data has to be secured. PCI DSS is a contractual industry standard focused on the technical protection of card data. GDPR is law, covers all personal data, not just card numbers, and is as much about how we as people manage that data day to day (why we collect it, how long we keep it, who we share it with) as it is about technology.
What is Personal Data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, credit card details, bank details, posts on social networking websites, medical information, or a computer IP address. (Source)
If you have a spa, personal data could include medical information about your guests. If you have a restaurant, it could include notes about food allergies or favorite appetizers. If you have a group sales department, it could include the names of a key travel agent’s children.
What does it mean for hostels?
It means we have a lot of work to do! We have to ensure that any personal data we receive is protected by security measures appropriate to the risk, so that theft or misuse becomes unlikely and is detected quickly if it does happen (no measure can make it impossible). It means making a clear plan for how to handle the data, training our teams to follow the procedures that we lay out, and keeping records to prove that we have been diligent in our efforts to secure that data in case the authorities come around for an inspection or a guest files a complaint. Basically, it means covering our asses, because otherwise we’ll find ourselves quite exposed.
The hospitality industry will definitely be on the radar of the data protection authorities. We process a lot of personal data just by taking a reservation. For example, depending on the booking source and the local requirements, we might collect a guest’s:
- Full name
- Email address
- Phone number
- Credit card number
- Passport number
- Information about previous stays
- Room or bed preferences
All of this data will need to be justified, stored and protected. It will also need to be accessible by your team and by the guest so that it can be reviewed, changed, or deleted at the guest’s request.
The hotel industry is considered one of the most vulnerable to data threats. According to Verizon’s 2016 Data Breach Investigations Report, the hotel industry accounts for one of the highest number of breaches in any sector and has the highest volume, when it comes to lost cards following a breach. (Source)
We will need to have technology or other verification procedures in place to recognize that a security breach has occurred; you cannot report what you cannot detect. Once you become aware of a breach of personal data, you must notify your supervisory authority within 72 hours (unless the breach is unlikely to result in a risk to the people concerned), and you must also notify the affected guests without undue delay when the breach is likely to result in a high risk to them. Missing these deadlines is itself a fineable infringement, separate from whatever caused the breach.
Which hostels does this affect?
These new regulations affect your hostel. They affect any organization, worldwide, that offers services to people in the EU or monitors their behaviour, and it is the location of the person, not their citizenship, that matters. Even if you are not located in the EU, if you take reservations from guests in the EU, including through EU-based portals (ie. HW in Ireland, Booking in The Netherlands), then you are required to comply with GDPR. Is your channel manager, PMS, CMS, booking engine provider, etc. based in the EU? Then those providers are directly subject to GDPR as processors, and their contracts will pass data protection obligations down to your hostel.
From a hotel digital marketing perspective, if you are monitoring the behaviour of users that takes place within the EU, such as booking trends out of Germany, you have to comply with the requirements of GDPR. This affects the use of different types of web analytics tools, as well as tracking for personalisation and retargeting purposes. It applies to website visits from users that are in the EU, regardless of whether they are EU citizens or not. (Source)
What does this mean for marketing?
One big change has to do with marketing, like targeted ads or collecting email lists to send your guests newsletters, promotional offers, repeat business requests, etc. They would need to give you permission to use their data for each of these purposes separately. Most of us will need to make a lot of modifications to our websites and social media channels.
This regulation states that customers will now have to “opt-in” to an email marketing service, as opposed to the current widely-used “opt-out” system. Hotels must be able to prove that their customers have given consent for their data to be used for marketing purposes, and must also specify which data they wish to be used. (Source)
Explicit consent means that hotels must: explain to the customer what data you are capturing (the nature of the data), explain to the customer why you are capturing that data (the purpose of the data) and explain to the customer who is requesting that data (the identity of the Data Controller) and who else will have access to this data. The end result is that the person you are seeking to collect data from completely understands what data you want and what you plan on doing with it. The customer can then give you unambiguous consent. (Source)
All of these things need to be laid out clearly, in plain language, in your privacy statement and anywhere in your hostel or on your website/social media that collects this information.
If you go out for a pub crawl and take pictures of your guests to post online, that is personal data. Now it would be wise to have them sign a consent form before you put a picture up on Facebook, and to take the picture down if a guest later withdraws that consent.
Who will enforce this regulation?
Every EU country has its own data protection authority (the “supervisory authority”) responsible for enforcing the regulation. That means that enforcement could be stricter or more lenient, depending on where you are located, although the rules themselves are the same across the EU.
What are the consequences of non-compliance?
If an EU citizen files a complaint and it is determined that your hostel is not compliant, the penalties can be quite severe.
Organizations can be fined up to 4% of annual global turnover or €20 Million, whichever is higher. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having a valid basis (such as sufficient customer consent) to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined up to 2% of turnover or €10 Million for not having its records of processing in order (article 30), not notifying the supervisory authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement. (Source)
A major change due to GDPR is that data processors are captured by the regulations as well as data controllers. This means that if a hotel, as a data controller, is outsourcing the process of data to a third party who is not complying with GDPR regulations, the hotel and the third party processor can be held jointly responsible if a breach occurs. (Source)
This includes 3rd party partners who process data like your PMS, OTA, Booking Engine, Payment Gateway, etc
What should you do to make your hostel GDPR compliant?
Create a “Data Register”
This is a written document detailing exactly:
- Which information you are holding
- For what specific purpose are you holding each piece of information
- Where it is stored (ie. usb drives, encrypted cloud servers, a cardboard box in the basement)
- Where it comes from (check-in forms, online forms, fax, telephone, email, etc.)
- With whom you are sharing the information
- On what lawful basis you hold it (the guest’s consent, the booking contract, or a legal obligation such as a local registration law), and, where that basis is consent, a record of when and how it was given
This Data Register should map all your data streams. Break down each step of the process from data collection to data storage, because you may need to change some of your Standard Operating Procedures to make sure that the information is protected at every step. When creating any new procedure, keep “Data Protection by Design” in mind to ensure continued compliance.
Determine your Lawful Basis for processing guest data
Your hostel can only collect guest data if there is a lawful basis to do so. For a hostel, this “lawful basis” usually comes in three forms:
1) The processing is necessary to perform the booking contract with the guest (name, contact details, dates, payment), which is the most common basis and does not require separate consent;
2) Your hostel is required by local or national law to collect the data (passport or ID details on registration cards in many countries, invoice records for tax purposes); or
3) The guest has explicitly given consent for a specific purpose that is not covered by the first two, such as newsletters, photos, or saving preferences for future stays. Consent must be as easy to withdraw as it was to give.
You need to make sure that you are ONLY asking questions on registration cards, online forms, etc. that are absolutely necessary to process that guest’s booking. For example, do you really need to record your guest’s birthdate, home address, credit card number and favorite color? If any of that information is unnecessary, then you should no longer ask for it.
Review and Update Policies and Contracts
There are several policies that you will need to update or create, such as:
- Terms and Conditions or other Customer Agreements (which data are required, for what purpose, request for customer consent)
- Data Retention Policy (How will the data be stored and for how long)
- Data Subject Access Request (DSAR) Policy (How can a guest request access to his data, and how will that request be handled by the hostel)
- Shredding Policy (when, how, and by whom will paper documents be destroyed)
- Breach Management Policy (How will a data breach or theft be handled)
You will also need to review and possibly change contracts with 3rd party data partners like OTA, PMS, CMS, booking engine, payment gateways, etc. If they process your guests’ data then they must also be GDPR compliant.
Appoint a Data Protection Officer (DPO)
You may, or may not, need to appoint someone to become the Data Protection Officer. This will be someone who knows and understands the importance of personal data processing and who understands the flow of data in your hostel. The DPO should have an updated Data Register at all times. The DPO’s contact details must be published in your privacy statements on any media and communicated to your supervisory authority, so that a guest filing a complaint knows whom to contact.
Appointing a DPO is mandatory when your core activities involve regular and systematic monitoring of people on a large scale, or large-scale processing of special categories of data such as health information. Routine bookings at a single hostel usually do not meet that bar, but a spa holding medical notes, a group of properties, or heavy tracking and profiling of website visitors might, so it is wise to at least nominate someone who owns data protection even if the formal role is not required.
The regulation itself sets no numeric threshold for what “large scale” means. As a rule of thumb only, if you average more than 5000 guests per month, then you should look into designating (or outsourcing) a DPO; even where it is not required, a voluntary DPO must meet the same independence requirements as a mandatory one.
Conduct IT and Security Assessments
The hostel’s hardware and software applications should be reviewed to ensure they are up to date and secure:
- Ensure that access to hostel computers, drives, servers, and email accounts that receive or hold personal data is secured with strong, unique passwords, individual accounts per staff member (no shared “reception” login), and multi-factor authentication wherever the service supports it
- Restrict the access to hostel computers and drives exclusively to members of hostel staff
- Do not use unauthorized usb drives or devices on hostel equipment to prevent malicious software
- Ensure that only authorized individuals have access to guests’ credit card numbers
- Encrypt electronically stored customer data, and keep the encryption keys (or the password manager that holds them) separate from the encrypted data and backups
- Invest in solid antimalware and antivirus software
- Connect the hostel’s computers to a separate secured wi-fi network than the one your guests use
- Install a firewall on your hostel’s computer and network to protect cardholder data
- Install up-to-date intrusion detection programs on your network and storage systems, and conduct penetration testing
- If using a laptop, enable full-disk encryption and ensure that it is locked to an immovable object to prevent it being carried away
- Lock external hard drives inside a safe
- Store hard copies of documents in a separate location with restricted access
- Ensure that your team understands the importance of confidentiality to avoid handing over sensitive data to scam artists despite strong IT security
A Data Protection Impact Assessment (DPIA) is required before starting any processing that is likely to result in a high risk to guests, which in practice includes introducing major new technology or making significant upgrades to systems which contain personal data. For example, if you change your PMS, the data will be processed differently, so an assessment of the impact on the security of those data must be completed and documented before the migration, not after.
Implement your new GDPR policies
Once your policies and procedures have been written and your team has been trained, begin implementation on the guest data you already have:
1) Validate the data that you intend to keep
2) Edit, delete, shred, or destroy any electronic or paper documents that are older than your declared retention period, that are no longer necessary, or that you do not have a legal basis to collect
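One way to carry out step 2 over an electronic guest export, written for this post as an added example (it is not code from the original article or from any PMS vendor). The field names, retention periods and the three sample records are constructed assumptions; your own Data Register and national rules (invoice retention, registration laws) supply the real values. The same sweep serves the “regularly eliminating out-of-date data” item under Ongoing Compliance: it erases fields whose retention period has passed, drops consent-based fields where consent is absent, erases any field that is not listed in the register at all (no recorded lawful basis), and produces an audit log that names the fields erased but never records the values themselves.

```python
"""Retention and minimisation sweep over a guest export (added example).

Assumes records exported from the PMS as dicts with an ISO-8601 'checkout'
date. Field names and retention periods below are illustrative assumptions,
not values taken from the regulation.
"""
from datetime import date

# Fields the hostel has a lawful basis to keep after checkout, and for how
# long (in days). Assumption: booking/invoice data 7 years (a typical tax
# obligation), passport details 30 days (a typical registration law),
# preferences 2 years. Check your own national rules.
RETENTION_DAYS = {
    "name": 7 * 365,
    "email": 7 * 365,
    "passport_number": 30,
    "room_preferences": 2 * 365,
}
# Kept only while the record carries an affirmative marketing consent.
CONSENT_FIELDS = {"newsletter_email"}
# Bookkeeping fields that carry no guest detail beyond the booking reference.
METADATA = {"booking_id", "checkout", "marketing_consent"}

# Constructed sample export; these are not real guests.
GUESTS = [
    {"booking_id": "A1", "checkout": "2024-05-20", "name": "Ana Example",
     "email": "ana@example.test", "passport_number": "X123", "room_preferences": "bottom bunk",
     "favorite_color": "blue", "newsletter_email": "ana@example.test", "marketing_consent": True},
    {"booking_id": "B2", "checkout": "2024-03-01", "name": "Ben Example",
     "email": "ben@example.test", "passport_number": "Y456",
     "newsletter_email": "ben@example.test", "marketing_consent": False},
    {"booking_id": "C3", "checkout": "2016-01-15", "name": "Cy Example",
     "email": "cy@example.test", "marketing_consent": False},
]


def sweep(records, today):
    """Return (kept_records, audit_log) without mutating the input.

    audit_log entries are (booking_id, field, action, reason) tuples; only
    field names are logged so the log itself holds no personal data.
    """
    kept, log = [], []
    for rec in records:
        age_days = (today - date.fromisoformat(rec["checkout"])).days
        out = {k: v for k, v in rec.items() if k in METADATA}
        for field, value in rec.items():
            if field in METADATA:
                continue
            if field in RETENTION_DAYS:
                if age_days <= RETENTION_DAYS[field]:
                    out[field] = value
                else:
                    log.append((rec["booking_id"], field, "erased", "retention period expired"))
            elif field in CONSENT_FIELDS:
                if rec.get("marketing_consent"):
                    out[field] = value
                else:
                    log.append((rec["booking_id"], field, "erased", "no consent"))
            else:
                # Field is not in the Data Register: there is no recorded
                # lawful basis for holding it, so minimisation says erase it.
                log.append((rec["booking_id"], field, "erased", "not in data register"))
        if set(out) <= METADATA:
            # Nothing personal left: delete the whole record rather than keep a husk.
            log.append((rec["booking_id"], "*", "record deleted", "no personal data left"))
        else:
            kept.append(out)
    return kept, log


if __name__ == "__main__":
    kept, log = sweep(GUESTS, date(2024, 6, 1))
    for entry in log:
        print(entry)
    print(f"{len(kept)} of {len(GUESTS)} records retained")
```

Run it against a fresh export on a schedule (for example monthly), write the audit log to your compliance records, and only then overwrite the live data with the swept copy; the two-step shape means a mistake in the register shows up in the log before anything is destroyed.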
Inform your guests about your new privacy rules and understand their rights
For any processing that relies on consent rather than on the booking contract or a legal obligation (newsletters, promotional offers, photos, saved preferences), you will need to ask your guests for their explicit consent and document it. This could be done with a checkbox during the booking process, when checking in online, on check-in forms at the hostel, or any other time that you ask for their personal information. You will need to specifically state for which purpose(s) you are collecting the data, how long you will keep it, and with whom you will share it. Boxes cannot be pre-checked, consent cannot be bundled into the Terms and Conditions, and there must be a clear “opt-in” given by the guest.
Guests in the EU also have rights that you need to recognize, such as:
- The right of access to their data (and to know where it came from, why you hold it, and who it is shared with)
- The right to rectification of inaccurate data
- The right to erasure (“right to be forgotten”)
- The right to restrict processing
- The right to data portability (receive their data in a common machine-readable format or have it sent to another provider)
- The right to object, including an absolute right to object to direct marketing
- The right not to be subject to a decision based solely on automated processing, including profiling, that has a significant effect on them
If a guest requests access to their data, you have an obligation to provide it, free of charge, within one month (extendable by up to two further months for complex or numerous requests, as long as you tell the guest within the first month). Verify the requester’s identity before handing anything over, since a sloppy DSAR process is itself a way to leak data to an impostor. If you refuse a request, you must inform the guest of your reasons without delay, and provide details of your country’s Data Protection Authority and the contact details of your DPO so that they understand how to file a complaint.
Where you rely on consent to offer an online service directly to a child, the consent of a parent or guardian is required for children under 16 (individual member states may lower this age to as low as 13). If you accept children, you should prepare these consent forms in advance of this situation.
Ongoing Compliance and Monitoring
- Conduct regular refresher training for staff members
- Continue regular penetration testing on IT systems
- Conduct access request drills to ensure guests’ requests to access their data are handled correctly and efficiently
- Regularly update the Data Register
- Follow a schedule for regularly eliminating out-of-date data
- Keep logs of all activities mentioned above in order to prove how your data are being protected
Is your hostel already GDPR compliant, or have you been working on becoming compliant? Please share your experience with us!
- How long did the process take?
- Which aspects took you by surprise?
- What have been the biggest challenges for you?
- Have you found any great services or resources that would be helpful for other hostels?
- Who is the Supervising Authority for your country? (please post a link to their website)